Monday, December 10, 2012 8:43 PM
I am trying to capture the lastlogontimestamp but I having issues with account that authicated their Username and password through IIS and I am having issues. We are windows 2003 / 2008 with IIS6. Any help would be great?
The users logging in via IIS are not providing a time stamp to AD so does IIS keep access information so that we can pull the data from there?
Would upgrading to IIS7 help?
- Edited by bal-girl Tuesday, December 11, 2012 5:34 PM more information
Tuesday, December 11, 2012 3:15 AM
You can use repadmin command to track the the value of lastLogontimeStamp.See below link for the same.
“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”.
Determine Last Logon Time for a User
Active Directory User Last Logon
Tracking User Logon Activity Using Logon Events
If auditing is enable you can check the event log on DC to track the same.
For IIS related issue see this forum:http://forums.iis.net/
Hope this helps
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
- Marked As Answer by Cicely FengMicrosoft Contingent Staff, Moderator Monday, December 17, 2012 1:31 AM
Tuesday, December 11, 2012 4:59 AM
DLF should be 2003 or higher
Use the dsquery for LastLogonTimeStamp
Dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr LastLogonTimeStamp >>output123.txt
The Excel formual in this article works great for any Active Directory Integer8 date (represented by a 64-bit integer), including accountExpires, pwdLastSet, and lastLogonTimeStamp. You divide the AD Integer8 value by 8.64 * 10^11 to convert the 100-nanosecond intervals into days. The constant 109205 in the formula adjusts for the number of days between January 1, 1601 (the "zero" date for integer8 values in AD) and December 31, 1899 (the "zero" date for Excel). But the number of days between the dates is actually 109206. Excel has a bug. If you check the date that corresponds to 1 in Excel, you get January 1, 1900. You find that 59 corresponds to February 28, 1900, 60 corresponds to February 29, 1900, and 61 corresponds to March 1, 1900. But 1900 was not a leap year. There was no February 29, 1900. To adjust for this bug, you use 109205 in the formula.
“LastLogonTimeStamp Attribute” – “What it was designed for and how it works”
How to tell if lastLogontimeStamp is in sync
To verify if the lastLogonTime stamp is being updated and replicated as expected you can use repadmin.exe with the showattr switch. Some examples are given below. These examples are intended to demonstrate that lastLogontimeStamp is being updated within the window of 9-14 days and replicated to all DC’s in the domain. They are not an example of how to manage stale accounts.
1. Using repadmin to check the value of lastLogontimeStamp on all DC's in a domain for one user:
repadmin /showattr * (DN of the target user) /attrs:lastLogontimeStamp >lastLogontimeStamp.txt
repadmin /showattr * CN=user1,OU=accounting,DC=domain,dc=com /attrs:lastLogontimeStamp >lastLogontimeStamp.txt
2. Using repadmin to dump the lastLogontimeStamp for all users in a domain including users that have no data in the lastLogontimeStamp attribute:
repadmin /showattr * /subtree /filter:"(&(objectCategory=Person)(objectClass=user))" /attrs:lastLogontimeStamp >lastLogontimeStamp.txt
3. Dump lastLogonTime stamp for users but only ones that have the attribute populated
repadmin /showattr * dc=domain,dc=com /subtree /filter:"((&(lastLogontimeStamp=*)(objectCategory=Person)(objectClass=user)))" /attrs:lastLogontimeStamp > lastLogontimeStamp-2-22-2009.txt
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin