Domain users last login timestamp finding query

    Question

  • Hi,

    I have a Windows Server 2008 R2 domain controller. I need to find all users based on last logon timestamp. What are the things I need to do?


    Dhakshinamoorthy Balasubramanian
    Friday, December 23, 2011 4:05 PM

All replies

  • Do you want to determine the lastLogonTimeStamp value for all users, or do you want to query for all users where lastLogonTimeStamp is greater than or less than some value?

    To retrieve lastLogonTimeStamp for all users in an OU (or domain), you can use dsquery * at the command prompt of a domain controller, but the values are large integers (not converted into dates):

    dsquery * ou=West,dc=MyDomain,dc=com -Filter "(&(objectCategory=person)(objectClass=user))" -attr sAMAccountName lastLogonTimeStamp -Limit 0

    You can use w32tm.exe /ntte to convert any large integer into the corresponding date in the local time zone. For example:

    w32tm /ntte 129223000000000000


     

    results in the following (in my time zone)

    149563 15:46:40.0000000 - 6/29/2010 9:46:40 AM

    For better results you will need to use a VBScript or PowerShell script. You can ask in the Scripting Guys forum:

    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads


     Actually, best might be to use Joe Richards' free oldcmp utility, which can query for users based on lastLogonTimeStamp:

    http://www.joeware.net/freetools/tools/oldcmp/index.htm


    Richard Mueller - MVP Directory Services
    Friday, December 23, 2011 4:38 PM
  • I would do this with an LDAP filter.  Open ADUC and right click the domain name.  Select FIND.   In the FIND box select CUSTOM SEARCH.  Then click the ADVANCED tab.   You will create your LDAP query here.  (Alternatively, you can use third party software such as Hyena for this....)

     Consider the following:

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(lastLogonTimeStamp<=129644244000000000))

    You will notice that lastLogonTimeStamp is actually stored in "Integer 8" format.  You will need a program to convert a real date/time to Integer 8 format for use in LDAP queries.   (The user account control statements are excluding Disabled Users and Users that have non-expiring passwords) 

    Here are the scripts I wrote to convert a date/time to Integer 8 format for use in LDAP filters:

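    manualcall.bat:

    @echo off
    rem Prompt for a local date/time and pass it to the conversion script.
    set /p _date=Date to Convert(2/5/2004 4:58:58 PM):
    echo %_date%
    rem The script name must match the .vbs file saved next to this batch file.
    cscript DateToInteger8.vbs "%_date%"
    pause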

    ________________________________________________

     

    DateToInteger8.vbs:

    Option Explicit

    Dim dtmDateValue, dtmAdjusted, lngSeconds, str64Bit
    Dim objShell, lngBiasKey, lngBias, k

    If (Wscript.Arguments.Count <> 1) Then
        Wscript.Echo "Required argument <DateTime> missing"
        Wscript.Echo "For example:"
        Wscript.Echo ""
        Wscript.Echo "cscript DateToInteger8.vbs ""2/5/2004 4:58:58 PM"""
        Wscript.Echo ""
        Wscript.Echo "If the date/time value has spaces, enclose in quotes"
        Wscript.Quit
    End If

    dtmDateValue = CDate(Wscript.Arguments(0))

    ' Obtain local Time Zone bias from machine registry.
    Set objShell = CreateObject("Wscript.Shell")
    lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
        & "TimeZoneInformation\ActiveTimeBias")
    If (UCase(TypeName(lngBiasKey)) = "LONG") Then
        lngBias = lngBiasKey
    ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
        lngBias = 0
        For k = 0 To UBound(lngBiasKey)
            lngBias = lngBias + (lngBiasKey(k) * 256^k)
        Next
    End If

    ' Convert datetime value to UTC.
    dtmAdjusted = DateAdd("n", lngBias, dtmDateValue)

    ' Find number of seconds since 1/1/1601.
    lngSeconds = DateDiff("s", #1/1/1601#, dtmAdjusted)

    ' Convert the number of seconds to a string
    ' and convert to 100-nanosecond intervals.
    str64Bit = CStr(lngSeconds) & "0000000"
    Wscript.Echo "Integer8 value: " & str64Bit

     

    Friday, December 23, 2011 8:42 PM
  • Also, just an FYI......  LastLogonTimeStamp is a "loosely" replicated attribute that may or (most likely) may not represent the actual last logon time of the user or computer.   The attribute can be as many as 14 days off the actual logon. 

    If you need the actual last logon time of an account you would need to query EVERY domain controller in the domain for the "LastLogon" attribute of the account.   This attribute is not replicated at all between DCs.

    What I do is run my query above which returns a subset of accounts that I then run through another process which does in fact query every DC in the domain for the actual last logon time of all the accounts. 

     

     

    Friday, December 23, 2011 8:48 PM
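
The two-stage approach described in the two posts above (an LDAP filter on lastLogonTimeStamp, then lastLogon read from every DC), written in PowerShell as an added example that is not code from any poster in this thread. It assumes the ActiveDirectory module and Active Directory Web Services reachable on each DC; the 90-day threshold and the variable names are illustrative.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and read access to every DC.
Import-Module ActiveDirectory

$StaleDays  = 90                     # assumed inactivity threshold, not from the thread
$cutoffInt8 = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()
# ToFileTimeUtc() returns the "Integer 8" value directly: 100-nanosecond
# intervals since 1601-01-01 UTC, with the local time zone already applied.

# Stage 1: the replicated lastLogonTimeStamp narrows the candidate set.
# Same conditions as the filter in the post (skip disabled accounts and
# accounts with non-expiring passwords). Accounts that have never logged on
# have no lastLogonTimeStamp value and are not matched by this filter.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=65536))" +
          "(lastLogonTimeStamp<=$cutoffInt8))"
$candidates = @(Get-ADUser -LDAPFilter $filter -Properties lastLogonTimestamp)

# Stage 2: lastLogon is not replicated, so read it from each DC and keep the newest.
$dcs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })

$report = foreach ($user in $candidates) {
    $newest  = [int64]0
    $missing = @()
    foreach ($dc in $dcs) {
        try {
            $copy = Get-ADUser -Identity $user.DistinguishedName -Server $dc `
                        -Properties lastLogon -ErrorAction Stop
            if ($copy.lastLogon -gt $newest) { $newest = $copy.lastLogon }
        } catch {
            $missing += $dc          # an unreachable DC makes the answer incomplete
        }
    }
    $trueLast = $null                # stays empty when no DC recorded a logon
    if ($newest -gt 0) { $trueLast = [DateTime]::FromFileTimeUtc($newest) }
    New-Object PSObject -Property @{
        SamAccountName        = $user.SamAccountName
        LastLogonTimestampUtc = [DateTime]::FromFileTimeUtc($user.lastLogonTimestamp)
        TrueLastLogonUtc      = $trueLast
        StillStale            = ($newest -le $cutoffInt8)
        DCsNotQueried         = ($missing -join ',')
    }
}

$report | Sort-Object TrueLastLogonUtc |
    Select-Object SamAccountName, LastLogonTimestampUtc, TrueLastLogonUtc, StillStale, DCsNotQueried
```

Treat any row with a non-empty DCsNotQueried as unverified before disabling or deleting the account, since the missing DC may hold a newer lastLogon.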

  • I'd use a tool like adfind http://www.joeware.net/freetools/tools/adfind/index.htm or the Quest PowerShell cmdlets as they do a better job of decoding the dates.

    adfind -default -f "&(objectcategory=person)(objectclass=user)" samaccountname lastlogontimestamp -tdc -nodn


    Alternately, you can use the third-party software True Last Logon 2.9. You can export the file in Excel for report creation. You can use the trial version; this will achieve what you are looking for.

    True Last Logon displays the following Active Directory information:
    --Users real name and logon name
    --Detailed account status
    --Last Logon Date & Time
    --Last Logon Timestamp (Replicated value)
    --Account Expiry Date & Time
    --Enabled or Disabled Account
    --Locked Accounts
    --Password Expires
    --Password Last Set Date & Time
    --Logon Count
    --Bad Password Count
    --Expiry Date
    --You can also query for any other attribute (Example: Description, telephone Number, custom attributes etc)

    Refer to the link below for the trial version:
    http://www.dovestones.com/products/True_Last_Logon.asp

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, December 24, 2011 12:55 AM
  • Hi,

    You can query lastlogontimestamp attribute in AD.

    http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

    You can also use lastlogin to query, but lastlogin is not replicated to all DCs; it is only updated when users/computers log on, and if lastlogin is 0 it means the user has never logged in.

    In addition, if you encounter any difficulties when writing the scripts, you may submit a new question in The Official Scripting Guys Forum!, which is the best resource for scripting-related issues.

    The Official Scripting Guys Forum!
    http://social.technet.microsoft.com/Forums/en/ITCG/threads

    Hope this helps!

    Best Regards
    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    Monday, December 26, 2011 8:22 AM
    Moderator
  • If you are looking for the lastlogonTimestamp attribute (which, as mentioned earlier, has limited accuracy), then you can also use the script posted at http://sgwindowsgroup.org/blogs/badz/archive/2010/03/01/querying-for-the-lastlogontimestamp-attribute-of-all-users-in-an-ou.aspx

    Otherwise, you could check the lastLogon attribute - although this will require querying all DCs in the domain. A sample script is available at https://rbeltech.wordpress.com/2011/01/17/query-last-logon-for-all-active-directory-users-in-any-domain/

    Starting with Windows Server 2008, you also can take advantage of a set of new attributes related to interactive logons. More at http://blogs.dirteam.com/blogs/jorge/archive/2008/02/10/showing-last-logon-info-at-logon-in-windows-server-2008.aspx

    hth
    Marcin

    Monday, December 26, 2011 9:19 AM