"Last Login" Reports for Active Directory (2003)

    Question

  • I am looking for a good utility that would allow me to run reports against my AD domain that would provide users' last login information. This way I would know who is active within AD.

    Thank you in advance
    Thursday, July 03, 2008 7:34 PM

Answers

  •  

    Hi,

    You can use the lastLogonTimestamp attribute to help identify unused computer and user accounts. The lastLogonTimestamp attribute is replicated across all the domain controllers for each domain. Therefore, you can use a single query to find all the users or all the computers that have not logged in within a certain time. To use this functionality, your Windows Server 2003 domain must be at the Windows Server 2003 domain functionality level.

     

    You cannot use the lastLogonTimestamp attribute in all cases. In Windows Server 2003, the lastLogonTimestamp is not updated in all cases.  Currently, only Kerberos and NTLM interactive logons update the lastLogonTimestamp attribute.  Microsoft recommends that you only use this attribute when you are sure that all the domain users regularly use Kerberos authentication.

     

    Windows Server 2003 does not update the lastLogonTimestamp attribute in the following cases:

    - Certificate mapping through Microsoft Internet Information Services (IIS).

    - Username and password authentication through IIS.

    - Microsoft .NET Passport mapping through IIS.

    - All Service-for-User (S4U) authentication paths.

     

    More information:
    ===============

    lastLogon

    http://msdn.microsoft.com/library/en-us/adschema/adschema/a_lastlogon.asp

     

    lastLogonTimeStamp

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_lastlogontimestamp.asp


    In order to conveniently retrieve each user's last logon attribute, you may need to create a script. If you encounter any problem making a script, I'd like to suggest you post script-related questions to our MSDN queue. The engineers and communities there are more specialized in creating scripts and will assist you in a more efficient manner.

     

    MSDN Public newsgroup

    http://msdn.microsoft.com/newsgroups/default.asp

     

    MSDN Forum:

    http://forums.microsoft.com/msdn



    I listed the following information for your reference:

     

    Script Center

    http://www.microsoft.com/technet/scriptcenter/default.mspx

     

    Find a VBScript

    http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true

     

    Hope it helps.

    Friday, July 04, 2008 10:11 AM

All replies

  • You can retrieve this information fairly easily with a script or with a tool like CSVDE and then visualize it any way you prefer, say Excel.
    One thing to keep in mind is that the lastLogon attribute is not replicated between domain controllers, so you will have to query each one to get the full picture. The lastLogonTimestamp is replicated, although only with a 14-day interval.

    See this link for further information
    http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx
    Thursday, July 03, 2008 8:45 PM
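    One way to build the report the accepted answer and the reply above describe, as an added example that is not code from any post in this thread: lastLogon is read from every DC separately (it is not replicated) and the newest value wins, while the replicated lastLogonTimestamp is treated as possibly up to 14 days behind the real last logon. All account data below is constructed; fetching the attributes from the directory (CSVDE, a script, etc.) is left out so the block runs offline.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon and lastLogonTimestamp as FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Replication interval quoted in the thread: lastLogonTimestamp can lag the true last logon.
TIMESTAMP_LAG = timedelta(days=14)


def filetime_to_datetime(ft):
    """FILETIME integer -> UTC datetime; 0 or missing means the account never logged on."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def datetime_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample data."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def classify(per_dc_lastlogon, last_logon_timestamp, now, max_age_days=90):
    """per_dc_lastlogon: {dc_name: lastLogon FILETIME} read from each DC in turn.
    Returns (status, newest_logon_or_None)."""
    dc_values = [d for d in map(filetime_to_datetime, per_dc_lastlogon.values()) if d]
    newest_dc = max(dc_values) if dc_values else None
    replicated = filetime_to_datetime(last_logon_timestamp)
    known = [v for v in (newest_dc, replicated) if v is not None]
    if not known:
        return ("never-logged-on", None)
    newest = max(known)
    age = now - newest
    if age <= timedelta(days=max_age_days):
        return ("active", newest)
    # The replicated value is derived from some DC's lastLogon, so if it is newer than
    # anything the queried DCs hold, a DC was missed. Allow for the replication lag
    # before calling the account stale, so a live user is not disabled by the report.
    if replicated is not None and (newest_dc is None or replicated > newest_dc):
        if age <= timedelta(days=max_age_days) + TIMESTAMP_LAG:
            return ("possibly-stale", newest)
    return ("stale", newest)


def sample_report(now=datetime(2010, 8, 20, tzinfo=timezone.utc), max_age_days=90):
    """Constructed sample accounts across three DCs; not real directory output."""
    def day(n):
        return datetime_to_filetime(now - timedelta(days=n))
    accounts = {
        "alice": ({"DC1": day(200), "DC2": day(5), "DC3": 0}, day(12)),    # active on DC2 only
        "bob":   ({"DC1": day(120), "DC2": 0, "DC3": day(150)}, day(120)),  # stale on every DC
        "carol": ({"DC1": 0, "DC2": 0, "DC3": 0}, day(95)),                 # only replicated value known
        "svc":   ({"DC1": 0, "DC2": 0, "DC3": 0}, 0),                       # never logged on
    }
    return {name: classify(dcs, ts, now, max_age_days)[0] for name, (dcs, ts) in accounts.items()}
```

    Note that none of this helps with the IIS and S4U authentication paths the accepted answer lists, which update neither attribute; those accounts need a separate source of truth.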
  • There's a third party solution, Adaxes.

    With its help you can generate a report that will help you view users who have logged on over the last days.

    The report is called "Recently Logged On Users"


    Thank you.

    Wednesday, July 28, 2010 11:09 AM
  • Howdie!
     
    On 28.07.2010 13:09, ____-Bent wrote:
    > There's a third party solution, Adaxes <http://www.adaxes.com> .
    >
    > With its help you can generate a report that will help you view users
    > who have logged on over the last days.
     
    Yeah, that's fine. And why exactly should I pay $$$ for something a
    different, freeware tool would do for me? oldCMP on joeware.net does
    that pretty well. Free.
     
    Cheers,
    Florian
     
     

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Wednesday, July 28, 2010 12:14 PM
  • I'm actually in the middle of writing a program that will do this as we speak :) It will be completely free for anyone to use on any number of users/domains that they like. It's a GUI application (rather than command line) and it checks the last logon of computer accounts and user accounts and lets you do any of the following things with accounts that have not logged in over X number of days: Disable, Move, Delete, Update Description, Add To Group, Remove From Group, Remove From All Groups, Export To CSV. It's very much a work in progress (I started making it about a week ago) but here's what it looks like in its current form: http://i135.photobucket.com/albums/q160/chriswright128/ADTidy1.jpg

    The app should be finished within the next 2 weeks so if anyone is interested then check my blog for updates soon (cjwdev.wordpress.com)

    I really hope no one sees this as someone just coming on here to advertise their software because for one thing I came here to ask a question but just happened to see this thread on the first page - more importantly though, I will make absolutely no money from this application and I don't make any money from any other programs that I make either so it's not as if I'm just trying to advertise my software in general by giving away a free app or anything like that. I've got a few other little free utilities I've written available on my blog already (along with loads of VB.NET code and a few class libraries I've made for any other .NET developers) and I genuinely just write these apps to help other people out. I guess if a moderator feels that this is not appropriate then fair enough, remove this post, but I think it will do exactly what the OP wants and may be useful to others reading this post (plus like I said, I get nothing from it so it's not for my own benefit)

    Chris


    My .NET Windows API Library: http://cjwdev.wordpress.com/2010/07/04/cjwdev-windowsapi-api-pack-released/
    Wednesday, July 28, 2010 6:40 PM
  • Gentlemen:

    I know it is an old thread but figure that somebody may be looking for this. It is actually simpler than that and you can do this through ADUC using a Query. Just take the following code and save it as .xml and import it to your ADUC console. The example is set for users not logged on in the last 90 days. If you want a different timespan, simply change the string <FILTERLASTLOGON>90</FILTERLASTLOGON> to suit your need and save it as xml. Your AD must be set to support querying this of course. I made it work for workstations also so I can clean up AD of old computer accounts.

    <QUERY><NAME>Users not logged &gt;90d</NAME><DESCRIPTION></DESCRIPTION><DN></DN><FILTERLASTLOGON>90</FILTERLASTLOGON><LDAPQUERY>(&amp;(objectCategory=person)(objectClass=user))</LDAPQUERY><ONELEVEL>FALSE</ONELEVEL><COLUMNID>{14AB323B-D6AA-4B62-9867-C6038B883CE1}</COLUMNID><DSQUERYUIDATA>050000000c00000043006f006d006d006f006e00510075006500720079000000020000000308000000480061006e0064006c00650072000000100000005ee6238ac231d011891c00a024ab2dbb030500000046006f0072006d00000010000000cbe7168cc2172947a6698474d6712b81080000004400730051007500650072007900000002000000010900000056006900650077004d006f0064006500000004130000010d00000045006e00610062006c006500460069006c007400650072000000000000002a00000028006f0062006a00650063007400430061007400650067006f00720079003d0070006500720073006f006e00290028006f0062006a0065006300740043006c006100730073003d0075007300650072002900000005000000010a0000004e0061006d00650043006f006d0062006f00000000000000010a000000440065007300630043006f006d0062006f00000000000000010d000000440069007300610062006c00650043006800650063006b00000000000000010f0000004e006f006e0045007800700050007700640043006800650063006b00000000000000010f0000004c006100730074004c006f0067006f006e0043006f006d0062006f000000020000001a00000028006f0062006a00650063007400430061007400650067006f00720079003d0063006f006d00700075007400650072002900000003000000010a0000004e0061006d00650043006f006d0062006f00000000000000010a000000440065007300630043006f006d0062006f00000000000000010d000000440069007300610062006c00650043006800650063006b000000000000001700000028006f0062006a00650063007400430061007400650067006f00720079003d00670072006f00750070002900000002000000010a0000004e0061006d00650043006f006d0062006f00000000000000010a000000440065007300630043006f006d0062006f00000000000000</DSQUERYUIDATA></QUERY>
    
    

    Good luck! Hope it helps somebody

    Alfredo Larracuente, Stroghold System Solutions Corp. Guaynabo, Puerto Rico USA

    Friday, August 20, 2010 1:27 AM
  • Pretty sure that doesn't query each DC though... which means you won't get accurate results.
    My website: www.cjwdev.co.uk My blog: cjwdev.wordpress.com
    Thursday, November 04, 2010 1:12 PM
  • Someone above commented that the lastLogonTimestamp is replicated every 14 days. Good enough for me!
    Tuesday, February 15, 2011 9:30 PM
  • Hi,

    I have a follow up question about login types (Kerberos & NTLM Interactive logons).  Do they map to login type 2 and 3 in the logon event, and assume Types 4 and up would not get recorded?

    We are trying to assess the extent of usefulness of the attribute.

    Thanks much in advance!

    Logon type  Logon title        Description
    2           Interactive        A user logged on to this computer.
    3           Network            A user or computer logged on to this computer from the network.
    4           Batch              Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
    5           Service            A service was started by the Service Control Manager.
    7           Unlock             This workstation was unlocked.
    8           NetworkCleartext   A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
    9           NewCredentials     A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
    10          RemoteInteractive  A user logged on to this computer remotely using Terminal Services or Remote Desktop.
    11          CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

    Wednesday, September 28, 2011 8:27 PM
  • Sorry for the late reply....You can use JiJi Active Directory Reports tool to run reports against AD domain.......

    http://www.jijitechnologies.com/

    http://www.jijitechnologies.com/jiji-active-directory-reports.aspx

    Saturday, March 17, 2012 10:16 AM