Domain user last logon

  • Question

  • Hi,

    I need to know a user's last logon date. I cannot find events in the security log because we have many log entries and the logs are overwritten every 3 days. On one DC (we have 2 DCs) I ran this and got:

    C:\Users\baipuser>net user developer
    User name                    developer
    Full Name                     For development
    Comment
    User's comment
    Country code                 000 (System Default)
    Account active               Yes
    Account expires              Never
    Password last set            2010.09.03 07:08:47
    Password expires             Never
    Password changeable          2010.09.03 07:08:47
    Password required            Yes
    User may change password     Yes
    Workstations allowed         All
    Logon script
    User profile
    Home directory
    Last logon                   2011.12.21 08:12:36
    Logon hours allowed          All
    Local Group Memberships
    Global Group memberships     *Domain Admins        *Domain Users
    The command completed successfully.


    I found the last logon date. Is this date real and can I give it to my CEO? Where is this date stored?

    The strange thing is that the account was modified on 2012.08.01 02:12:01. No one except me could do that, but I did not modify the account.

    Is there any way to explain this?

    • Edited by jori5 Wednesday, August 22, 2012 5:34 AM
    Wednesday, August 22, 2012 5:26 AM

Answers

  • Hello,

    Please read Richard Mueller's (MVP) answer in this link and use his VBScript:

    Finding the accurate last logon time of an AD account

    Regards

    • Marked as answer by Rick Tan Friday, August 24, 2012 5:26 AM
    Wednesday, August 22, 2012 9:32 PM
  • Last logon to domain environment for some users is critical information.

    As you mentioned, these two attributes do not give me exact information. So what solution is better to use? Event logs?

    Neither the lastlogon nor the lastlogontimestamp attribute provides accurate information about the last logon. The lastlogontimestamp (it's updated 9-14 days) can be updated during network logon, service authentication, interactive logon etc.

    To fetch the accurate information, you have to rely on the event log. If the DC's event log is replaced after 3 days, then you don't have any option. It's better to start archiving the security event log on the DC because sometimes it might be required due to legal bindings too.

    If you have Windows 2008/Vista and above OSes, you can utilize the newly introduced attribute to query last logon information, but with older OSes, there is no accurate way apart from the event log.

    http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#lastlogon

    http://technet.microsoft.com/en-us/library/dd446680%28v=ws.10%29.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Rick Tan Friday, August 24, 2012 5:25 AM
    Wednesday, August 22, 2012 9:02 AM
  • Last logon to domain environment for some users is critical information.

    As you mentioned, these two attributes do not give me exact information. So what solution is better to use? Event logs?


    LastLogontimeStamp will be 9-14 days behind the current date. If you want “real-time” logon tracking you will need to query the Security Event log on the DC and search for Event ID 528 (Windows XP\2003 and earlier) or Event ID 4624 (Windows Vista\2008).

    Additionally, if events are available for no more than 3 days and you have 2008 and above DCs in the domain, then you could check the ms-DS-Last-Successful-Interactive-Logon-Time attribute.

    See this:  Windows Server 2008 Active Directory Domain Services Last Interactive Logon Information Feature
    http://www.msresource.net/paulw/windows_server_2008_active_directory_domain_services_last_interactive_logon_information_feature.html


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    • Marked as answer by Rick Tan Friday, August 24, 2012 5:26 AM
    Wednesday, August 22, 2012 6:36 PM

All replies

  • Hi,

    I would suggest you use “The LastLogonTimeStamp Attribute”. Administrators can use the lastLogontimeStamp attribute to determine if a user or computer account has recently logged onto the domain.

    1. Using repadmin to check the value of lastLogontimeStamp on all DC's in a domain for one user:
    repadmin /showattr * (DN of the target user) /attrs:lastLogontimeStamp >lastLogontimeStamp.txt

    See the below article about more information and examples:
    “The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”
    http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

     


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Wednesday, August 22, 2012 5:38 AM
  • I found attribute through ADSI edit:

    lastLogontimeStamp -- 2012.08.01 02:12:01
    lastLogon -- 2011.12.21 08:12:36

    So which information is real?

    • Edited by jori5 Wednesday, August 22, 2012 6:30 AM
    Wednesday, August 22, 2012 6:16 AM
  • From ASK DS blog above:
    The lastLogon attribute is not designed to provide real time logon information.

    Consider the lastLogontimeStamp value. Also, with default settings in place the lastLogontimeStamp will be 9-14 days behind the current date.

    If you are looking for more “real-time” logon tracking you will need to query the Security Event log on your DCs for the desired logon events, i.e. 528 (Windows XP\2003 and earlier) or 4624 (Windows Vista\2008).


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.


    Wednesday, August 22, 2012 6:36 AM
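
    The event-log query suggested in the reply above, as an added example that is not part of the original thread. The function name and the DC host names in the usage line are hypothetical; it also reports the oldest event each DC still retains, so a miss can be read against the 3-day overwrite window described in the question.

```powershell
# Added example (not from the thread). Needs rights to read the Security log on each DC.
function Get-LastLogonEvent {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[\w.\-$]+$')][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$DomainController
    )
    # Event ID 4624 = successful logon on Vista/2008 and later, as named in the thread.
    # The value comparison in the filter is case-sensitive.
    $xpath = "*[System[EventID=4624] and " +
             "EventData[Data[@Name='TargetUserName']='$SamAccountName']]"

    foreach ($dc in $DomainController) {
        # Oldest record still in the log: anything before this has been overwritten.
        $oldest = Get-WinEvent -ComputerName $dc -LogName Security -Oldest -MaxEvents 1

        # Get-WinEvent returns newest first, so -MaxEvents 1 is the latest match.
        $hit = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath `
                   -MaxEvents 1 -ErrorAction SilentlyContinue

        # Flatten the EventData name/value pairs of the matching event.
        $data = @{}
        if ($hit) {
            ([xml]$hit.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
        }

        [pscustomobject]@{
            DC              = $dc
            LogCoversSince  = $oldest.TimeCreated
            LastLogonEvent  = if ($hit) { $hit.TimeCreated }   # empty = no event retained
            LogonType       = $data['LogonType']
            SourceAddress   = $data['IpAddress']
            WorkstationName = $data['WorkstationName']
        }
    }
}

# Hypothetical DC names; 'developer' is the account from the question.
Get-LastLogonEvent -SamAccountName 'developer' -DomainController 'dc01', 'dc02'
```

    An empty LastLogonEvent only means no matching event survives since LogCoversSince on that DC, not that the account never logged on.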
    Security logs are overwritten every 3 days because of heavy load.

    Do you mean that the real last logon date will be around:

    lastLogontimeStamp -- 2012.07.15 02:12:01?

    Wednesday, August 22, 2012 6:55 AM
  • Hi, There are two attributes which could be used to check the last logon.

    lastLogon
    lastLogonTimeStamp

    The main difference between them is that the lastLogon attribute stores information about the last successful user logon only on that particular Domain Controller and it is NOT replicated to other Domain Controllers. By selecting the lastlogon attribute you cannot guarantee that you are getting the proper last logged-in time stamp; instead, you are getting the last logon time on that particular domain controller.

    The small inconvenience of using the other attribute is that it is accurate to within 9-14 days. However, it is good enough to determine when a user last logged on to the domain. So the best method? Events? I have found some tools and scripts for finding the last logon time from AD.

    But in most cases the tools and scripts are reading the lastlogontimestamp attribute. This would be enough if you are trying to find out inactive users for 'n' number of days.



    Regards,
    Rahul A
    MCITP: MS SQL 2008 Development, MCITP: Enterprise Admin, MCTS: Windows vista, Windows 2008, MCSA Windows server 2003 security, ITIL Foundation V3
    My blog
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights

    Wednesday, August 22, 2012 7:32 AM
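
    Because lastLogon is kept per domain controller and not replicated, as the post above explains, the usable value is the newest one across all DCs. The following is an added example, not part of the original thread and not the VBScript linked in the answers; the function name is hypothetical and it assumes the RSAT ActiveDirectory PowerShell module.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and read access to every domain controller in the current domain.
Import-Module ActiveDirectory

function Get-LastLogonAcrossDCs {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $unreachable = @()
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Ask each DC directly: lastLogon differs per DC, lastLogonTimestamp is replicated.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                     -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
            [pscustomobject]@{
                DC                 = $dc.HostName
                # 0 or empty means the account never authenticated against this DC.
                LastLogon          = if ($u.lastLogon) {
                                         [DateTime]::FromFileTimeUtc($u.lastLogon) }
                LastLogonTimestamp = if ($u.lastLogonTimestamp) {
                                         [DateTime]::FromFileTimeUtc($u.lastLogonTimestamp) }
            }
        } catch {
            # A DC that cannot be queried may hold the newest value; record it.
            $unreachable += $dc.HostName
        }
    }

    $newest = $perDc | Where-Object LastLogon |
              Sort-Object LastLogon -Descending | Select-Object -First 1

    [pscustomobject]@{
        User                   = $SamAccountName
        LastLogonUtc           = $newest.LastLogon
        SeenOnDC               = $newest.DC
        ReplicatedTimestampUtc = $perDc.LastLogonTimestamp |
                                 Sort-Object -Descending | Select-Object -First 1
        Complete               = ($unreachable.Count -eq 0)
        UnreachableDCs         = $unreachable
        PerDC                  = $perDc
    }
}

# 'developer' is the account from the question.
Get-LastLogonAcrossDCs -SamAccountName 'developer'
```

    Treat the result as a lower bound whenever Complete is false, since an unqueried DC may hold a later lastLogon.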
  • Last logon to domain environment for some users is critical information.

    As you mentioned, these two attributes do not give me exact information. So what solution is better to use? Event logs?

    Wednesday, August 22, 2012 8:09 AM