LastLogonTimeStamp Attribute Not Updated for Computer Account Over SSL-VPN
Question
-
We like to use LastLogonTimeStamp (LLTS) to find stale computer accounts, disable them, and eventually delete them. What we have found is that domain member computers that connect to the domain exclusively by SSL-VPN (for instance in the case of employees who work from their home office) do not update LLTS. Consequently, these computers frequently appear on stale computer reports.
I suppose the required logon type is never used when connecting over SSL-VPN. Therefore I would like to know if there is a way via a logon script or some other method that we can update this attribute.
Answers
-
That is normal as you connect to VPN using locally cached credentials for the user and the computer accounts.
My recommendation to track these computers is to have an agent that periodically reports the computer status (for example, using Microsoft Intune) or have a scheduled task that will run a script when the user is connected to VPN and register the computer name as active in a file that is hosted on a share.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
Marked as answer by Frank Shen5 (Moderator), Wednesday, February 4, 2015 2:05 AM
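One way to implement the scheduled-task approach described in the answer above end to end, as an added example that is not code from this thread or from any Microsoft product: a client-side check-in function that runs while the VPN is up, and an admin-side report that treats a recent check-in as proof of life even when lastLogonTimestamp is stale. The share path, the one-file-per-computer layout and the 90-day threshold are assumptions; the report side needs the ActiveDirectory module (RSAT).

```powershell
# Added example, not from the thread. Assumptions (constructed for this example):
# the share \\fileserver\vpn-checkins$ exists and the account running the task can
# write to it; the report runs on a host with the ActiveDirectory module installed.

$CheckinShare = '\\fileserver\vpn-checkins$'
$StaleDays    = 90

function Register-VpnCheckin {
    # Client side, run from a scheduled task. One file per computer whose content is
    # the last check-in time in UTC. Returning when the share is unreachable lets the
    # task fire on a plain schedule and do nothing while the VPN is down.
    if (-not (Test-Path -LiteralPath $CheckinShare)) { return }
    $file = Join-Path $CheckinShare "$env:COMPUTERNAME.txt"
    (Get-Date).ToUniversalTime().ToString('o') |
        Set-Content -LiteralPath $file -Encoding ASCII
}

function Get-StaleComputerReport {
    # Admin side. A computer counts as stale only if BOTH lastLogonTimestamp and
    # its VPN check-in are older than the cutoff, which removes the false positives
    # the original question describes.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

    # Build a name -> last check-in (UTC) lookup from the share.
    $checkins = @{}
    Get-ChildItem -LiteralPath $CheckinShare -Filter '*.txt' | ForEach-Object {
        $raw = (Get-Content -LiteralPath $_.FullName -Raw).Trim()
        $checkins[$_.BaseName.ToUpper()] = [DateTimeOffset]::Parse($raw).UtcDateTime
    }

    # lastLogonTimestamp is a FILETIME and is only rewritten when the stored value
    # is roughly two weeks old, so it is coarse even for LAN-connected clients.
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp |
        ForEach-Object {
            $llts = if ($_.lastLogonTimestamp) {
                [datetime]::FromFileTimeUtc($_.lastLogonTimestamp)
            } else { $null }
            $vpn      = $checkins[$_.Name.ToUpper()]
            $lastSeen = @($llts, $vpn) | Where-Object { $_ } |
                        Sort-Object -Descending | Select-Object -First 1
            if (-not $lastSeen -or $lastSeen -lt $cutoff) {
                [pscustomobject]@{
                    Name               = $_.Name
                    LastLogonTimestamp = $llts
                    LastVpnCheckin     = $vpn
                    LastSeen           = $lastSeen
                }
            }
        }
}
```

Schedule Register-VpnCheckin on the clients and run Get-StaleComputerReport from the admin host; the report's LastSeen column is the value to act on for disable/delete decisions.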
All replies
-
-
For the purpose of finding obsolete accounts and disabling or deleting them, I would like to refer you to this informative blog that covers all the parts and helps to manage this task in an easier way: http://activedirectorycleanup.blogspot.in/2014/08/find-inactive-users-compueters-inAD.html
-
Wait, wait, wait... Wasn't the entire purpose of adding the lastLogonTimestamp attribute to help track inactive devices / stale records? If it doesn't get updated in a key technology use case, then you should open a support case with Microsoft. This is either a bug or a DCR.
Nash Pherson, Senior Systems Consultant
Now Micro - My Blog Posts
Edited by NPherson, Thursday, February 11, 2016 2:42 PM