ldap query find active users

-
Hi All, I need help with an LDAP query. I searched the internet and all I could find is an inactive user accts query for accounts that have NOT logged on in the last x days. I need the reverse LDAP query to find active/enabled user accounts that HAVE logged on within the last 120 days. Thanks in advance for your help.
Question
Answers
-
Hello,
As others mentioned, you can create an LDAP query which will query the lastlogontimestamp attribute to get approximately the last logon date of users. Based on it, you can determine the users which logged on recently. Here, note that the lastlogontimestamp can be delayed by 9-14 days behind the current date. If you want to get a more precise date, you have to query the lastlogon attribute on each DC you have (this attribute is not replicated) and keep the highest value of it.
To get the lastlogon attribute in a readable format with a batch file, refer to this thread: http://social.technet.microsoft.com/Forums/en/ITCG/thread/19d35656-2be4-4665-822e-34c111e07da2
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
- Marked as answer by Arthur_Li, Microsoft contingent staff, Moderator, Monday, October 15, 2012 7:23 AM
-
If you are using QMM and talking about the DirectorySync filter, you can still use the same LDAP filter. But combining both can be a challenge inside QMM. You may want to run this by the QMM support guys. It is not an LDAP issue. FYI, I have used many crazy filters inside QMM :)
Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/
This posting is provided AS IS with no warranties, and confers no rights.
- Marked as answer by Arthur_Li, Microsoft contingent staff, Moderator, Monday, October 15, 2012 7:23 AM
All replies
-
I like doing this using adfind from Joe Richards. There are other methods but the adfind example is below
http://www.joeware.net/freetools/tools/adfind/index.htm
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)(lastlogontimestamp>={{LOCAL:2012/6/15}})" samaccountname -nodn
lastlogontimestamp is off by 9-14 days http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
There I asked for enabled users that have a lastlogontimestamp > June 15, 2012.
Thanks
-
The issue is the “have logged on” part. You can get “some” information from “LastLogonTimeStamp”. Review the following article carefully:
Here is an example using DSQUERY command:
dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -attr name LastLogonTimeStamp >>output.csv
Open output.csv in Excel and convert the time using w32tm /ntte command.
UserAccountControl reference - http://portal.sivarajan.com/2011/08/searching-active-directory-using.html
More DSQuery commands - http://social.technet.microsoft.com/wiki/contents/articles/3537.active-directory-active-directory-domain-services-ad-ds-commands-and-scripts-en-us.aspx
Of course you can combine everything in single step using a batch file. Or you can use a PowerShell script.
Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/
This posting is provided AS IS with no warranties, and confers no rights.
-
Hi Santhosh,
Thank you. I am using Quest AD Migration Manager and it seems that I can only use LDAP queries. I am trying to dirsync only active accounts that have logged on within 120 days. I am having trouble formulating an LDAP query that will be executed, say, daily. Also, I won’t be able to specify a particular date in the query, because ideally every time I run the query it should find accounts logged on within the last 120 days.
-
Hi Darren,
This can be achieved with the help of queries. But you may need to contact different DCs (for lastLogon) and compare the results for accurate information.
There is a tool named ADManager Plus; just look at the "Recently Logged on Reports" in it. This will give you a list of users who logged in to the domain within a specific number of days (Active Users) after comparing with all DCs. You can use the trial version to get the report.
Thanks and regards | Apu Pavithran
- Edited by Apu Pavithran Friday, October 05, 2012 5:34 PM
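The rolling 120-day cutoff asked for above and the "highest lastLogon across all DCs" rule from the replies, as an added PowerShell example that is not part of any post in this thread. The function names, DC names, user name and sample values are constructed; the cutoff is widened by 14 days on the assumption, taken from the replies, that lastLogonTimestamp can trail the real logon by up to that much.

```powershell
# Added example: function names, DC names and sample data are constructed.

function Get-ActiveUserLdapFilter {
    param(
        [int]$Days = 120,
        [int]$LagDays = 14,                  # replication lag allowance (assumption)
        [datetime]$Now = [datetime]::UtcNow
    )
    # lastLogonTimestamp is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
    # Widening by $LagDays over-includes; the per-DC lastLogon check narrows it.
    $cutoff = $Now.AddDays(-($Days + $LagDays)).ToFileTimeUtc()
    "(&(objectCategory=person)(objectClass=user)" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +   # bit 2 = disabled
    "(lastLogonTimestamp>=$cutoff))"
}

function Get-LatestLogon {
    param([hashtable]$LastLogonByDc)         # DC name -> raw lastLogon from that DC
    # lastLogon is not replicated, so keep the highest value seen on any DC.
    # 0 or a missing value means no logon was recorded on that DC.
    $max = [long]0
    foreach ($v in $LastLogonByDc.Values) {
        if ([long]$v -gt $max) { $max = [long]$v }
    }
    if ($max -eq 0) { return $null }
    [datetime]::FromFileTimeUtc($max)
}

# Fixed reference time so the sample is reproducible.
$now = [datetime]::SpecifyKind([datetime]'2012-10-15', 'Utc')

# Filter for the first, over-inclusive pass against lastLogonTimestamp.
Get-ActiveUserLdapFilter -Days 120 -Now $now

# Constructed sample: one user's lastLogon as read from three hypothetical DCs.
$perDc = @{
    'DC1' = $now.AddDays(-200).ToFileTimeUtc()
    'DC2' = $now.AddDays(-30).ToFileTimeUtc()
    'DC3' = 0
}
$last = Get-LatestLogon -LastLogonByDc $perDc
$isActive = ($null -ne $last) -and ($last -ge $now.AddDays(-120))
"{0} lastLogon={1:u} active={2}" -f 'jdoe', $last, $isActive
```

The generated filter carries a fixed number, so a tool that stores a static LDAP filter needs the string regenerated and reapplied on each run.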
-
Hi,
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Arthur Li
TechNet Community Support