Remove From My Forums

ldap query find active users

Question

0

Sign in to vote

Hi All,

I need help with ldap query . I search the internet and all I could find is

inactive user accts query for accounts that have NOT logged on the last x

days .

I need the reverse ldap query to find active/enabled user accounts that HAVE

logged on within the last 120 days.

Thanks in advance for your help.

Friday, October 5, 2012 3:08 PM

Reply

|

Quote

Answers

0

Sign in to vote
Hello,

As others mentioned, you can create an LDAP query which will query the lastlogontimestamp attribute to get approximately the last logon date of users. Based on it, you can determine the users which logged on recently. Here, note that the lastlogontimestamp can be delayed with 9-14 days behind the current date. If you want to get a more precise date, you have to query lastlogon attribute on each DC you have (This attribute is not replicated) and keep the highest value of it.

To get lastlogonattribute in a readable format with a batch file, refer to this thread: http://social.technet.microsoft.com/Forums/en/ITCG/thread/19d35656-2be4-4665-822e-34c111e07da2

This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, October 15, 2012 7:23 AM
Friday, October 5, 2012 6:18 PM

Reply

|

Quote

0

Sign in to vote
If you are using QMM and taking about DirectorySync filter, you can still use the same LDAP filter. But combing both can be a challenge inside QMM. You may want run this through QMM supports guys. It is not the LDAP issue. FYI..I have used many crazy filters inside QMM J
Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/

This posting is provided AS IS with no warranties,and confers no rights.
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, October 15, 2012 7:23 AM
Friday, October 5, 2012 6:50 PM

Reply

|

Quote

Moderator

All replies

0

Sign in to vote

I like doing this using adfind from Joe Richards. There are other methods but the adfind example is below

http://www.joeware.net/freetools/tools/adfind/index.htm

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)(lastlogontimestamp>={{LOCAL:2012/6/15}})" samaccountname -nodn

lastlogontimestamp is off by 9-14 days http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

There I asked for enabled users that have a lastlogontimestamp > June 15, 2012.

Thanks

Mike
http://adisfun.blogspot.com
Follow @mekline

Friday, October 5, 2012 3:37 PM

Reply

|

Quote

0

Sign in to vote
The issue is the “have logged on” part. You can get “some” information from “LastLogonTimeStamp”. Review the following article carefullly:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

Here is an example using DSQUERY command:

dsquery * -limit 0 –filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" –attr name LastLogonTimeStamp >>output.csv

Open output.csv in Excecl and convert the time using w32tm /ntte command.

UserAccoutnControl reference - http://portal.sivarajan.com/2011/08/searching-active-directory-using.html

More DSQuery commands - http://social.technet.microsoft.com/wiki/contents/articles/3537.active-directory-active-directory-domain-services-ad-ds-commands-and-scripts-en-us.aspx

Of course you can combine everything in single step using a batch file. Or you can use a PowerShell script.
Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/

This posting is provided AS IS with no warranties,and confers no rights.
Friday, October 5, 2012 3:42 PM

Reply

|

Quote

Moderator

0

Sign in to vote
Hi Santhosh,

Thank you ..

I am using Quest AD migration manager and seems that I can only use ldap queries. I am trying to dirsync only active accounts: that have logged on within 120 days . I am have trouble formulating an ldap query that will be executed say daily . also, I won’t be able to specific a particular date in the query. cause ideally every time run the query it should find accounts logged on within last 120 days ..

"Santhosh Sivarajan-" wrote in message news:3c1c0044-9f48-4b85-9ce8-b78b82e0970e...

The issue is the “have logged on” part. You can get “some” information from “LastLogonTimeStamp”. Review the following article carefullly:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

Here is an example using DSQUERY command:

dsquery * -limit 0 –filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" –attr name LastLogonTimeStamp >>output.csv

Open output.csv in Excecl and convert the time using w32tm /ntte command.

UserAccoutnControl reference - http://portal.sivarajan.com/2011/08/searching-active-directory-using.html

More DSQuery commands - http://social.technet.microsoft.com/wiki/contents/articles/3537.active-directory-active-directory-domain-services-ad-ds-commands-and-scripts-en-us.aspx

Of course you can combine everything in single step using a batch file. Or you can use a PowerShell script.

Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/

This posting is provided AS IS with no warranties,and confers no rights.
Friday, October 5, 2012 4:01 PM

Reply

|

Quote

0

Sign in to vote
Hi Darren,

This can be achieved with the help of queries. But you may need to contact different DCs(for lastLogon) and compare the result for accurate information.

There is a tool named ADManager Plus, just look at the "Recently Logged on Reports" in it. This will give you list of users who logged in to the domain within a specific number of days(Active Users) after comparing with all DCs. you can use the trial version to get report.

Thanks and regards| Apu Pavithran
- Edited by Apu Pavithran Friday, October 5, 2012 5:34 PM
Friday, October 5, 2012 5:29 PM

Reply

|

Quote

0

Sign in to vote
Hello,

As others mentioned, you can create an LDAP query which will query the lastlogontimestamp attribute to get approximately the last logon date of users. Based on it, you can determine the users which logged on recently. Here, note that the lastlogontimestamp can be delayed with 9-14 days behind the current date. If you want to get a more precise date, you have to query lastlogon attribute on each DC you have (This attribute is not replicated) and keep the highest value of it.

To get lastlogonattribute in a readable format with a batch file, refer to this thread: http://social.technet.microsoft.com/Forums/en/ITCG/thread/19d35656-2be4-4665-822e-34c111e07da2

This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, October 15, 2012 7:23 AM
Friday, October 5, 2012 6:18 PM

Reply

|

Quote

0

Sign in to vote
If you are using QMM and taking about DirectorySync filter, you can still use the same LDAP filter. But combing both can be a challenge inside QMM. You may want run this through QMM supports guys. It is not the LDAP issue. FYI..I have used many crazy filters inside QMM J
Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/

This posting is provided AS IS with no warranties,and confers no rights.
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, October 15, 2012 7:23 AM
Friday, October 5, 2012 6:50 PM

Reply

|

Quote

Moderator

0

Sign in to vote

Hi,

I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

Regards,

Arthur Li

TechNet Subscriber Support

If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li

TechNet Community Support

Monday, October 8, 2012 7:09 AM

Reply

|

Quote

Moderator

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

ldap query find active users

Question

Answers

All replies