Scripting. Stuff. (By Froosh)

February 2, 2009

Tracking AD last logon times

Filed under: Active Directory, Windows — Robin Frousheger @ 1:13 pm

Do some quick searches, and you will find that lastLogon is a non-replicated attribute that records when each individual Domain Controller last authenticated an account (so every DC holds its own value), and that lastLogonTimestamp (available at Windows Server 2003 domain functional level) is a replicated attribute that is only rewritten when the stored value is older than the update interval (msDS-LogonTimeSyncInterval, 14 days by default, minus a random offset of up to 5 days). It can therefore lag the real last logon by up to 14 days, but it will at least be consistent across all DCs once replication has converged.

This is reasonably useful information, and can be found just about everywhere. But what about non-Windows client logons? What happens when clients authenticate through plain LDAP, or from Mac OS X? How can I trust that "inactive accounts" identified from lastLogonTimestamp are truly inactive?

These are my results, your mileage may vary, and my results may be inconsistent with other opinions.

My test:

  1. create a new, never used, account in AD
  2. authenticate to AD with the new account from an LDAP client (Apache 2.2 with LDAP authentication on an Ubuntu server in this case)
  3. check the lastLogon attribute on every DC, and the lastLogonTimestamp attribute

My results:

  • lastLogon attributes were not updated on any DC. FAIL.
  • lastLogonTimestamp was updated, then replicated to all DCs. Success.

Conclusions:

  • Reports based on lastLogonTimestamp can be trusted to provide a list of inactive accounts, as long as your inactivity threshold is comfortably longer than 14 days: an account that logged on yesterday can still carry a lastLogonTimestamp up to 14 days old, so a shorter threshold will produce false positives. This applies to LDAP binds, and most likely to other non-Windows client authentications. A never-used account has no lastLogonTimestamp at all, so treat an empty attribute as "check whenCreated", not as "active".
  • Reports based on the lastLogon attribute can be much more accurate, but only for logons from Windows-based clients, and only if you query every DC and keep the newest value, since the attribute is not replicated. In a heterogeneous environment, they are not to be trusted on their own.
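The following script is an added example, not code from the original post. It puts both conclusions into practice: it collects lastLogon from every DC and keeps the newest value per account, reads the replicated lastLogonTimestamp once, takes the later of the two, and only flags accounts whose most recent evidence of activity is older than a threshold that is forced to exceed the 14-day lastLogonTimestamp lag. It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later) and an account that can read user objects on each DC; the parameter name and output columns are my own choices.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and read access to user objects on every DC in the domain.
param(
    [int]$InactiveDays = 90   # inactivity threshold in days (assumed default)
)

# lastLogonTimestamp is rewritten at most every 14 days (msDS-LogonTimeSyncInterval),
# so a value younger than that says nothing reliable about inactivity.
$replicationLag = 14
if ($InactiveDays -le $replicationLag) {
    throw "InactiveDays must exceed the $replicationLag-day lastLogonTimestamp update interval"
}
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# lastLogon is NOT replicated: ask every DC and remember the newest value per account.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$newestLastLogon = @{}
foreach ($dc in $dcs) {
    Get-ADUser -Filter 'enabled -eq $true' -Server $dc -Properties lastLogon |
        ForEach-Object {
            $v = [int64]$_.lastLogon          # FILETIME; 0 means "never on this DC"
            if (-not $newestLastLogon.ContainsKey($_.SamAccountName) -or
                $v -gt $newestLastLogon[$_.SamAccountName]) {
                $newestLastLogon[$_.SamAccountName] = $v
            }
        }
}

# lastLogonTimestamp IS replicated, so any one DC will do for it.
Get-ADUser -Filter 'enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        $llts = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime([int64]$_.lastLogonTimestamp)
        } else { $null }
        $ll = if ($newestLastLogon[$_.SamAccountName]) {
            [DateTime]::FromFileTime($newestLastLogon[$_.SamAccountName])
        } else { $null }

        # Most recent evidence of activity from either attribute.
        $latest = @($llts, $ll) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        # A never-used account has neither attribute: judge it by creation date instead.
        if (-not $latest) { $latest = $_.whenCreated }

        if ($latest -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                LastLogonTimestamp = $llts
                NewestLastLogon    = $ll
                Created            = $_.whenCreated
                # lastLogonTimestamp set but lastLogon never: consistent with a non-Windows (LDAP) client
                Note = $(if ($llts -and -not $ll) { 'timestamp only (non-Windows client?)' } else { '' })
            }
        }
    } | Sort-Object SamAccountName | Format-Table -AutoSize
```

Run it from a domain-joined machine as `.\Find-InactiveAccounts.ps1 -InactiveDays 90`. The Note column marks accounts that only ever touched lastLogonTimestamp, which is exactly the LDAP-client pattern the test above produced; those are the accounts a lastLogon-only report would have missed.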