Thanks to the both of you.  Much appreciated and the answer was more
interesting than I initially thought it might be.  Explains a few things
that I've seen in Sec Logs and wasn't quite certain what they were.

Now, I know.

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 03, 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Bingo.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, June 03, 2005 8:28 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] lastlogontimestamp-

Kerberos requires that a principal name (SPN) be specified in order to
locate keying material (computer accounts in AD speak) necessary to secure
(encrypt) the ticket content (primarily the PAC) both in transit and within
the ticket cache of the requesting user.  Since IP addresses are not
registered as SPNs (far too chatty), the use of an IP address prohibits the
ability to identify the target computer's computer object thereby preventing
the KDC's ability to locate any shared keying material which in turn
prohibits the construction of the ticket.

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com
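
Dean's explanation in practice, as an added example that is not part of the original thread (PowerShell post-dates this 2005 discussion and none of the posters wrote this). Part one models the SPN rule: the client forms `<service class>/<host>` from the name it was given, and an IP literal cannot yield an SPN the KDC can resolve to a computer account, so the SSP negotiates down to NTLM. Part two reads `AuthenticationPackageName` out of Security event 4624 records so that the NTLM fallbacks Rick is seeing in his logs can be listed. The host names, addresses and the two 4624 records are constructed; `fileserver01.corp.example` and `10.0.0.20` are placeholders. One caveat for newer systems: Windows 10 and Windows Server 2016 onward can request a ticket for an IPv4 literal if the client has the `TryIPSPN` registry value set and an SPN containing that address has been explicitly registered on the target account; absent that, the behaviour described in the thread still holds.

```powershell
# Added example, not from the thread. Part 1 models the SPN rule Dean describes; part 2
# reads AuthenticationPackageName out of 4624 logon events so the NTLM fallbacks can be
# found in a Security log. The two events below are constructed samples.

function Get-KerberosTargetSpn {
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$ServiceClass = 'cifs'
    )
    # The client forms <class>/<host> and the KDC looks that SPN up to find the account
    # (for a file share, the computer object) whose key will encrypt the service ticket.
    # Nothing registers SPNs for IP literals, so there is no account, no key and no ticket:
    # the SSP negotiates down to NTLM instead.
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$parsed)) { return $null }
    "$ServiceClass/$($Target.ToLowerInvariant())"
}

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        $d = @{}
        foreach ($node in $doc.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            User         = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType    = [int]$d.LogonType
            AuthPackage  = $d.AuthenticationPackageName
            LmPackage    = $d.LmPackageName   # 'NTLM V1'/'NTLM V2' when NTLM was used, '-' otherwise
            ClientIp     = $d.IpAddress
            # A network logon (type 3) that authenticated with NTLM is the fallback Dean describes.
            NtlmFallback = ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM')
        }
    }
}

# Constructed 4624 records, trimmed to the fields used, in the shape EventLogRecord.ToXml() returns.
$kerberosLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">rick</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="LmPackageName">-</Data><Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
'@
$ntlmLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">rick</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V2</Data><Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
'@

$logons = $kerberosLogon, $ntlmLogon | ConvertFrom-LogonEventXml
# Against a real file server (needs local admin for the Security log):
# $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000 |
#               ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
$logons | Format-Table User, LogonType, AuthPackage, LmPackage, ClientIp, NtlmFallback -AutoSize
$logons | Group-Object AuthPackage | Select-Object Name, Count

# The SPN side: the same share reached by name and by address.
foreach ($target in 'fileserver01.corp.example', '10.0.0.20') {
    $spn = Get-KerberosTargetSpn -Target $target
    if ($spn) { '{0,-26} -> Kerberos, requests SPN {1}' -f $target, $spn }
    else      { '{0,-26} -> IP literal, no SPN to request, NTLM fallback' -f $target }
}
```

To see the same thing on a domain-joined workstation without any script: run `klist purge`, then `net use \\fileserver01\share`, then `klist`; a `cifs/fileserver01` service ticket is now in the cache. Repeat with `\\10.0.0.20\share` and no new ticket appears, while the 4624 event on the server records `AuthenticationPackageName` as NTLM.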


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 03, 2005 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

" For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used."

joe, I'm not sure that I know the reason for this.  Can you help?  (Book
versions appreciated!  :o)

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 02, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

A remote NTLM Auth would be a remote authentication of a user for a resource
that uses NTLM authentication because kerberos for some reason or another
can't be used.

For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used. In this case neither lastLogon
NOR lastLogonTimeStamp will be updated. 

These attributes also aren't updated for successful simple LDAP binds. Well,
there is an exception here. If you send bad creds, then follow them up with
good creds, you will get the attribute stamped. This is something that seems
to bite people doing AD cleanups: they will have IDs that are only used for
simple AD auths and the lastLogon never gets updated, which makes it seem like
the accounts aren't being used even though they could be authenticating
hundreds of times a minute.

   joe





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log
on by doing CTRL ALT DEL and putting in a username/password but accesses
some resource which either prompts for username/password (perhaps a web page
or email program) or uses the stored token. This doesn't update the
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for
access to this then you know who's accessing the email and (effectively)
who's not accessing the email - if you have a policy that you must access
the email at least once per month then you just check the logs each month,
build a list of those who have accessed; match this against your total list
of users and the "misses" are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses
and take and pass exams so our student records people are quite good at
keeping accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop
out, leave or get kicked out at any time of the year. If the leaving is
planned (eg they move away from London) then they are removed cleanly from
the system; if they just don't turn up for classes for a certain number of
weeks (it varies but I think it's about 4-6) then they get withdrawn.
There's no point for us leaving a student on the system if they're not
showing for classes - we don't get the funding for them (and if we leave
them on the system but they don't take the exam then that looks even worse -
we taught a student for a whole year and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to
"yesterday" and move them to an "expired" OU. If it turns out that (eg) they
were sick but didn't get round to calling then it's easy to just re-instate
the account.


Steve
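
A modern equivalent of the check this thread is circling, added here as an example; it is not code from any of the posters (PowerShell and the ActiveDirectory module both post-date the thread). It puts joe's two attributes side by side, `lastLogon`, which is not replicated and so has to be read from every DC, and `lastLogonTimestamp`, which is replicated but only rewritten when the stored value is older than `msDS-LogonTimeSyncInterval` (14 days by default, minus a random 0 to 5 days), and then applies Steve's expire-and-move handling to the candidates. It assumes RSAT's ActiveDirectory module, read access to every DC, and the hypothetical OUs `OU=Students,DC=example,DC=edu` and `OU=Expired,OU=Students,DC=example,DC=edu`; nothing is changed unless `-Apply` is passed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Assumes RSAT's ActiveDirectory module, read access to
# every DC, and the hypothetical OU paths below.
param(
    [string]$SearchBase = 'OU=Students,DC=example,DC=edu',              # assumption
    [string]$ExpiredOu  = 'OU=Expired,OU=Students,DC=example,DC=edu',   # assumption
    [int]   $StaleDays  = 90,
    [switch]$Apply                                                      # without it, every change is -WhatIf
)

function ConvertFrom-AdFileTime {
    param([Int64]$Value)
    # Both logon attributes are 100ns FILETIME integers; 0 means "never".
    if ($Value -gt 0) { [DateTime]::FromFileTime($Value) }
}

# 1. lastLogon is NOT replicated: each DC only knows the logons it validated itself,
#    so the newest value across all DCs is the only honest answer.
$newestLastLogon = @{}
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-ADUser -Filter * -SearchBase $SearchBase -Server $dc -Properties lastLogon -ErrorAction Stop |
            ForEach-Object {
                $t = ConvertFrom-AdFileTime $_.lastLogon
                if ($t -and (-not $newestLastLogon[$_.SamAccountName] -or $t -gt $newestLastLogon[$_.SamAccountName])) {
                    $newestLastLogon[$_.SamAccountName] = $t
                }
            }
    } catch {
        Write-Warning "Skipping $dc : $($_.Exception.Message)"
    }
}

# 2. lastLogonTimestamp IS replicated, but is only rewritten when the stored value is older
#    than msDS-LogonTimeSyncInterval (default 14 days, minus a random 0-5 days). Read it as
#    "active within roughly the last two weeks", never as an exact time.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = Get-ADUser -Filter {Enabled -eq $true} -SearchBase $SearchBase -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        $replicated = ConvertFrom-AdFileTime $_.lastLogonTimestamp
        $perDc      = $newestLastLogon[$_.SamAccountName]
        # whenCreated keeps brand-new accounts that have never logged on out of the stale list.
        $newest = @($replicated, $perDc, $_.whenCreated) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            LastLogonTimestamp = $replicated
            NewestLastLogon    = $perDc
            Created            = $_.whenCreated
            StaleCandidate     = ($newest -lt $cutoff)
        }
    }

$report | Sort-Object StaleCandidate -Descending | Format-Table -AutoSize

# 3. joe's caveat: an account that only authenticates through a path that does not stamp
#    these attributes looks stale here while being used constantly. Cross-check the service's
#    own logs (Steve's "plan C") before acting on the list.

# 4. Steve's workflow: expire "yesterday" and park the object in an expired OU, so a student
#    who was merely off sick is restored with Clear-ADAccountExpiration + Move-ADObject
#    instead of being recreated. Everything is -WhatIf until -Apply is given.
foreach ($s in $report | Where-Object StaleCandidate) {
    $user = Get-ADUser -Identity $s.SamAccountName
    Set-ADAccountExpiration -Identity $user -DateTime (Get-Date).AddDays(-1) -WhatIf:(-not $Apply)
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $ExpiredOu -WhatIf:(-not $Apply)
}
```

Run it once without `-Apply` and read the report; `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` gives a quicker first cut, but it relies on `lastLogonTimestamp` alone and so carries the two-week slack and the stamping caveat above.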

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Garello, 
> Kenneth
> Sent: 02 June 2005 13:45
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] lastlogontimestamp-
> 
> Steve,
> 
> Thanks for the alternate view.  Unfortunately, our business policy is 
> not that simple.  We basically allow for lifetime email as long as the 
> account is active.
> Do you simply delete the account when a student becomes inactive?  
> What determines enrollment at your school? (This is a problem in many 
> other areas of the business - did a student leave or is he just not 
> taking classes)
> 
> I would still like to understand what a "remote NTLM Authentication" 
> is.
> 
> 
> Ken
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
> Rochford
> Sent: Thursday, June 02, 2005 8:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] lastlogontimestamp-
> 
> Is it possible to approach this from another way? Do you have any 
> access to enrolled student data? If so, then it might be easier to 
> delete students who are no longer enrolled rather than try and work 
> out those who haven't logged on.
> 
> I have a script that runs at regular intervals and pulls a listing of 
> all student accounts in the AD (and before someone starts worrying, 
> yes, I do use paging :-)) For each account I then run the function 
> below which returns true if the student is still enrolled and false if 
> not. The web page it calls is on a "public" server and it provides 
> very basic info about the student or "N/A" if they're not enrolled.
> 
> You obviously need someone in your student records section to provide 
> you with such a web page but it shouldn't be a big job for them to do 
> and it then means you can clear accounts for students who are 
> regularly using the system but shouldn't be! (We have an occasional 
> problem with students who try to use the college as a free "internet
> café"!)
> 
> Steve
> 
> ' Returns True if student records still list the id as enrolled, False otherwise.
> ' The lookup page answers with the literal text "N/A" for anyone not enrolled.
> function CheckStudent(id)
>  Set oXML = CreateObject("Msxml2.ServerXMLHTTP")
>  ' Synchronous GET (last argument False) against the records web page
>  oXML.Open "GET", "http://server.cnwl.ac.uk/checkstatus.asp?id=" & id, False
>  oXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
>  oXML.Send
>  if oXML.responseText="N/A" then
>   CheckStudent=false
>  else
>   CheckStudent=true
>  end if
>  Set oXML = nothing
> end function
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Garello, 
> > Kenneth
> > Sent: 01 June 2005 14:05
> > To: ActiveDir@mail.activedir.org
> > Cc: Toro, Pedro; Poueriet, Jorge
> > Subject: RE: [ActiveDir] lastlogontimestamp-
> > 
> > David,
> > 
> > After researching, I was unable to decipher what a "remote NTLM 
> > Authentication" is.  Can you give me an example of this?
> > I am trying to come up with an effective account deletion
> policy in a
> > school with high turnover.
> > 
> > 
> > Thanks,
> > 
> > Ken
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/