RE: [ActiveDir] LastlogonTimestamp Missing

2006-10-26 Thread Doan, Tommy
Even though this is a forest built on Server 2003, you probably still have to
raise the domain/forest functional levels to 2003; this is probably not the
default functional level. LastLogonTimestamp is one of the attributes that
didn't appear until functional level 2003.

tdoan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, October 25, 2006 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: LastlogonTimestamp Missing

I have a Windows 2003 R2 single domain/forest. This domain/forest was built
upon Windows 2003 R2 so it has never had to go through any upgrades.

I wanted to query for the true last logon time/date for various users and
noticed that the LastlogonTimestamp is not an available attribute for the
user accounts. The standard non-replicated LastLogon attribute is there, but
I would obviously be more interested in the replicated LastlogonTimestamp.
The LastlogonTimestamp schema attribute has been defined and it is listed as
a systemmaycontain of the user class.

C:\adfind -sc scontainsl:lastlogontimestamp
user

Is there any reason why the LastlogonTimestamp attribute would not be
appearing for user accounts? From what I understand, the LastlogonTimestamp
attribute may not be instantiated on user accounts if the user accounts have
not logged on since a domain has been upgraded to Windows 2003, however since
this domain/forest was built upon Windows 2003 R2 this is not the case.

Any ideas on how to get this attribute instantiated properly on the user
accounts?

~Ben

RE: [ActiveDir] LastlogonTimestamp Missing

2006-10-26 Thread Passo, Larry
What is the domain mode / forest mode?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, October 25, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: LastlogonTimestamp Missing

I have a Windows 2003 R2 single domain/forest. This domain/forest was built
upon Windows 2003 R2 so it has never had to go through any upgrades.

I wanted to query for the true last logon time/date for various users and
noticed that the LastlogonTimestamp is not an available attribute for the
user accounts. The standard non-replicated LastLogon attribute is there, but
I would obviously be more interested in the replicated LastlogonTimestamp.
The LastlogonTimestamp schema attribute has been defined and it is listed as
a systemmaycontain of the user class.

C:\adfind -sc scontainsl:lastlogontimestamp
user

Is there any reason why the LastlogonTimestamp attribute would not be
appearing for user accounts? From what I understand, the LastlogonTimestamp
attribute may not be instantiated on user accounts if the user accounts have
not logged on since a domain has been upgraded to Windows 2003, however since
this domain/forest was built upon Windows 2003 R2 this is not the case.

Any ideas on how to get this attribute instantiated properly on the user
accounts?

~Ben

RE: [ActiveDir] LastlogonTimestamp Missing

2006-10-25 Thread joe
Are you in DFL2? Just building an R2 forest from scratch won't set your
functional levels, you still have to switch from mixed to native, then your
domains to DFL2 and then your forest to FFL2. Though lastLogonTimestamp will
start getting populated for your domains as you hit DFL2. 
 
  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, October 25, 2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: LastlogonTimestamp Missing


I have a Windows 2003 R2 single domain/forest.  This domain/forest was built
upon Windows 2003 R2 so it has never had to go through any upgrades.
 
I wanted to query for the true last logon time/date for various users and
noticed that the LastlogonTimestamp is not an available attribute for the
user accounts.  The standard non-replicated LastLogon attribute is there,
but I would obviously be more interested in the replicated
LastlogonTimestamp.  The LastlogonTimestamp schema attribute has been
defined and it is listed as a systemmaycontain of the user class.
 
C:\adfind -sc scontainsl:lastlogontimestamp
user
 
Is there any reason why the LastlogonTimestamp attribute would not be
appearing for user accounts?  From what I understand, the LastlogonTimestamp
attribute may not be instantiated on user accounts if the user accounts have
not logged on since a domain has been upgraded to Windows 2003, however
since this domain/forest was built upon Windows 2003 R2 this is not the
case.
 
Any ideas on how to get this attribute instantiated properly on the user
accounts?
 
~Ben

RE: [ActiveDir] lastlogontimestamp-

2005-06-03 Thread Rick Kingslan
 For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used.

joe, I'm not sure that I know the reason for this.  Can you help?  (Book
versions appreciated!  :o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 02, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

A remote NTLM Auth would be a remote authentication of a user for a resource
that uses NTLM authentication because kerberos for some reason or another
can't be used.

For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used. In this case neither lastLogon
NOR lastLogonTimeStamp will be updated. 

These attributes also aren't updated for successful simple LDAP binds as
well. Well there is an exception here. If you send bad creds, then follow
them up with good creds, you will get the attribute stamped. This is
something that seems to bite people doing AD Cleanups, they will have IDs
that are only used for simple AD Auths and the lastlogon never gets updated
which makes it seem like the accounts aren't being used even though they
could be authenticating hundreds of times a minute.

   joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log
on by doing CTRL ALT DEL and putting in a username/password but accesses
some resource which either prompts for username/password (perhaps a web page
or email program) or uses the stored token. This doesn't update the
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for
access to this then you know who's accessing the email and (effectively)
who's not accessing the email - if you have a policy that you must access
the email at least once per month then you just check the logs each month,
build a list of those who have accessed; match this against your total list
of users and the misses are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses
and take and pass exams so our student records people are quite good at
keeping accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop
out, leave or get kicked out at any time of the year. If the leaving is
planned (eg they move away from London) then they are removed cleanly from
the system; if they just don't turn up for classes for a certain number of
weeks (it varies but I think it's about 4-6) then they get withdrawn.
There's no point for us leaving a student on the system if they're not
showing for classes - we don't get the funding for them (and if we leave
them on the system but they don't take the exam then that looks even worse -
we taught a student for a whole year and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to
yesterday and move them to an expired OU. If it turns out that (eg) they
were sick but didn't get round to calling then it's easy to just re-instate
the account.


Steve

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Garello, 
 Kenneth
 Sent: 02 June 2005 13:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Steve,
 
 Thanks for the alternate view.  Unfortunately, our business policy is 
 not that simple.  We basically allow for lifetime email as long as the 
 account is active.
 Do you simply delete the account when a student becomes inactive?  
 What determines enrollment at your school? (This is a problem in many 
 other areas of the business - did a student leave or is he just not 
 taking classes)
 
 I would still like to understand what a remote NTLM Authentication 
 is.
 
 
 Ken
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
 Rochford
 Sent: Thursday, June 02, 2005 8:17 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Is it possible to approach this from another way? Do you have any 
 access to enrolled student data? If so, then it might be easier to 
 delete students who are no longer enrolled rather than try and work 
 out those who haven't logged on.
 
 I have a script that runs at regular intervals and pulls a listing of 
 all student accounts in the AD (and before someone starts worrying, 
 yes, I do use paging :-)) For each account I then run the function 
 below which returns true if the student is still enrolled and false if 
 not. The web page it calls is on a public server

RE: [ActiveDir] lastlogontimestamp-

2005-06-03 Thread Dean Wells
Kerberos requires that a principal name (SPN) be specified in order to
locate keying material (computer accounts in AD speak) necessary to secure
(encrypt) the ticket content (primarily the PAC) both in transit and within
the ticket cache of the requesting user.  Since IP addresses are not
registered as SPNs (far too chatty), the use of an IP address prohibits the
ability to identify the target computer's computer object thereby preventing
the KDC's ability to locate any shared keying material which in turn
prohibits the construction of the ticket.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 03, 2005 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

 For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used.

joe, I'm not sure that I know the reason for this.  Can you help?  (Book
versions appreciated!  :o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 02, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

A remote NTLM Auth would be a remote authentication of a user for a resource
that uses NTLM authentication because kerberos for some reason or another
can't be used.

For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used. In this case neither lastLogon
NOR lastLogonTimeStamp will be updated. 

These attributes also aren't updated for successful simple LDAP binds as
well. Well there is an exception here. If you send bad creds, then follow
them up with good creds, you will get the attribute stamped. This is
something that seems to bite people doing AD Cleanups, they will have IDs
that are only used for simple AD Auths and the lastlogon never gets updated
which makes it seem like the accounts aren't being used even though they
could be authenticating hundreds of times a minute.

   joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log
on by doing CTRL ALT DEL and putting in a username/password but accesses
some resource which either prompts for username/password (perhaps a web page
or email program) or uses the stored token. This doesn't update the
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for
access to this then you know who's accessing the email and (effectively)
who's not accessing the email - if you have a policy that you must access
the email at least once per month then you just check the logs each month,
build a list of those who have accessed; match this against your total list
of users and the misses are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses
and take and pass exams so our student records people are quite good at
keeping accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop
out, leave or get kicked out at any time of the year. If the leaving is
planned (eg they move away from London) then they are removed cleanly from
the system; if they just don't turn up for classes for a certain number of
weeks (it varies but I think it's about 4-6) then they get withdrawn.
There's no point for us leaving a student on the system if they're not
showing for classes - we don't get the funding for them (and if we leave
them on the system but they don't take the exam then that looks even worse -
we taught a student for a whole year and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to
yesterday and move them to an expired OU. If it turns out that (eg) they
were sick but didn't get round to calling then it's easy to just re-instate
the account.


Steve

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Garello, 
 Kenneth
 Sent: 02 June 2005 13:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Steve,
 
 Thanks for the alternate view.  Unfortunately, our business policy is 
 not that simple.  We basically allow for lifetime email as long as the 
 account is active.
 Do you simply delete the account when a student becomes inactive?  
 What determines enrollment at your school? (This is a problem in many 
 other areas of the business - did a student leave or is he just not 
 taking classes)
 
 I would still like to understand what a remote

RE: [ActiveDir] lastlogontimestamp-

2005-06-03 Thread joe
Bingo.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, June 03, 2005 8:28 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] lastlogontimestamp-

Kerberos requires that a principal name (SPN) be specified in order to
locate keying material (computer accounts in AD speak) necessary to secure
(encrypt) the ticket content (primarily the PAC) both in transit and within
the ticket cache of the requesting user.  Since IP addresses are not
registered as SPNs (far too chatty), the use of an IP address prohibits the
ability to identify the target computer's computer object thereby preventing
the KDC's ability to locate any shared keying material which in turn
prohibits the construction of the ticket.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 03, 2005 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

 For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used.

joe, I'm not sure that I know the reason for this.  Can you help?  (Book
versions appreciated!  :o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 02, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

A remote NTLM Auth would be a remote authentication of a user for a resource
that uses NTLM authentication because kerberos for some reason or another
can't be used.

For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used. In this case neither lastLogon
NOR lastLogonTimeStamp will be updated. 

These attributes also aren't updated for successful simple LDAP binds as
well. Well there is an exception here. If you send bad creds, then follow
them up with good creds, you will get the attribute stamped. This is
something that seems to bite people doing AD Cleanups, they will have IDs
that are only used for simple AD Auths and the lastlogon never gets updated
which makes it seem like the accounts aren't being used even though they
could be authenticating hundreds of times a minute.

   joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log
on by doing CTRL ALT DEL and putting in a username/password but accesses
some resource which either prompts for username/password (perhaps a web page
or email program) or uses the stored token. This doesn't update the
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for
access to this then you know who's accessing the email and (effectively)
who's not accessing the email - if you have a policy that you must access
the email at least once per month then you just check the logs each month,
build a list of those who have accessed; match this against your total list
of users and the misses are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses
and take and pass exams so our student records people are quite good at
keeping accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop
out, leave or get kicked out at any time of the year. If the leaving is
planned (eg they move away from London) then they are removed cleanly from
the system; if they just don't turn up for classes for a certain number of
weeks (it varies but I think it's about 4-6) then they get withdrawn.
There's no point for us leaving a student on the system if they're not
showing for classes - we don't get the funding for them (and if we leave
them on the system but they don't take the exam then that looks even worse -
we taught a student for a whole year and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to
yesterday and move them to an expired OU. If it turns out that (eg) they
were sick but didn't get round to calling then it's easy to just re-instate
the account.


Steve

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Garello, 
 Kenneth
 Sent: 02 June 2005 13:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Steve,
 
 Thanks for the alternate view.  Unfortunately, our business policy is 
 not that simple.  We basically allow for lifetime email as long as the 
 account is active.
 Do you simply delete the account when a student becomes

RE: [ActiveDir] lastlogontimestamp-

2005-06-03 Thread Rick Kingslan
Thanks to the both of you.  Much appreciated and the answer was more
interesting than I initially thought it might be.  Explains a few things
that I've seen in Sec Logs and wasn't quite certain what they were.

Now, I know.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 03, 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Bingo.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, June 03, 2005 8:28 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] lastlogontimestamp-

Kerberos requires that a principal name (SPN) be specified in order to
locate keying material (computer accounts in AD speak) necessary to secure
(encrypt) the ticket content (primarily the PAC) both in transit and within
the ticket cache of the requesting user.  Since IP addresses are not
registered as SPNs (far too chatty), the use of an IP address prohibits the
ability to identify the target computer's computer object thereby preventing
the KDC's ability to locate any shared keying material which in turn
prohibits the construction of the ticket.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 03, 2005 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

 For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used.

joe, I'm not sure that I know the reason for this.  Can you help?  (Book
versions appreciated!  :o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 02, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

A remote NTLM Auth would be a remote authentication of a user for a resource
that uses NTLM authentication because kerberos for some reason or another
can't be used.

For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used. In this case neither lastLogon
NOR lastLogonTimeStamp will be updated. 

These attributes also aren't updated for successful simple LDAP binds as
well. Well there is an exception here. If you send bad creds, then follow
them up with good creds, you will get the attribute stamped. This is
something that seems to bite people doing AD Cleanups, they will have IDs
that are only used for simple AD Auths and the lastlogon never gets updated
which makes it seem like the accounts aren't being used even though they
could be authenticating hundreds of times a minute.

   joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log
on by doing CTRL ALT DEL and putting in a username/password but accesses
some resource which either prompts for username/password (perhaps a web page
or email program) or uses the stored token. This doesn't update the
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for
access to this then you know who's accessing the email and (effectively)
who's not accessing the email - if you have a policy that you must access
the email at least once per month then you just check the logs each month,
build a list of those who have accessed; match this against your total list
of users and the misses are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses
and take and pass exams so our student records people are quite good at
keeping accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop
out, leave or get kicked out at any time of the year. If the leaving is
planned (eg they move away from London) then they are removed cleanly from
the system; if they just don't turn up for classes for a certain number of
weeks (it varies but I think it's about 4-6) then they get withdrawn.
There's no point for us leaving a student on the system if they're not
showing for classes - we don't get the funding for them (and if we leave
them on the system but they don't take the exam then that looks even worse -
we taught a student for a whole year and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to
yesterday and move them to an expired OU. If it turns out that (eg) they
were sick but didn't get round to calling then it's easy to just re-instate
the account.


Steve

 -Original

RE: [ActiveDir] lastlogontimestamp-

2005-06-02 Thread Steve Rochford
Is it possible to approach this from another way? Do you have any access to 
enrolled student data? If so, then it might be easier to delete students who 
are no longer enrolled rather than try and work out those who haven't logged on.

I have a script that runs at regular intervals and pulls a listing of all 
student accounts in the AD (and before someone starts worrying, yes, I do use 
paging :-)) For each account I then run the function below which returns true 
if the student is still enrolled and false if not. The web page it calls is on 
a public server and it provides very basic info about the student or N/A if 
they're not enrolled. 

You obviously need someone in your student records section to provide you with 
such a web page but it shouldn't be a big job for them to do and it then means 
you can clear accounts for students who are regularly using the system but 
shouldn't be! (We have an occasional problem with students who try to use the 
college as a free internet café!)

Steve

function CheckStudent(id)
 ' Ask the student-records web page whether this id is still enrolled
 Set oXML = CreateObject("Msxml2.ServerXMLHTTP")
 oXML.Open "GET", "http://server.cnwl.ac.uk/checkstatus.asp?id=" & id, False
 oXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
 oXML.Send
 ' The page answers "N/A" for a student who is no longer enrolled
 if oXML.responseText = "N/A" then
  CheckStudent = false
 else
  CheckStudent = true
 end if
 Set oXML = nothing
end function

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Garello, Kenneth
 Sent: 01 June 2005 14:05
 To: ActiveDir@mail.activedir.org
 Cc: Toro, Pedro; Poueriet, Jorge
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 David,
 
 After researching, I was unable to decipher what a remote 
 NTLM Authentication is.  Can you give me an example of this?
 I am trying to come up with an effective account deletion 
 policy in a school with high turnover.
 
 
 Thanks,
 
 Ken
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
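The account-cleanup logic this thread circles around, written out as an added Python example (not code from the list or from any poster): it reads lastLogon per DC and lastLogonTimestamp in their FILETIME encoding, then cross-checks an external access log in the spirit of Steve's "plan C", so that the accounts joe describes (used only through simple LDAP binds or NTLM by IP, which never stamp either attribute) are not mistaken for idle ones. Account names, DC names and the log line format are constructed assumptions.

```python
"""Stale-account triage that does not trust lastLogonTimestamp alone.

Added example, not code from the thread. All records are constructed: AD
values are given in FILETIME form (100-ns ticks since 1601-01-01 UTC, the
encoding of lastLogon and lastLogonTimestamp); the access log is assumed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft):
    """AD large-integer timestamp -> aware UTC datetime; 0 or None = never stamped."""
    if not ft:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion in integer arithmetic so nothing is lost in a float."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def newest_ad_logon(user):
    """Newest logon AD knows about. lastLogon is not replicated, so the caller
    collects one value per DC; lastLogonTimestamp is replicated but is only
    stamped at Windows 2003 domain functional level and, as joe notes, is not
    updated by NTLM-by-IP access or by successful simple LDAP binds."""
    stamps = [filetime_to_datetime(v) for v in user.get("lastLogon_by_dc", {}).values()]
    stamps.append(filetime_to_datetime(user.get("lastLogonTimestamp")))
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def parse_access_log(lines):
    """Constructed format: '<ISO-8601 UTC> <service> <sAMAccountName>'.
    Returns the most recent access seen per account."""
    last_seen = {}
    for line in lines:
        stamp, _service, account = line.split()
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if account not in last_seen or when > last_seen[account]:
            last_seen[account] = when
    return last_seen


def classify(user, last_seen, now, max_idle_days=30):
    """Verdict for one account: 'active', 'stale' or 'never-used', plus the evidence."""
    cutoff = now - timedelta(days=max_idle_days)
    ad_logon = newest_ad_logon(user)
    external = last_seen.get(user["sAMAccountName"])
    if ad_logon is not None and ad_logon >= cutoff:
        return "active", "AD logon attribute within window"
    if external is not None and external >= cutoff:
        # joe's trap: accounts used only via simple binds or NTLM by IP look idle in AD
        return "active", "AD attributes idle but external log shows recent use"
    if ad_logon is None and external is None:
        return "never-used", "no logon stamp on any DC and no external activity"
    return "stale", "no AD logon or external activity inside window"


def triage(users, log_lines, now, max_idle_days=30):
    """Map sAMAccountName -> (verdict, reason) for a batch of accounts."""
    last_seen = parse_access_log(log_lines)
    return {u["sAMAccountName"]: classify(u, last_seen, now, max_idle_days) for u in users}


# --- constructed sample data (not from the thread) ---
def midnight_ft(year, month, day):
    """FILETIME for midnight UTC on the given date."""
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


NOW = datetime(2005, 6, 3, 12, 0, tzinfo=timezone.utc)

SAMPLE_USERS = [
    # interactive logon, replicated normally
    {"sAMAccountName": "ben", "lastLogonTimestamp": midnight_ft(2005, 5, 30)},
    # lastLogonTimestamp is old but the non-replicated lastLogon on DC2 is fresh
    {"sAMAccountName": "jdoe", "lastLogonTimestamp": midnight_ft(2005, 2, 1),
     "lastLogon_by_dc": {"DC1": midnight_ft(2005, 2, 1), "DC2": midnight_ft(2005, 5, 20)}},
    # mail-only account authenticating by simple LDAP bind: AD never stamps it
    {"sAMAccountName": "svc-mail", "lastLogonTimestamp": midnight_ft(2005, 1, 10)},
    # created but never used anywhere
    {"sAMAccountName": "ghost", "lastLogonTimestamp": 0, "lastLogon_by_dc": {"DC1": 0}},
    # genuinely idle
    {"sAMAccountName": "olduser", "lastLogonTimestamp": midnight_ft(2005, 1, 15)},
]

SAMPLE_LOG = [
    "2005-06-02T08:15:00Z imap svc-mail",
    "2005-04-01T09:00:00Z webmail olduser",
]

if __name__ == "__main__":
    for name, (verdict, why) in sorted(triage(SAMPLE_USERS, SAMPLE_LOG, NOW).items()):
        print(f"{name:<10} {verdict:<10} {why}")
```

The external log is the only evidence that keeps svc-mail off the deletion list; without it the account reads as idle since January.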


RE: [ActiveDir] lastlogontimestamp-

2005-06-02 Thread Garello, Kenneth
Steve,

Thanks for the alternate view.  Unfortunately, our business policy is not that 
simple.  We basically allow for lifetime email as long as the account is 
active. 
Do you simply delete the account when a student becomes inactive?  What 
determines enrollment at your school? (This is a problem in many other areas of 
the business - did a student leave or is he just not taking classes)

I would still like to understand what a remote NTLM Authentication is.


Ken


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Is it possible to approach this from another way? Do you have any access to 
enrolled student data? If so, then it might be easier to delete students who 
are no longer enrolled rather than try and work out those who haven't logged on.

I have a script that runs at regular intervals and pulls a listing of all 
student accounts in the AD (and before someone starts worrying, yes, I do use 
paging :-)) For each account I then run the function below which returns true 
if the student is still enrolled and false if not. The web page it calls is on 
a public server and it provides very basic info about the student or N/A if 
they're not enrolled. 

You obviously need someone in your student records section to provide you with 
such a web page but it shouldn't be a big job for them to do and it then means 
you can clear accounts for students who are regularly using the system but 
shouldn't be! (We have an occasional problem with students who try to use the 
college as a free internet café!)

Steve

function CheckStudent(id)
 ' Ask the student-records web page whether this id is still enrolled
 Set oXML = CreateObject("Msxml2.ServerXMLHTTP")
 oXML.Open "GET", "http://server.cnwl.ac.uk/checkstatus.asp?id=" & id, False
 oXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
 oXML.Send
 ' The page answers "N/A" for a student who is no longer enrolled
 if oXML.responseText = "N/A" then
  CheckStudent = false
 else
  CheckStudent = true
 end if
 Set oXML = nothing
end function

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Garello, Kenneth
 Sent: 01 June 2005 14:05
 To: ActiveDir@mail.activedir.org
 Cc: Toro, Pedro; Poueriet, Jorge
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 David,
 
 After researching, I was unable to decipher what a remote 
 NTLM Authentication is.  Can you give me an example of this?
 I am trying to come up with an effective account deletion 
 policy in a school with high turnover.
 
 
 Thanks,
 
 Ken


RE: [ActiveDir] lastlogontimestamp-

2005-06-02 Thread Steve Rochford
As I understand it, remote NTLM authentication is when someone doesn't log on 
by doing CTRL ALT DEL and putting in a username/password but accesses some 
resource which either prompts for username/password (perhaps a web page or 
email program) or uses the stored token. This doesn't update the 
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students 
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for access 
to this then you know who's accessing the email and (effectively) who's not 
accessing the email - if you have a policy that you must access the email at 
least once per month then you just check the logs each month, build a list of 
those who have accessed; match this against your total list of users and the 
misses are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses and 
take and pass exams so our student records people are quite good at keeping 
accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop out, 
leave or get kicked out at any time of the year. If the leaving is planned (eg 
they move away from London) then they are removed cleanly from the system; if 
they just don't turn up for classes for a certain number of weeks (it varies 
but I think it's about 4-6) then they get withdrawn. There's no point for us 
leaving a student on the system if they're not showing for classes - we don't 
get the funding for them (and if we leave them on the system but they don't 
take the exam then that looks even worse - we taught a student for a whole year 
and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to 
yesterday and move them to an expired OU. If it turns out that (eg) they 
were sick but didn't get round to calling then it's easy to just re-instate the 
account.


Steve

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Garello, Kenneth
 Sent: 02 June 2005 13:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Steve,
 
 Thanks for the alternate view.  Unfortunately, our business 
 policy is not that simple.  We basically allow for lifetime 
 email as long as the account is active. 
 Do you simply delete the account when a student becomes 
 inactive?  What determines enrollment at your school? (This 
 is a problem in many other areas of the business - did a 
 student leave or is he just not taking classes)
 
 I would still like to understand what a remote NTLM 
 Authentication is.
 
 
 Ken
 
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Steve Rochford
 Sent: Thursday, June 02, 2005 8:17 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Is it possible to approach this from another way? Do you have 
 any access to enrolled student data? If so, then it might be 
 easier to delete students who are no longer enrolled rather 
 than try and work out those who haven't logged on.
 
 I have a script that runs at regular intervals and pulls a 
 listing of all student accounts in the AD (and before someone 
 starts worrying, yes, I do use paging :-)) For each account I 
 then run the function below which returns true if the student 
 is still enrolled and false if not. The web page it calls is 
 on a public server and it provides very basic info about 
 the student or N/A if they're not enrolled. 
 
 You obviously need someone in your student records section to 
 provide you with such a web page but it shouldn't be a big 
 job for them to do and it then means you can clear accounts 
 for students who are regularly using the system but shouldn't 
 be! (We have an occasional problem with students who try to 
 use the college as a free internet café!)
 
 Steve
 
 ' Returns True if the student-records page knows this id, False if it answers "N/A"
 function CheckStudent(id)
  Set oXML = CreateObject("Msxml2.ServerXMLHTTP")
  ' Synchronous GET: False means do not return until the response has arrived
  oXML.Open "GET", "http://server.cnwl.ac.uk/checkstatus.asp?id=" & id, False
  oXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
  oXML.Send
  ' The page returns basic student info, or the literal text N/A when not enrolled
  if oXML.responseText = "N/A" then
   CheckStudent = false
  else
   CheckStudent = true
  end if
  Set oXML = nothing
 end function
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Garello, 
  Kenneth
  Sent: 01 June 2005 14:05
  To: ActiveDir@mail.activedir.org
  Cc: Toro, Pedro; Poueriet, Jorge
  Subject: RE: [ActiveDir] lastlogontimestamp-
  
  David,
  
  After researching, I was unable to decipher what a remote NTLM 
  Authentication is.  Can you give me an example of this?
  I am trying to come up with an effective account deletion policy in a 
  school with high turnover.
  
  
  Thanks,
  
  Ken

RE: [ActiveDir] lastlogontimestamp-

2005-06-02 Thread Garello, Kenneth
Steve,

I have just verified that OWA is updating the lastlogontimestamp (Win2003 AD, 
Exchange 2003 SP1), which is what I was most concerned with. The other issues 
(stored token) should be few and far between, so the six-month lag should be 
good enough to catch it.

I think we are going to remove the mailbox and then move the Active Directory 
account to a special OU, pretty much as you are doing. We seem to have a lot of 
account re-enables 2 months after we delete them.

Thanks for your time,

Ken

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log on 
by doing CTRL ALT DEL and putting in a username/password but accesses some 
resource which either prompts for username/password (perhaps a web page or 
email program) or uses the stored token. This doesn't update the 
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students 
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for access 
to this then you know who's accessing the email and (effectively) who's not 
accessing the email - if you have a policy that you must access the email at 
least once per month then you just check the logs each month, build a list of 
those who have accessed; match this against your total list of users and the 
misses are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses and 
take and pass exams so our student records people are quite good at keeping 
accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop out, 
leave or get kicked out at any time of the year. If the leaving is planned (eg 
they move away from London) then they are removed cleanly from the system; if 
they just don't turn up for classes for a certain number of weeks (it varies 
but I think it's about 4-6) then they get withdrawn. There's no point for us 
leaving a student on the system if they're not showing for classes - we don't 
get the funding for them (and if we leave them on the system but they don't 
take the exam then that looks even worse - we taught a student for a whole year 
and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to 
yesterday and move them to an expired OU. If it turns out that (eg) they 
were sick but didn't get round to calling then it's easy to just re-instate the 
account.


Steve

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Garello, Kenneth
 Sent: 02 June 2005 13:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Steve,
 
 Thanks for the alternate view.  Unfortunately, our business 
 policy is not that simple.  We basically allow for lifetime 
 email as long as the account is active. 
 Do you simply delete the account when a student becomes 
 inactive?  What determines enrollment at your school? (This 
 is a problem in many other areas of the business - did a 
 student leave or is he just not taking classes)
 
 I would still like to understand what a remote NTLM 
 Authentication is.
 
 
 Ken
 
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Steve Rochford
 Sent: Thursday, June 02, 2005 8:17 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Is it possible to approach this from another way? Do you have 
 any access to enrolled student data? If so, then it might be 
 easier to delete students who are no longer enrolled rather 
 than try and work out those who haven't logged on.
 
 I have a script that runs at regular intervals and pulls a 
 listing of all student accounts in the AD (and before someone 
 starts worrying, yes, I do use paging :-)) For each account I 
 then run the function below which returns true if the student 
 is still enrolled and false if not. The web page it calls is 
 on a public server and it provides very basic info about 
 the student or N/A if they're not enrolled. 
 
 You obviously need someone in your student records section to 
 provide you with such a web page but it shouldn't be a big 
 job for them to do and it then means you can clear accounts 
 for students who are regularly using the system but shouldn't 
 be! (We have an occasional problem with students who try to 
 use the college as a free internet café!)
 
 Steve
 
 ' Returns True if the student-records page knows this id, False if it answers "N/A"
 function CheckStudent(id)
  Set oXML = CreateObject("Msxml2.ServerXMLHTTP")
  ' Synchronous GET: False means do not return until the response has arrived
  oXML.Open "GET", "http://server.cnwl.ac.uk/checkstatus.asp?id=" & id, False
  oXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
  oXML.Send
  ' The page returns basic student info, or the literal text N/A when not enrolled
  if oXML.responseText = "N/A" then
   CheckStudent = false
  else
   CheckStudent = true
  end if
  Set oXML = nothing
 end function

RE: [ActiveDir] lastlogontimestamp-

2005-06-02 Thread Marcus.Oh
That's great info... and timely.  I need to implement something like this here 
too.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garello, Kenneth
Sent: Thursday, June 02, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Steve,

I have just verified that OWA is updating the lastlogontimestamp (Win2003 AD, 
Exchange 2003 SP1), which is what I was most concerned with. The other issues 
(stored token) should be few and far between, so the six-month lag should be 
good enough to catch it.

I think we are going to remove the mailbox and then move the Active Directory 
account to a special OU, pretty much as you are doing. We seem to have a lot of 
account re-enables 2 months after we delete them.

Thanks for your time,

Ken

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log on 
by doing CTRL ALT DEL and putting in a username/password but accesses some 
resource which either prompts for username/password (perhaps a web page or 
email program) or uses the stored token. This doesn't update the 
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students 
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for access 
to this then you know who's accessing the email and (effectively) who's not 
accessing the email - if you have a policy that you must access the email at 
least once per month then you just check the logs each month, build a list of 
those who have accessed; match this against your total list of users and the 
misses are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses and 
take and pass exams so our student records people are quite good at keeping 
accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop out, 
leave or get kicked out at any time of the year. If the leaving is planned (eg 
they move away from London) then they are removed cleanly from the system; if 
they just don't turn up for classes for a certain number of weeks (it varies 
but I think it's about 4-6) then they get withdrawn. There's no point for us 
leaving a student on the system if they're not showing for classes - we don't 
get the funding for them (and if we leave them on the system but they don't 
take the exam then that looks even worse - we taught a student for a whole year 
and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to 
yesterday and move them to an expired OU. If it turns out that (eg) they 
were sick but didn't get round to calling then it's easy to just re-instate the 
account.


Steve

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Garello, Kenneth
 Sent: 02 June 2005 13:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Steve,
 
 Thanks for the alternate view.  Unfortunately, our business 
 policy is not that simple.  We basically allow for lifetime 
 email as long as the account is active. 
 Do you simply delete the account when a student becomes 
 inactive?  What determines enrollment at your school? (This 
 is a problem in many other areas of the business - did a 
 student leave or is he just not taking classes)
 
 I would still like to understand what a remote NTLM 
 Authentication is.
 
 
 Ken
 
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Steve Rochford
 Sent: Thursday, June 02, 2005 8:17 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Is it possible to approach this from another way? Do you have 
 any access to enrolled student data? If so, then it might be 
 easier to delete students who are no longer enrolled rather 
 than try and work out those who haven't logged on.
 
 I have a script that runs at regular intervals and pulls a 
 listing of all student accounts in the AD (and before someone 
 starts worrying, yes, I do use paging :-)) For each account I 
 then run the function below which returns true if the student 
 is still enrolled and false if not. The web page it calls is 
 on a public server and it provides very basic info about 
 the student or N/A if they're not enrolled. 
 
 You obviously need someone in your student records section to 
 provide you with such a web page but it shouldn't be a big 
 job for them to do and it then means you can clear accounts 
 for students who are regularly using the system but shouldn't 
 be! (We have an occasional problem with students who try to 
 use the college as a free internet café!)
 
 Steve

RE: [ActiveDir] lastlogontimestamp-

2005-06-02 Thread joe
A remote NTLM auth would be a remote authentication of a user for a resource
that uses NTLM authentication because Kerberos, for some reason or another,
can't be used.

For instance... If you connect to a resource via IP, Kerberos will not be
used; instead pass-through NTLM will be used. In this case neither lastLogon
NOR lastLogonTimeStamp will be updated. 

These attributes also aren't updated for successful simple LDAP binds. Well,
there is an exception here. If you send bad creds, then follow them up with
good creds, you will get the attribute stamped. This is something that seems
to bite people doing AD cleanups: they will have IDs that are only used for
simple AD auths and the lastlogon never gets updated, which makes it seem like
the accounts aren't being used even though they could be authenticating
hundreds of times a minute.

   joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log
on by doing CTRL ALT DEL and putting in a username/password but accesses
some resource which either prompts for username/password (perhaps a web page
or email program) or uses the stored token. This doesn't update the
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for
access to this then you know who's accessing the email and (effectively)
who's not accessing the email - if you have a policy that you must access
the email at least once per month then you just check the logs each month,
build a list of those who have accessed; match this against your total list
of users and the misses are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses
and take and pass exams so our student records people are quite good at
keeping accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop
out, leave or get kicked out at any time of the year. If the leaving is
planned (eg they move away from London) then they are removed cleanly from
the system; if they just don't turn up for classes for a certain number of
weeks (it varies but I think it's about 4-6) then they get withdrawn.
There's no point for us leaving a student on the system if they're not
showing for classes - we don't get the funding for them (and if we leave
them on the system but they don't take the exam then that looks even worse -
we taught a student for a whole year and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to
yesterday and move them to an expired OU. If it turns out that (eg) they
were sick but didn't get round to calling then it's easy to just re-instate
the account.


Steve

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Garello, 
 Kenneth
 Sent: 02 June 2005 13:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Steve,
 
 Thanks for the alternate view.  Unfortunately, our business policy is 
 not that simple.  We basically allow for lifetime email as long as the 
 account is active.
 Do you simply delete the account when a student becomes inactive?  
 What determines enrollment at your school? (This is a problem in many 
 other areas of the business - did a student leave or is he just not 
 taking classes)
 
 I would still like to understand what a remote NTLM Authentication 
 is.
 
 
 Ken
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
 Rochford
 Sent: Thursday, June 02, 2005 8:17 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] lastlogontimestamp-
 
 Is it possible to approach this from another way? Do you have any 
 access to enrolled student data? If so, then it might be easier to 
 delete students who are no longer enrolled rather than try and work 
 out those who haven't logged on.
 
 I have a script that runs at regular intervals and pulls a listing of 
 all student accounts in the AD (and before someone starts worrying, 
 yes, I do use paging :-)) For each account I then run the function 
 below which returns true if the student is still enrolled and false if 
 not. The web page it calls is on a public server and it provides 
 very basic info about the student or N/A if they're not enrolled.
 
 You obviously need someone in your student records section to provide 
 you with such a web page but it shouldn't be a big job for them to do 
 and it then means you can clear accounts for students who are 
 regularly using the system but shouldn't be! (We have an occasional 
 problem with students who try to use the college as a free internet 
 café!)
 
 Steve

RE: [ActiveDir] lastlogontimestamp-

2005-06-01 Thread Garello, Kenneth
David,

After researching, I was unable to decipher what a remote NTLM
Authentication is.  Can you give me an example of this?
I am trying to come up with an effective account deletion policy in a
school with high turnover.


Thanks,

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, May 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

In 2003 RTM lastLogonTimeStamp gets updated during Kerberos authentications
and interactive NTLM authentications.  Remote NTLM auths do not cause it to
be updated.  There was talk to get this changed in SP1.

 -Original Message-
 To make matters worse, there is a fix out there somewhere 
 that causes ntlm auth to actually update this field (or am I 
 just dreaming it? :)



RE: [ActiveDir] lastlogontimestamp-

2005-05-31 Thread deji
You are ascribing more power to me than I possess, Rick :p
 
There is no known way to get Joe's head to be bigger than it currently is.
It's sooo big it has its own separate zip/area code :-0
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 5/29/2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 



note to Deji
You just made joe's head bigger...
/note to Deji

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

I'll yield on this and stand corrected. Although I did not exactly remember
reading about (or observing) this behavior, current materials I just
consulted say that Joe and Diane are correct - as always.

note to self
Got to read more.
/note to self

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/27/2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-



Yes, I agree with you, it is incorrect.

BDCs weren't entirely read-only; non-replicating attributes such as last
logon, bad password count, etc. were written locally, and yes, you had to query
all DCs to get an accurate accounting of what happened.

If this were the architecture of NT4, the PDC would have burned to the
ground in any decent sized enterprise.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, May 27, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

 In NT4, all updates go up to the PDC. This is why you will get a true last login report

Not that my small wattage can hold a candle to the brain power for the
others on the list but isn't this incorrect?  IIRC, under NT 4.0 the last
logon went to the authenticating DC.  That is why you had to query all the
DCs in a domain to get an accurate lastlogon value for an account.

Updates to an account such as pwd changes, etc went to the DC.

Not that it really matters since NT 4.0 is no longer relevant.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last
login report.

Post NT4, most updates take place on any DC, and lastlogon is one such
update. Because it is possible that a user can be authenticated by different
DC at different time, AND because lastlogon is NOT replicated between DCs,
you will get different lastlogon report, depending on which DC you are
querying for it. The reason you are getting a consistent report today is
likely because you are querying the DC that logged you in today. If you
query ANOTHER DC now, you will get a different result IF that DC had not
authenticated you today.

Lastlogontimestamp was introduced in 2K3 to address this lack of correlation
in a multi-DC environment. Lastlogontimestamp is eventually replicated and
adjusted, so you will get more consistent result if you query multiple DCs
for lastlogontimestamp. Before lastlogontimestamp, you will have to query
ALL your DCs for lastlogon, then you will have to compare the results they
give you and find the most current in order to get a semblance of accurate
last logon.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-



Hi Al,

Thank you for taking the time to reply, and I very much appreciate your
effort on researching this. You know that I recall using USRSTAT on an NT4
Domain and it would show the Domain Controller that actually authenticated
the user account; however, it does not seem to display this output in an
Active Directory Forest. Go figure...

BTW: My last logon is the correct time and I have logged in several times
today.

Have a happy Memorial Day weekend!

Peace!

Jose :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
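
The two approaches discussed in this thread, Steve's "plan C" of reconciling mail access logs against the user list and Dèjì's method of querying every DC for lastLogon and keeping the newest value, combined into one added Python example. This is not code from the original thread or from any of its posters. All DC values, lastLogonTimestamp values and access-log lines are constructed sample data in a made-up log format; the six-month threshold is the one Ken mentions, and the 14-day default for msDS-LogonTimeSyncInterval noted in the comments comes from general AD knowledge, not from the thread.

```python
"""Stale-account triage combining the non-replicated lastLogon from every DC,
the replicated lastLogonTimestamp, and mail access logs (the thread's "plan C").
All directory values and log lines below are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

# AD stores lastLogon / lastLogonTimestamp as Integer8 (Windows FILETIME):
# 100-nanosecond ticks since 1601-01-01 UTC. A value of 0 means "never set".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Integer8 ticks -> aware datetime, or None when the attribute was never stamped."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> Integer8 ticks (used here only to build the sample data)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Fixed "now" so the sample evaluates the same way on every run.
NOW = datetime(2005, 6, 2, 12, 0, tzinfo=timezone.utc)


def _days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))


# Constructed: lastLogon as each DC would report it. It is NOT replicated, so each
# DC holds only the logons it serviced itself and 0 where it serviced none.
LASTLOGON_BY_DC = {
    "dc1": {"alice": _days_ago(10), "bob": 0, "carol": _days_ago(300), "dave": 0},
    "dc2": {"alice": 0,             "bob": 0, "carol": _days_ago(200), "dave": 0},
}

# Constructed: lastLogonTimestamp as read from any one DC. It replicates, but a DC
# only rewrites it when the stored value is older than msDS-LogonTimeSyncInterval
# (14 days by default; general AD knowledge), so it lags the true last logon.
LASTLOGONTIMESTAMP = {"alice": _days_ago(20), "bob": 0, "carol": _days_ago(210), "dave": 0}

# Constructed mail access log (made-up format). Stored-token / remote NTLM access
# that never stamps the directory still leaves a trace here; bob is that case.
ACCESS_LOG = """\
2005-05-03 08:14:02 OWA  user=bob   result=200
2005-05-03 08:15:40 IMAP user=alice result=OK
2004-11-20 17:01:09 OWA  user=carol result=200
this line is noise and does not match the format
"""
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +\S+ +user=(\w+)")


def last_seen_in_logs(log_text):
    """Newest access timestamp per user, parsed from the constructed log format."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        user = m.group(2)
        if user not in seen or ts > seen[user]:
            seen[user] = ts
    return seen


def true_last_logon(sam, lastlogon_by_dc, llts):
    """Dèjì's method: newest lastLogon across ALL DCs, with lastLogonTimestamp folded
    in so that a logon serviced by a DC that has since been retired is not lost."""
    stamps = [filetime_to_datetime(per_dc.get(sam, 0)) for per_dc in lastlogon_by_dc.values()]
    stamps.append(filetime_to_datetime(llts.get(sam, 0)))
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def classify(sam, now, lastlogon_by_dc, llts, log_seen, stale_days=180):
    """'active', 'stale' (no evidence within stale_days) or 'never-logged-on'.
    stale_days must exceed the sync interval, otherwise a recently used but not yet
    restamped account gets flagged; the thread's six months is comfortably above it."""
    evidence = [true_last_logon(sam, lastlogon_by_dc, llts), log_seen.get(sam)]
    evidence = [e for e in evidence if e is not None]
    if not evidence:
        return "never-logged-on"
    return "stale" if now - max(evidence) > timedelta(days=stale_days) else "active"


def stale_report(now=NOW, stale_days=180):
    """Classification for every account in the directory sample."""
    log_seen = last_seen_in_logs(ACCESS_LOG)
    accounts = sorted(LASTLOGONTIMESTAMP)  # stands in for the directory's full user list
    return {sam: classify(sam, now, LASTLOGON_BY_DC, LASTLOGONTIMESTAMP, log_seen, stale_days)
            for sam in accounts}


if __name__ == "__main__":
    for sam, state in stale_report().items():
        print(f"{sam:8} {state}")
```

In the sample, carol's newest evidence is the log entry from November 2004, which is older than six months, so she is reported stale even though two DCs hold different lastLogon values for her; bob has never stamped the directory at all but is kept active purely on log evidence, which is the gap Steve's plan C closes. The "stale" output is the list of candidates for the expire-and-move-to-OU step Steve and Ken describe, not a deletion list.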

RE: [ActiveDir] lastlogontimestamp-

2005-05-31 Thread Ayers, Diane
I'm staying out of it.   I'll let you guys settle it.  :-) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 30, 2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

Hey I was simply agreeing with Diane, she is the one that knew it was wrong.
:o)
   
   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, May 29, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

note to Deji
You just made joe's head bigger...
/note to Deji

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

I'll yield on this and stand corrected. Although I did not exactly remember 
reading about (or observing) this behavior, current materials I just consulted 
say that Joe and Diane are correct - as always.
 
note to self
Got to read more.
/note to self
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/27/2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 



Yes, I agree with you, it is incorrect.

BDCs weren't entirely read-only; non-replicating attributes such as last 
logon, bad password count, etc. were written locally, and yes, you had to query 
all DCs to get an accurate accounting of what happened.

If this were the architecture of NT4, the PDC would have burned to the ground 
in any decent sized enterprise.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, May 27, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

 In NT4, all updates go up to the PDC. This is why you will get a true last login report

Not that my small wattage can hold a candle to the brain power for the others 
on the list but isn't this incorrect?  IIRC, under NT 4.0 the last logon went 
to the authenticating DC.  That is why you had to query all the DCs in a domain 
to get an accurate lastlogon value for an account.

Updates to an account such as pwd changes, etc went to the DC. 

Not that it really matters since NT 4.0 is no longer relevant.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last 
login report.

Post NT4, most updates take place on any DC, and lastlogon is one such update. 
Because it is possible that a user can be authenticated by different DC at 
different time, AND because lastlogon is NOT replicated between DCs, you will 
get different lastlogon report, depending on which DC you are querying for it. 
The reason you are getting a consistent report today is likely because you are 
querying the DC that logged you in today. If you query ANOTHER DC now, you will 
get a different result IF that DC had not authenticated you today.

Lastlogontimestamp was introduced in 2K3 to address this lack of correlation in 
a multi-DC environment. Lastlogontimestamp is eventually replicated and 
adjusted, so you will get more consistent result if you query multiple DCs for 
lastlogontimestamp. Before lastlogontimestamp, you will have to query ALL your 
DCs for lastlogon, then you will have to compare the results they give you and 
find the most current in order to get a semblance of accurate last logon.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-



Hi Al,

Thank you for taking the time to reply, and I very much appreciate your effort 
on researching this. You know that I recall using USRSTAT on an NT4 Domain and 
it would show the Domain Controller that actually authenticated the user 
account; however, it does not seem to display this output in an Active Directory 
Forest. Go figure...

BTW: My last logon is the correct time and I have logged in several times today.

Have a happy Memorial Day weekend!

Peace!

Jose :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL

RE: [ActiveDir] lastlogontimestamp-

2005-05-30 Thread Al Mulnick
Right.  There was a hotfix that *should* have made it into SP1.  Just
not near it to confirm at the moment. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, May 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

In 2003 RTM lastLogonTimeStamp gets updated during Kerberos
authentications and interactive NTLM authentications.  Remote NTLM auths
do not cause it to be updated.  There was talk to get this changed in
SP1.

 -Original Message-
 To make matters worse, there is a fix out there somewhere that causes 
 ntlm auth to actually update this field (or am I just dreaming it? :)



RE: [ActiveDir] lastlogontimestamp-

2005-05-30 Thread joe
Hey I was simply agreeing with Diane, she is the one that knew it was wrong.
:o)
   
   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, May 29, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

note to Deji
You just made joe's head bigger...
/note to Deji

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

I'll yield on this and stand corrected. Although I did not exactly remember
reading about (or observing) this behavior, current materials I just
consulted say that Joe and Diane are correct - as always.
 
note to self
Got to read more.
/note to self
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/27/2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 



Yes, I agree with you, it is incorrect.

BDCs weren't entirely read-only; non-replicating attributes such as last
logon, bad password count, etc. were written locally, and yes, you had to query
all DCs to get an accurate accounting of what happened.

If this were the architecture of NT4, the PDC would have burned to the
ground in any decent sized enterprise.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, May 27, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

> In NT4, all updates go up to the PDC. This is why you will get a true last
> login report

Not that my small wattage can hold a candle to the brain power for the
others on the list but isn't this incorrect?  IIRC, under NT 4.0 the last
logon went to the authenticating DC.  That is why you had to query all the
DCs in a domain to get an accurate lastlogon value for an account.

Updates to an account such as pwd changes, etc went to the DC. 

Not that it really matters since NT 4.0 is no longer relevant.

Diane


RE: [ActiveDir] lastlogontimestamp

2005-05-27 Thread Gould, Andrew D.
I have seen the same discrepancy. There is a newer dll (acctinfo2.dll) available
now. I don't know if it rectifies this particular issue, but it does allow the
Additional Account Info tab to appear in a user's properties that was returned
as a result of a query.

Andrew Gould

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Robin
Sent: Friday, May 27, 2005 2:31 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] lastlogontimestamp

Hi. Our domain is at the Windows 2003 server functional level. I have
registered acctinfo.dll from the 2003 resource kit and have the Additional
Account Info tab in ADUC. I am finding a big discrepancy between the
lastlogontimestamp date on the Additional Account Info tab and the actual
lastlogontimestamp date. For example, John Doe shows a lastlogontimestamp of
11/23/04 in ADUC. However, if I execute the following script:

' Bind to the user and read lastLogonTimestamp. ADSI returns it as an
' IADsLargeInteger: a 64-bit count of 100-nanosecond intervals since
' 1/1/1601 UTC, exposed as a signed HighPart and a signed LowPart.
Set objUser = GetObject("LDAP://cn=John Doe, ou=MOET (g14), ou=Field Users, ou=LWD Accounts, dc=njdol, dc=ad, dc=dol")
Set objLastLogon = objUser.Get("lastLogonTimestamp")

' Reassemble the 64-bit value from its two halves.
intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
' 100-ns intervals -> minutes (60 s x 10,000,000 intervals per second) -> days
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440

' Add the day count to the 1601 epoch to get a readable date.
Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#

(code was taken from here: http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx)

I get a much more current date (5-25-05). This is happening with more than one
user. Any explanation for why this happens? I've done a lot of reading this
week and I understand that the lastlogontimestamp field could be off by 7-10
days but this is several months.

Thanks,
Robin
NJDOL


This e-mail and any files transmitted with it, are confidential to National Grid and are intended solely for the use of the individual or entity to whom they are addressed.  If you have received this e-mail in error, please reply to this message and let the sender know.




RE: [ActiveDir] lastlogontimestamp

2005-05-27 Thread freddy_hartono
Hi Andrew

Where can I get the acctinfo2.dll? Would be nice to have :)

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]


RE: [ActiveDir] lastlogontimestamp

2005-05-27 Thread Free, Bob
> Where can I get the acctinfo2.dll?

On someone here's suggestion, I just asked our TAM for it and an
engineer sent it to me.

Excerpt from instructions-

One of the most common problems reported with the original version of
ACCTINFO.DLL, was the fact that it didn't appear as an option when users
were returned as the result of a query. 

The reason for this is that version 1 was a property page extension, and
it was only available when you navigated to a user and selected them.

The new version, version 2, is a Display Specifier. This requires a DLL
be registered (like a normal COM component) and the Display specifier
for the locale you are in to be updated in the configuration container. 

The LDAP path to this object is:
CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=ocean,DC=com

To allow ACCTINFOV2.DLL to load when a user is returned from a search,
either the LDAP path above needs to be updated (recommended) or if
updating the forest-wide configuration container is not possible, you
may be able to hijack another control. (to get it to run on an
individual machine)





RE: [ActiveDir] lastlogontimestamp

2005-05-27 Thread joe



Split the difference, grab adfind from www.joeware.net in the free windows tools
section and see what it decodes the values to. I can't speak to acctinfo dll as
I never used it. Vbscript decoding of int8 values is often troublesome, it is
possible the code below isn't doing a very accurate decode, I haven't checked
it. I can guarantee adfind is doing it well with the possible debate around
DST issues and what really should be displayed (should it be a value that was
accurate at the time or a value accurate after a DST switch).

The most accurately returned values I have seen for vbscript have been out of
code Richard Mueller has put together.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Robin
Sent: Friday, May 27, 2005 2:31 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] lastlogontimestamp

Hi. Our domain is at the Windows 2003 server functional level. I have
registered acctinfo.dll from the 2003 resource kit and have the Additional
Account Info tab in ADUC. I am finding a big discrepancy between the
lastlogontimestamp date on the Additional Account Info tab and the actual
lastlogontimestamp date. For example, John Doe shows a lastlogontimestamp of
11/23/04 in ADUC. However, if I execute the following script:

' Bind to the user and read lastLogonTimestamp (an IADsLargeInteger:
' 100-nanosecond intervals since 1/1/1601 UTC, split into a signed
' HighPart and a signed LowPart).
Set objUser = GetObject("LDAP://cn=John Doe, ou=MOET (g14), ou=Field Users, ou=LWD Accounts, dc=njdol, dc=ad, dc=dol")
Set objLastLogon = objUser.Get("lastLogonTimestamp")

' Reassemble the 64-bit value, then convert 100-ns intervals to days.
intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440

Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#

(code was taken from here: http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx)

I get a much more current date (5-25-05). This is happening with more than one
user. Any explanation for why this happens? I've done a lot of reading this
week and I understand that the lastlogontimestamp field could be off by 7-10
days but this is several months.

Thanks,
Robin
NJDOL



RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Medeiros, Jose
Hi Joe, 

Quick question, I have always just used the NET USER /DOM (username ) at a 
command prompt which gives me the following output:

C:\Documents and Settings\jmedeiros>net user /dom jmedeiros
The request will be processed at a domain controller for domain
Stargate.sg1.net.

User name                    jmedeiros
Full Name                    Medeiros, Jose
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/16/2005 6:52 PM
Password expires             6/14/2005 6:52 PM
Password changeable          3/16/2005 6:52 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 CISCO123.bat
User profile
Home directory
Last logon                   5/27/2005 12:57 PM

Logon hours allowed          All

---
However, if I wanted to use this complex VBscript to do the same thing that a
simple dos command can do, how would I add a wildcard to this vbscript that
shows all the user logons and have it dump the output in a text file?

Regards, 

Jose Medeiros

-

, but if I wanted to use this vbscript to give 


RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Kern, Tom
I thought that net user /dom queries lastlogon, which is not rep'ed, not 
lastlogontimestamp?
Also, lastlogontimestamp is only updated if it changed a week or more ago, so
it could always be a week off..



RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Al Mulnick
Part of the problem I see with your output below is that it doesn't show
which domain controller you last logged on to.  While that's not a
problem if you have only one DC in your forest, it can be if you have
more than that.  LastLogon is not replicated.  LastLogonTimeStamp is and
as such you have to query each possible DC to find out the last logon.
To make matters worse, there is a fix out there somewhere that causes
ntlm auth to actually update this field (or am I just dreaming it? :)

In the end, you'll want more than just the lastlogon to figure out what
a user is doing.  You may be able to show something close, in which case
lastlogontimestamp will show you plenty.  I would likely forgo the int8
conversions and opt instead for the IADSUser if you don't need that
accuracy.  For that matter, I'd likely forgo vbscript if I needed
pinpoint accuracy because vbscript won't be as accurate with numbers as
something like c# or perl or jscript or...

To figure out what users are doing, you'll want to look at the
pwdLastSet attribute as well and possibly some other information to get
a real feel for the usage patterns before automating some action. 

If I ever get the time, I still have some code lying around that does
that kind of logic and spits out the accounts that way. 

 


RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Medeiros, Jose
Hi Al, 

Thank you for taking the time to reply, and I very much appreciate your effort
on researching this. You know that I recall using USRSTAT on a NT4 Domain and
it would show the Domain Controller that actually authenticated the user
account, however it does not seem to display this output in an Active Directory
Forest. Go figure..

BTW: My last logon is the correct time and I have logged in several times today.

Have a happy Memorial day weekend!

Peace!

Jose :-)



RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread deji
In NT4, all updates go up to the PDC. This is why you will get a true last
login report.
 
Post NT4, most updates take place on any DC, and lastlogon is one such
update. Because it is possible that a user can be authenticated by different
DC at different time, AND because lastlogon is NOT replicated between DCs,
you will get different lastlogon report, depending on which DC you are
querying for it. The reason you are getting a consistent report today is
likely because you are querying the DC that logged you in today. If you query
ANOTHER DC now, you will get a different result IF that DC had not
authenticated you today.
 
Lastlogontimestamp was introduced in 2K3 to address this lack of correlation
in a multi-DC environment. Lastlogontimestamp is eventually replicated and
adjusted, so you will get more consistent result if you query multiple DCs
for lastlogontimestamp. Before lastlogontimestamp, you will have to query ALL
your DCs for lastlogon, then you will have to compare the results they give
you and find the most current in order to get a semblance of accurate last
logon.
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 



Hi Al,

Thank you for taking the time to reply, and I very much appreciate your
effort on researching this. You know that I recall using USRSTAT on a NT4
Domain and it would show the Domain Controller that actually authenticated
the user account, however it does not seem to display this output in an
Active Directory Forest. Go figure..

BTW: My last logon is the correct time and I have logged in several times
today.

Have a happy Memorial day weekend!

Peace!

Jose :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Friday, May 27, 2005 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-


Part of the problem I see with your output below is that it doesn't show
which domain controller you last logged on to.  While that's not a
problem if you have only one DC in your forest, it can be if you have
more than that.  LastLogon is not replicated.  LastLogonTimeStamp is and
as such you have to query each possible DC to find out the last logon.
To make matters worse, there is a fix out there somewhere that causes
ntlm auth to actually update this field (or am I just dreaming it? :)

In the end, you'll want more than just the lastlogon to figure out what
a user is doing.  You may be able to show something close, in which case
lastlogontimestamp will show you plenty.  I would likely forgo the int8
conversions and opt instead for the IADSUser if you don't need that
accuracy.  For that matter, I'd likely forgo vbscript if I needed
pinpoint accuracy because vbscript won't be as accurate with numbers as
something like c# or perl or jscript or...

To figure out what users are doing, you'll want to look at the
pwdLastSet attribute as well and possibly some other information to get
a real feel for the usage patterns before automating some action.

If I ever get the time, I still have some code lying around that does
that kind of logic and spits out the accounts that way.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, May 27, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hi Joe,

Quick question, I have always just used the NET USER /DOM (username ) at
a command prompt which gives me the following output:

C:\Documents and Settings\jmedeiros>net user /dom jmedeiros
The request will be processed at a domain controller for domain Stargate.sg1.net.

User name                    jmedeiros
Full Name                    Medeiros, Jose
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/16/2005 6:52 PM
Password expires             6/14/2005 6:52 PM
Password changeable          3/16/2005 6:52 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 CISCO123.bat
User profile
Home directory
Last logon                   5/27/2005 12:57 PM

Logon hours allowed          All

---
However, if I wanted to use this complex VBScript to do the same thing
that a simple DOS command can do, how would I add a wildcard to this
VBScript that shows all the user logons and have it dump the output in
a text file?

Regards,

Jose Medeiros
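Added example, not code from any of the posts above: Python that decodes the Int64 values joe refers to and applies deji's rule of querying every DC for lastLogon and keeping the newest value. The DC names, the per-DC lastLogon values and the lastLogonTimestamp value are constructed sample data, not output from a real domain; a real run would fetch the same attributes from each DC over LDAP and feed them to the same functions. The decode stays in UTC, which sidesteps the DST question joe raises. The stale-account check allows for the fact that lastLogonTimestamp is rewritten only when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days), so the replicated value can trail the real last logon by up to two weeks.

```python
"""
Decode Active Directory Int64 timestamps (lastLogon, lastLogonTimestamp,
pwdLastSet) and reconcile the non-replicated lastLogon across several DCs.

Added example, not code from the list posts.  All DC names and attribute
values below are constructed sample data, not a real directory.
"""
from datetime import datetime, timedelta, timezone

# These attributes are FILETIMEs: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 0 means "never"; 0x7FFFFFFFFFFFFFFF is the "never" sentinel seen on
# accountExpires and is treated the same way here.
NEVER_VALUES = (0, 0x7FFFFFFFFFFFFFFF)
# Default msDS-LogonTimeSyncInterval.  lastLogonTimestamp is rewritten only
# when the stored value is older than this minus a random 0-5 days, so the
# attribute can trail the real last logon by up to this long.
LOGON_TIMESTAMP_MAX_LAG = timedelta(days=14)


def filetime_to_datetime(value):
    """Decode a raw Int64 value to an aware UTC datetime; None for 'never'."""
    value = int(value)          # ADSI/LDAP often hand the value back as a string
    if value in NEVER_VALUES:
        return None
    if value < 0 or value > 0x7FFFFFFFFFFFFFFF:
        raise ValueError("not a FILETIME: %d" % value)
    # Integer division keeps the arithmetic exact: no floating-point drift.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build the sample data."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def true_last_logon(last_logon_per_dc):
    """lastLogon is never replicated, so each DC holds only the logons it
    handled itself.  Take the newest value over every DC in the domain.
    Returns (datetime or None, name of the DC holding it or None)."""
    newest = None
    for dc, raw in last_logon_per_dc.items():
        when = filetime_to_datetime(raw)
        if when is not None and (newest is None or when > newest[0]):
            newest = (when, dc)
    return newest if newest else (None, None)


def days_idle(raw, now):
    """Whole days between a raw timestamp and `now`; None if never set."""
    when = filetime_to_datetime(raw)
    return None if when is None else (now - when).days


def stale_threshold_ok(threshold_days):
    """A stale-account report keyed on lastLogonTimestamp is only meaningful
    when its threshold exceeds the attribute's own update lag."""
    return timedelta(days=threshold_days) > LOGON_TIMESTAMP_MAX_LAG


# --- constructed sample data (not from a real forest) -----------------------
SAMPLE_NOW = datetime(2005, 5, 27, 21, 0, tzinfo=timezone.utc)
# What each DC would answer for lastLogon on one account: DC1 handled today's
# logon, DC2 one a week earlier, DC3 never authenticated the account.
SAMPLE_LAST_LOGON_PER_DC = {
    "DC1": datetime_to_filetime(datetime(2005, 5, 27, 19, 57, tzinfo=timezone.utc)),
    "DC2": datetime_to_filetime(datetime(2005, 5, 20, 8, 3, tzinfo=timezone.utc)),
    "DC3": 0,
}
# The replicated lastLogonTimestamp as every DC reports it: not yet rewritten
# by today's logon because the stored value was still inside the sync interval.
SAMPLE_LAST_LOGON_TIMESTAMP = datetime_to_filetime(
    datetime(2005, 5, 18, 7, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    when, dc = true_last_logon(SAMPLE_LAST_LOGON_PER_DC)
    print("true last logon:", when.isoformat(), "(held by %s)" % dc)
    print("lastLogonTimestamp says idle for",
          days_idle(SAMPLE_LAST_LOGON_TIMESTAMP, SAMPLE_NOW), "days; real idle time",
          days_idle(SAMPLE_LAST_LOGON_PER_DC[dc], SAMPLE_NOW), "days")
    for threshold in (7, 30, 90):
        print("%3d-day stale report usable: %s" % (threshold, stale_threshold_ok(threshold)))
```

Running it shows the replicated attribute reporting nine idle days for an account that logged on an hour ago, which is why a "disable after N days" job built on lastLogonTimestamp needs N well above the sync interval, and why a forensic "when did this account last authenticate" question still means asking every DC for lastLogon.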

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread David Adner
In 2003 RTM lastLogonTimeStamp gets updated during Kerberos authentications
and interactive NTLM authentications.  Remote NTLM auths do not cause it to
be updated.  There was talk to get this changed in SP1.

 -Original Message-
 To make matters worse, there is a fix out there somewhere 
 that causes ntlm auth to actually update this field (or am I 
 just dreaming it? :)

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Medeiros, Jose
That explains the change. Thank you for sharing this.

Jose :-)

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Ayers, Diane
 In NT4, all updates go up to the PDC. This is why you will get a true last
login report

Not that my small wattage can hold a candle to the brain power for the
others on the list but isn't this incorrect?  IIRC, under NT 4.0 the last
logon went to the authenticating DC.  That is why you had to query all the
DCs in a domain to get an accurate lastlogon value for an account.

Updates to an account such as pwd changes, etc went to the DC.  

Not that it really matters since NT 4.0 is no longer relevant.

Diane


RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread joe
Yes, I agree with you, it is incorrect.

BDCs weren't entirely read only; non-replicating attributes such as last
logon, bad password count, etc. were written locally and yes, you had to query
all DCs to get an accurate accounting of what happened. 

If this were the architecture of NT4, the PDC would have burned to the
ground in any decent sized enterprise. 




RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread deji
I'll yield on this and stand corrected. Although I did not exactly remember
reading about (or observing) this behavior, current materials I just
consulted say that Joe and Diane are correct - as always.
 
note to self
Got to read more.
/note to self
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


