IT security analysts and IT administrators often need, for internal audit or regulatory compliance reporting, to determine the last time a user logged on with their Active Directory domain user account. For instance, last logon values are required to generate a list of stale domain user accounts.
Active Directory stores the last logon time of a domain user account in an attribute on the user object called lastLogon. The same attribute also exists on computer accounts.
In theory an IT administrator could simply read this value and report it as the user's last logon time. However, lastLogon is not a replicated attribute: Active Directory does not replicate its value among the Domain Controllers (DCs) of the domain. Each DC records only the logons it authenticated itself, so the value for the same user account generally differs from one DC to the next, and any single DC may show no logon at all.
Thus, in practice, to determine a domain user account's true last logon time, IT administrators need to query each DC in the domain for its local lastLogon value on the user's account, compare these values to find the latest one, and report that as the user's true last logon time.
The actual last logon value found this way is commonly referred to as the True Last Logon.

Syntactically, the value is stored as an 8-byte integer (the Integer8, or LargeInteger, syntax; a 64-bit number) that represents the number of 100-nanosecond intervals since 12:00 AM on January 1, 1601, in Coordinated Universal Time (UTC). This is the same encoding as the Windows FILETIME structure. A value of 0 means that the DC has never authenticated a logon for that account.
Thus there are two steps to determining the true last logon time of a domain user account. The first step is obtaining the value from every DC in the domain, and the second is comparing these values as 64-bit integers (not as strings, and ignoring zeros) to arrive at the true last logon value for the user, which is then converted to a date and time.
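The two steps above, as an added PowerShell example that is not part of the original article and not code from any product it mentions. It uses the Get-ADDomainController and Get-ADUser cmdlets from the ActiveDirectory module for the live query; the function names, the hypothetical DC names and the sample lastLogon values are this example's own constructed inputs (the two non-zero values decode to 2024-01-15 08:00:00 UTC and 2023-11-02 17:30:00 UTC).

```powershell
# Convert an Integer8 / FILETIME value (100-ns ticks since 1601-01-01 UTC)
# to a UTC DateTime. 0 (or an absent attribute) means "never logged on
# via this DC", so it is returned as $null rather than as the year 1601.
function ConvertFrom-LastLogonInteger8 {
    param([Int64]$Value)
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

# Step 2: given one lastLogon value per DC, pick the latest. The raw
# Int64 values can be compared directly; the conversion to DateTime is
# only needed for the report. Zeros are skipped, and if every DC reports
# 0 the account has never logged on anywhere.
function Get-TrueLastLogon {
    param([hashtable]$LastLogonByDC)   # @{ 'DC01' = 133497792000000000; ... }
    $latestValue = [Int64]0
    $reportingDC = $null
    foreach ($dc in $LastLogonByDC.Keys) {
        $v = [Int64]$LastLogonByDC[$dc]
        if ($v -gt $latestValue) {
            $latestValue = $v
            $reportingDC = $dc
        }
    }
    return [pscustomobject]@{
        TrueLastLogon = ConvertFrom-LastLogonInteger8 $latestValue  # $null if never
        ReportingDC   = $reportingDC
        RawInteger8   = $latestValue
    }
}

# Step 1: collect lastLogon for one account from every DC in the domain,
# then hand the values to step 2. A DC that cannot be reached leaves a gap,
# so in that case the result is only a lower bound and is flagged as such.
function Get-TrueLastLogonFromDomain {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory
    $values = @{}
    $unreachable = @()
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            $values[$dc.HostName] = [Int64]$u.lastLogon   # $null -> 0
        } catch {
            $unreachable += $dc.HostName
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
    $result = Get-TrueLastLogon $values
    $result | Add-Member -NotePropertyName UnreachableDCs -NotePropertyValue $unreachable -PassThru
}

# Offline demonstration with constructed values (hypothetical DC names):
$sample = @{
    'DC01.corp.example' = 133497792000000000   # 2024-01-15 08:00:00 UTC
    'DC02.corp.example' = 133435062000000000   # 2023-11-02 17:30:00 UTC
    'DC03.corp.example' = 0                    # never authenticated this user
}
Get-TrueLastLogon $sample | Format-List
# TrueLastLogon : 15/01/2024 08:00:00  (DC01.corp.example)

# Live use, e.g. for a stale-account report (90 days, UTC):
# $r = Get-TrueLastLogonFromDomain -SamAccountName 'jsmith'
# if ($null -eq $r.TrueLastLogon -or $r.TrueLastLogon -lt (Get-Date).ToUniversalTime().AddDays(-90)) { 'stale' }
```

Comparing the raw 64-bit integers before converting avoids time-zone mistakes; the only conversion done is FromFileTimeUtc on the winning value. An account whose lastLogon is 0 on every DC is reported with a null TrueLastLogon rather than 1601, and an unreachable DC is reported explicitly, because a report that silently omits a DC can mark an active account as stale.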
IT administrators and IT security analysts can either write their own scripts to determine the True Last Logon value for user accounts, or use third-party scripts (which are often untested or unreliable). Alternatively, they can use paid or free third-party tools to generate Last Logon reports.
There is a Microsoft-endorsed Active Directory reporting tool, called Gold Finger, from Paramount Defenses that can be used to generate True Last Logon reports for user and computer accounts at the touch of a button.
The following is a demo of the Microsoft-endorsed Gold Finger reporting solution for Active Directory, which can be used to instantly generate accurate True Last Logon reports in Active Directory environments:
––––
NOTE: In domains at the Windows Server 2003 domain functional level or higher, there is a newer attribute called lastLogonTimestamp that is replicated and can therefore be read from any DC. The downside is that it is only updated during a logon if the stored value is more than 14 days old (by default), so it can lag the actual last logon by up to 14 days. It is thus good enough for finding accounts unused for months, but it is neither 100% accurate nor reliable as the actual last logon time. This 14-day interval (the msDS-LogonTimeSyncInterval attribute on the domain) can be configured to a lower value, but that is outside the scope of this article.