Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Question about Active Directory and last time user has logged on

From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 29 Aug 2007 08:59:38 -0400
Using either method, make sure you poll the time from the last domain
controller the person logged into (normally this is fairly consistent,
but it can be different); or make sure you are using Windows Server 2003
domain/forest functional level. Without Windows Server 2003
domain/forest functional level, the LastLogon (or LastLogonTimestamp
depending on the tool you are using) doesn't propagate around an Active
Directory network to all domain controllers, so you have to go to the
last domain controller logged on to.

There are several tools that can help, including:

Acctinfo.dll (download from Microsoft.com/download) (very cool AD Users
and Computers add-in to have anyway)

Sysinternals' ADExplorer
http://www.microsoft.com/technet/sysinternals/utilities/adexplorer.mspx
(go to the user's account and find the lastlogon and lastlogontimestamp
values)

NTLast by Foundstone can help,
http://www.foundstone.com/us/resources-free-tools.asp (uses Event Log
records, and all domain logons should be recorded at the domain
controller where the user logged on to)

There are many other tools that can help you extract the
lastlogontimestamp but they are escaping my brain at the moment.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*******************************************************************



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ali, Saqib
Sent: Tuesday, August 28, 2007 6:56 PM
To: Mary Hendrix
Cc: security-basics () securityfocus com
Subject: Re: Question about Active Directory and last time user has
logged on

On 8/28/07, Mary Hendrix <maryhendrix () gmail com> wrote:

Is there a way to find out the last time a user has logged into a

domain?

If you have AD, then the following LDAP attribute holds the last logon
time:

{lastLogon}

You can extract that using a simple vbscript.

Note: The returned value will be the NT System time. To convert to
regular time use the following:
w32tm /ntte {returned int}

saqib
http://security-basics.blogspot.com/
Previous By Date Next
Previous By Thread Next

Current thread: