Security Basics mailing list archives
RE: Question about Active Directory and last time user has logged on
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 29 Aug 2007 08:59:38 -0400
Using either method, make sure you poll the time from the last domain controller the person logged into (normally this is fairly consistent, but it can be different); or make sure you are using Windows Server 2003 domain/forest functional level. Without Windows Server 2003 domain/forest functional level, the LastLogon (or LastLogonTimestamp depending on the tool you are using) doesn't propagate around an Active Directory network to all domain controllers, so you have to go to the last domain controller logged on to. There are several tools that can help, including: Acctinfo.dll (download from Microsoft.com/download) (very cool AD Users and Computers add-in to have anyway) Sysinternals' ADExplorer http://www.microsoft.com/technet/sysinternals/utilities/adexplorer.mspx (go to the user's account and find the lastlogon and lastlogontimestamp values) NTLast by Foundstone can help, http://www.foundstone.com/us/resources-free-tools.asp (uses Event Log records, and all domain logons should be recorded at the domain controller where the user logged on to) There are many other tools that can help you extract the lastlogontimestamp but they are escaping my brain at the moment. Roger ******************************************************************* *Roger A. Grimes, Senior Security Consultant *Microsoft Application Consulting and Engineering (ACE) Services *http://blogs.msdn.com/ace_team/default.aspx *CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada... *email: roger () banneretcs com or rogrim () microsoft com *Author of Windows Vista Security: Security Vista Against Malicious Attacks (Wiley) *http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470 101555 ******************************************************************* -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ali, Saqib Sent: Tuesday, August 28, 2007 6:56 PM To: Mary Hendrix Cc: security-basics () securityfocus com Subject: Re: Question about Active Directory and last time user has logged on On 8/28/07, Mary Hendrix <maryhendrix () gmail com> wrote:
Is there a way to find out the last time a user has logged into a
domain? If you have AD, then the following LDAP attribute holds the last logon time: {lastLogon} You can extract that using a simple vbscript. Note: The returned value will be the NT System time. To convert to regular time use the following: w32tm /ntte {returned int} saqib http://security-basics.blogspot.com/
Current thread:
- Question about Active Directory and last time user has logged on Mary Hendrix (Aug 28)
- RE: Question about Active Directory and last time user has logged on Quiroz, Genaro (GE, Corporate, consultant) (Aug 28)
- Re: Question about Active Directory and last time user has logged on Ali, Saqib (Aug 28)
- RE: Question about Active Directory and last time user has logged on Roger A. Grimes (Aug 29)
- RE: Question about Active Directory and last time user has logged on John Hammond (Aug 29)
- RE: Question about Active Directory and last time user has logged on CPS Tech Support (Aug 29)
- Re: Question about Active Directory and last time user has logged on Nikhil Wagholikar (Aug 30)
- <Possible follow-ups>
- Re: Re: Question about Active Directory and last time user has logged on jacques . itmagic (Aug 29)
- RE: Re: Question about Active Directory and last time user has logged on Roger A. Grimes (Aug 30)
- Re: Question about Active Directory and last time user has logged on jenna (Aug 30)
- RE: Question about Active Directory and last time user has logged on Osvaldo Casagrande (Aug 31)
- Re: Question about Active Directory and last time user has logged on Deno Vichas (Aug 31)
- Re: Re: Question about Active Directory and last time user has logged on djtim (Aug 31)
- Re: Re: Question about Active Directory and last time user has logged on jasonr_22 (Aug 31)
(Thread continues...)