LastLogon attribute

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Running AD 2000 with all 2000 DCs. I have 10+ DCs and 2 domains across
multiple sites. Have looked at DNS, WINS, Replication, etc. all looks good.

First, a question. When I pull a list of when a user last logged in,
shouldn't I get an answer from all DCs? I know that attribute is not
replicated, but all of the tools/scripts I have used check every DC. I have
looked at many users and I don't get back last logon information from all the
DCs. Sometimes I get several, sometimes just a few (I can't seem to find a
pattern to this). Any information you can give me would be appreciative.

Second, I am seeing a situation where I have a user account that when I look
through ADSI edit at the last logon value it says <not set>, yet when I look
at the user in ADUC I see a date/time stamp (I have the acctinfo.dll in place
so I have the "Additional Account Info" tab in ADUC). Yes, I have verified
that I am looking at the same DC. I am seeing similar type issues with what
seems like random users on a couple of other DCs also. It is happening in
both domains. Any thoughts? I am just looking for a direction to go with
this.

Thanks
 
MGD said:
Running AD 2000 with all 2000 DCs. I have 10+ DCs and 2 domains across
multiple sites. Have looked at DNS, WINS, Replication, etc. all looks
good.

First, a question. When I pull a list of when a user last logged in,
shouldn't I get an answer from all DCs? I know that attribute is not
replicated, but all of the tools/scripts I have used check every DC. I
have
looked at many users and I don't get back last logon information from all
the
DCs. Sometimes I get several, sometimes just a few (I can't seem to find
a
pattern to this). Any information you can give me would be appreciative.

Second, I am seeing a situation where I have a user account that when I
look
through ADSI edit at the last logon value it says <not set>, yet when I
look
at the user in ADUC I see a date/time stamp (I have the acctinfo.dll in
place
so I have the "Additional Account Info" tab in ADUC). Yes, I have
verified
that I am looking at the same DC. I am seeing similar type issues with
what
seems like random users on a couple of other DCs also. It is happening in
both domains. Any thoughts? I am just looking for a direction to go with
this.
Click to expand...

Because lastLogon is not replicated, a different value will be stored for
each user on each DC. If a user never authenticated to a DC, the lastLogon
attribute for that user on that DC will not have a value set.

I don't know what tools/scripts you are using. I have a sample VBScript
program to retrieve the LastLogon date for all users linked here:

http://www.rlmueller.net/Last Logon.htm

The program first gets a list of all DC's in the domain. Then the script
searches each DC for all users and retrieves the lastLogon attribute values
on that DC. A dictionary object is used to retain the largest (lastest)
value for each user. After all DC's have been queried, we have the true
LastLogon for each user. The lastLogon attribute is Integer8 (a 64-bit
number), so special methods are required to convert the value to date/time
in the local time zone.
 
Richard,

Thanks for the information (fact is I am using your script as one of my
"tools/scripts").

So are you saying that if a user has never logged into a DC (the attribute
shows in ADSI edit on a DC as "<not set >") that DC will not show up in a
list of DCs for that user?

If that is true then the other problem I have just became a big issue.
Using ADSI edit to look at DC1, it shows a value of "not set". Using the
acctinfo.dll and ADUC pointing to DC1 shows a date/time stamp (as far as I
can tell it shows an accurate date/time stamp for when the user last logged
on). The perticular user that I am looking at would and should (and as far
as I can tell does) log into DC1 (that is the one set for his site). Got any
ideas on this?

Thanks
 
Yes, if the user has never authenticated to a DC, the value of lastLogon for
that user on that DC will be <not set>. Generally, the first DC to respond
to authentication request is used at logon. I believe the value of the
LOGONSERVER environment variable is the DC that was used to authenticate.
acctinfo.dll is supposed to display values only from one DC, so it should
not disagree with ADSI Edit (assuming they are both looking at the same DC).
If your domain is at Windows 2003 functional level, the lastLogonTimeStamp
attribute might be used. This attribute is only updated during logon if the
previous value is more than 14 days in the past, but once updated it is
replicated.

I can't explain what you are seeing. It might help to use Joe Richards'
ADFind tool. You can retrieve attribute values easily for any object (or
collection of objects from a query) and specify which DC to use.

http://www.joeware.net/win/free/tools/adfind.htm

For example, to retrieve lastLogon for user TestUser on DC MyServer (default
port 389) in domain MyDomain.com:

adfind -h MyServer:389 -f "sAMAccountName=TestUser" -b dc=MyDomain,dc=com
lastLogon

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

MGD said:
Richard,

Thanks for the information (fact is I am using your script as one of my
"tools/scripts").

So are you saying that if a user has never logged into a DC (the attribute
shows in ADSI edit on a DC as "<not set >") that DC will not show up in a
list of DCs for that user?

If that is true then the other problem I have just became a big issue.
Using ADSI edit to look at DC1, it shows a value of "not set". Using the
acctinfo.dll and ADUC pointing to DC1 shows a date/time stamp (as far as I
can tell it shows an accurate date/time stamp for when the user last
logged
on). The perticular user that I am looking at would and should (and as
far
as I can tell does) log into DC1 (that is the one set for his site). Got
any
ideas on this?

Thanks
Click to expand...
 
Back
Top