0 votes

Hello!

I am on version 2013.1 FYI.

When I view a specific OU and view columns such as 'Last logon' and 'last logon timestamp' the dates/times are inconsistent. What's the reason for that?

Ultimately, I wanted to compare the 'last logon' to 'whenCreated' to do a bit of a cleanup in AD.

Thanks

Melinda

by (1.7k points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello Melinda,

The thing is that there are 2 attributes in AD to identify when an account logged last time: Last Logon (LDAP name lastLogon) and Last-Logon-Timestamp (LDAP name lastLogonTimestamp). The Last Logon attribute was introduced in Windows 2000 Server, and Last-Logon-Timestamp was introduced a bit later, in Windows Server 2003. There are 2 differences between the attributes:

  1. Last Logon is not replicated, while Last-Logon-Timestamp is. This means that if you have multiple Domain Controllers (DCs) in your environment, on each DC the value of the Last Logon attribute will be different for the same account. On each DC, the value of the attribute will indicate the last time date/time when an account logged on to that particular DC.
  2. Last Logon is updated each time a user logs on, while Last-Logon-Timestamp is not. Active Directory uses a special algorithm to determine whether to update the value of the Last-Logon-Timestamp attribute or not.

For more information, have a look at the following articles on MSDN:

Also, if you want to perform some sort of cleanup in your AD, we suggest using the built-in Inactive User Deleter and Inactive Computer Deleter Scheduled Tasks. The tasks allow you to delete inactive users/computers from Active Directory on a certain periodic basis. For information on how to configure the deletion of inactive accounts, see the following tutorial: http://www.adaxes.com/tutorials_Automat ... ectory.htm.

Both the tasks use the If is inactive <period> condition. The condition allows you to check whether a user or computer account is inactive for a certain period of time.

To determine for how long an account is inactive, Adaxes compares the value of the When Created attribute to the values of the following attributes:

  • Last-Logon-Timestamp
  • Password Last Set

Also, Adaxes tries to ping the computers that appear to be inactive for a long time based on the attributes.

0

got it.

0

hello -

i'd like to have a report of inactive account for x amt of days.
we don't want to do anything with the accounts yet, just want to get some information.
can you provide a powershell script that will report the results from a sch task that determines the accounts inactivity for 90days?

thanks

0

Hello,

Actually, there is such a script in our SDK. Have a look at Example 4: Generating and emailing an AD report under Script Examples in the following SDK article: http://www.adaxes.com/sdk/?ServerSideSc ... ptExamples.

0

thanks. just so I'm clear, and because its for a specific OU, I would change the baseDN to include the OU that it runs against?

0

Hello,

Yes.

Related questions

0 votes
1 answer

Hi, would it be possible to achieve the following idea: Creating and updating rule based groups, based on user attributes like company? For each company value in AD, ... get all unique company values, then create a group with this company value as filter.

asked Mar 7 by wintec01 (1.1k points)
0 votes
1 answer

We are trying to extend our Adaxes management to O365 / Azure only user objects. Currently we use employee type to add traditional active directory accounts to business units and ... so, can this be used to create dynamic mail enabled security groups in O365?

asked May 3, 2022 by adaxes_user2 (40 points)
0 votes
1 answer

Are there any plans to add the ability to select columns to sort results? i.e. when I look in my "Users" OU it would be really handy to be able to sort by job title or department or any other AD attribute. Running 2013.2.

asked Jan 30, 2014 by hutchingsp (240 points)
0 votes
1 answer

Hello, When a user account is created, we would like for that user to be added to a group whose name is based on a certain naming convention. If the group doesn't yet exist ... If that group doesn't exist, it will first create the group and then add the user.

asked Mar 11 by sjjb2024 (40 points)
0 votes
1 answer

We used to run AD Audit and it would provide additional details on what was locking a user's account (workstation name, application, etc...). Is there are way with Adaxes ... on what is locking an account? Or a way to pull historical data on locked accounts?

asked Nov 16, 2020 by pulsifers (20 points)
3,326 questions
3,025 answers
7,724 comments
544,678 users