Adaxes

Inactive User Deaktivator

0 votes

Hi Forum,

i have a question about the Scheduled Task "Inactive User Deaktivator". We've set up this task to disable Users inactive for more than 4 Weeks. This task runs once a Week. Sometimes it happens that users are deaktivated before that 4 Weeks (e.g. User was on vaction from July 30th - August 23th and was deaktivated). Can you tell me why this happen?

Thanks a lot.

by (650 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

To determine for how long a user account has been inactive, Adaxes uses the following attributes:

  • Last-Logon-Timestamp
  • Password Last Set

The issue can be caused by the fact that the Last-Logon-Timestamp attribute is not updated each time a user logs in to your AD domain. As stated by Microsoft in this article:

Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus random percentage of 5 days.

Thus, for example, if the Last-Logon-Timestamp attribute was last updated, say, 2 weeks before a user went on a vacation, then the account was inactive during the time of the vacation, this already makes more than 4 weeks of inactivity.

To avoid such situations, you can, for example, extend the period in the Scheduled Task to something more than 4 weeks or modify the msDS-LogonTimeSyncInterval attribute of your AD domain in order for the Last-Logon-Timestamp attribute to be updated more often.

0

Hi Adaxes Support,

Thanks for your answer. But for me this is still not clear. I've also read this information about the LastLogonTimestamp attribute. For me this means, that this attribute is updated between 9 - 19 Days (14 +/- 5 Days). The user was away for 25 Days so the Last-Logon-Timestamp must be updated within this period (from the DC) - hopefully you understand what i mean. If i select 4 Weeks in the inactive Period - are this 28 to 31 Days?

Maybe it has something to do with the password? The Userpassword expired while he was out of the office (90 Days).

Thanks for your help.

by (650 points)
0

Hello again,

4 weeks means 28 days. The password expiration has nothing to do with this. In order to determine account inactivity period, Adaxes checks only the date when a user's password was changed last time.

As for the Last-Logon-Timestamp attribute, in our mind, the situation was something like as follows. Proceeding from your example, the last time when a user logged in was July 29th. At that time, the value of the Last-Logon-Timestamp attribute was something like July 21st, for example. Since the attribute is updated each 9-14 days, on July 29th it wasn't updated, since only 8 days had passed since the previous update. Then, the user didn't log in between July 30th to August 23rd, and the attribute wasn't updated either.

Thus, in the above example, the attribute wasn't updated from July 22nd to August 23rd, which is over a month, though the user was actually absent only from July 30th to August 23rd. Does the picture get clearer now? :)

by (216k points)
0

Hi Support,

thanks a lot for this answer. I thought, that the DC will update the Last-Logon-Timestamp itself after that period of time (not triggered to a User logon/logoff). So this means that the Last-Logon-Timestamp Attribute is updated every 9-14 Days only if there's a User Logon/Logoff.

This makes it clear now.

Thanks a lot for your help.

by (650 points)

Related questions

0 votes
1 answer
What is the criteria for an inactive User account?

I know it is based on an attribute held in adaxes. What info does adaxes look at to determine the date? Just want to understand how the cake is baked.

asked Dec 26, 2022 by mightycabal (1.0k points)
0 votes
1 answer
Inactive users allowed to log in - No Sign-in information for Azure AD user

Hello, The report named Inactive users allowed to log in shows the Active Directory sign-in (Last-Logon-Timestamp) and Azure AD sign-in (Last Logon) but only for Active Directory ... updated by an Azure logic App. But we'd love to have this natively in Adaxes.

asked Dec 13, 2022 by Gavin.Raymen (40 points)
0 votes
1 answer
[Help] Inactive User Report not working

Tried using the following script below found in another thread here but get an error message from Adaxes saying that the cmdlet is not valid -- Import-Module Adaxes $email = " ... or if a path was included, verify that the path is correct and try again.

asked Nov 27, 2017 by adriank (100 points)
0 votes
0 answers
Inactive user task not working as expected

We have an inactive user task which runs daily that disables accounts after 30 days of inactivity. We had an example yesterday of a user account which had been disabled ... Are you able to provide any explanation of how this could have happened? Regards Andy

asked Sep 12, 2017 by Andy_W (40 points)
0 votes
1 answer
Definition of an Inactive User

Hello, We're trying to automate disabling inactive users and I have a question about the built in scheduled task discussed here: http://www.adaxes.com/tutorials_Automat ... yUsers. ... 12 weeks from? Creation date of the user account or the user's last logon?

asked Jun 30, 2016 by drew.tittle (810 points)
3,351 questions
3,052 answers
7,793 comments
545,111 users