Hi, as I am not that good at writing custom reports, I wanted to ask if it's possible to get a report that can be configured for different time ranges (30, 60, 90, etc. days) for showing inactive accounts. There is already a report, but it just involves the LastLogonTimestamp attribute. There are occasions where this is not updated, but the mailbox is still in use.

Could you give me a hint or a custom report for this?

Thank you very much in advance!

by (40 points)

1 Answer

by (15.9k points)
0 votes

Hello,

When a user signs in to the on-premises Exchange mailbox, the lastLogonTimestamp and lastLogon properties of the corresponding on-premises user are updated. The Inactive users built-in report (located in the Reports/All Reports/Users container by default) considers the following properties when determining whether the user is inactive:

  • whenCreated
  • lastLogonTimestamp
  • lastLogon
  • pwdLastSet

As such, the Inactive users report takes into account sign-ins to the on-premises Exchange mailboxes.

by (40 points)
0

Thanks for the feedback, but this seems not to be true. We have many occasions where there is a LastLogon on the Mailbox, but no LastLogonTimestamp in the near present or not at all. So I come to the conclusion that this will be updated every time, too.

Could you maybe create a report that takes both data in - LastLogonTimestamp and Exchange On Premise Mailbox Last Logon ?

Thank you very much!

by (15.9k points)
0

Hello,

The lastLogon and lastLogonTimestamp properties are both used to write the date/time of the latest logon. However, in Active Directory, the properties are updated and replicated differently. For details, have a look at the following Microsoft forum topic: https://learn.microsoft.com/en-us/answers/questions/698776/last-logon-and-lastlogon-timestamp-difference. As we mentioned, the Inactive users built-in report considers values of both properties when determining whether the user is inactive.

by (40 points)
0

I think you don't understand what I mean. I don't mean the normal "last logon" attribute. I mean the one that gets shown in the Exchange section in the web UI. There is often the point that this is quite new and the LastLogonTimestamp is 3 months ago. We had moments where we deleted users and the mailbox was still used. Can you please check if you could give me a report that is checking the LastLogonTimestamp and also includes the Exchange last logon property that is displayed in the Exchange section? Please check the attached screenshots. These are 2 different values. Sometimes the Exchange Last Logon will be quite new and the LastLogonTimestamp differs by a few months. So I need these 2 values to determine the usage of the account/mailbox.

image.png

image.png

by (15.9k points)
0

Hello,

Thank you for clarifying. The Last logon date/time displayed in the Exchange properties of a user mailbox does not always reflect the date/time when the mailbox owner accessed the mailbox. The value is updated even when mailbox delegates or administrators access the mailbox. Considering that, please specify what users must be displayed in the report. Specifically, should inactive Active Directory users (lastLogon and lastLogonTimeStamp properties are older than the specified number of days) with active mailboxes (Last logon in Exchange properties is not older than the specified number of days) be displayed in the report?

by (40 points)
0

Thanks for the info. Yes you are correct with your last sentence regarding the report. Inactive Active Directory users (lastLogon and lastLogonTimeStamp properties are older than the specified number of days) with active mailboxes (Last logon in Exchange properties is not older than the specified number of days) should be displayed in the report. Thank you very much.

by (15.9k points)
0

Hello,

Thank you for specifying. The approach involves requesting the mailbox Last logon date/time for each user. To get the date/time, the mailbox parameters must be requested. This operation is time-consuming even in on-premises Exchange. Generating the report that requests the mailbox Last logon date/time for each user will take a significant time, making the report useless. As such, we suggest a slightly different approach where the mailbox Last logon date/time is saved to a custom date attribute and then used in the report.

To save the mailbox Last logon date/time, create a scheduled task configured for the User object type. The task will check whether the user has an Exchange mailbox. If the condition is met, the below PowerShell script will be executed. The script saves the mailbox Last logon date/time to a custom date attribute whose schema name is specified in the $dateAttributeName variable. Finally, the task configuration should look like this: image.png

$dateAttributeName = "adm-CustomAttributeDate1" #TODO: modify me

# Get last logon date from Exchange
$mailboxParams = $Context.TargetObject.GetMailParameters()
$lastLogonDate = $mailboxParams.UsageInfo.LastLogonDate

if ($lastLogonDate -eq [DateTime]::MinValue)
{
    $lastLogonDate = $NULL
}

# Update the user
$Context.TargetObject.Put($dateAttributeName, $lastLogonDate)
$Context.TargetObject.SetInfo()

Then modify the Inactive users built-in report or copy it and modify the new report. In the report configuration, replace the script used to generate the report with the one below. In the script, the $mailboxLastLogonDatePropertyName variable specifies the schema name of the custom date attribute used to store the mailbox Last logon date/time. It must be the same as the value of the $dateAttributeName variable in the script executed by the scheduled task.

$mailboxLastLogonDatePropertyName = "adm-CustomAttributeDate1" #TODO: modify me

# Get parameter values
$days = $Context.GetParameterValue("param-Days")
$highlight = $Context.GetParameterValue("param-Highlight") -eq "1"

# To highlight users who can log in, we need account options and the account expiration date
if ($highlight)
{
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.AddRange(@(
        "userAccountControl", "accountExpires"))
}

# Set search criteria
$threshold = (Get-Date).AddDays(- $days)
$criteria = New-AdmCriteria "user" {(mailboxType -ne "shared") -and (whenCreated -lt $threshold) -and ((lastLogonTimestamp -empty $True) -or (lastLogonTimestamp -eq "unspecified") -or (lastLogonTimestamp -lt $threshold)) -and ((lastLogon -empty $True) -or (lastLogon -eq "unspecified") -or (lastLogon -lt $threshold)) -and ((pwdLastSet -eq "unspecified") -or (pwdLastSet -lt $threshold))}
$Context.DirectorySearcher.AddCriteria($criteria)

# Build the report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $user = $Context.BindToObjectBySearchResult($searchResult)

        # Check mailbox last logon date
        $mailboxLastLogonDate = $user.GetPropertyValue($mailboxLastLogonDatePropertyName)

        if($mailboxLastLogonDate -ge $threshold)
        {
            continue
        }

        # Check Active Directory and Entra ID for most recent activity
        $inactivityDuration = $user.GetPropertyValue("adm-InactivityDuration")

        if($inactivityDuration -lt $days)
        {
            continue
        }

        # Highlight users who can log in
        $itemStyle = $NULL
        if ($highlight -and
            -not $Context.IsAccountDisabled($searchResult) -and
            -not $Context.IsAccountExpired($searchResult))
        {
            # Create a style for highlighted objects
            if (-not $styleHighlighted)
            {
                $styleHighlighted = $Context.Items.CreateItemStyle($NULL, "#f5f7de",
                    "ADM_LISTITEMFONTSTYLE_REGULAR")
            }
            $itemStyle = $styleHighlighted
        }

        $Context.Items.Add($searchResult, $NULL, $itemStyle)
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
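
Added example, not part of the original thread and not Adaxes' own code: the decision the thread converges on, written as a stand-alone PowerShell function over constructed records, so that accounts stale in Active Directory but with a recently accessed mailbox are reported as their own state. The function name, state labels and sample data are assumptions, and the adm-InactivityDuration check from the report script is not modelled.

```powershell
# Added example: plain PowerShell, no Adaxes or Active Directory modules needed.
# Get-AccountActivityState and the sample records are hypothetical and constructed.
function Get-AccountActivityState {
    param($User, [int] $Days, [DateTime] $Now = (Get-Date))

    $threshold = $Now.AddDays(-$Days)

    # An empty value counts as "no activity", as in the report criteria.
    $isOld = {
        param($value)
        [string]::IsNullOrEmpty($value) -or ([DateTime]$value -lt $threshold)
    }

    # Accounts created inside the window are never reported.
    if ([DateTime]$User.WhenCreated -ge $threshold) { return 'TooNew' }

    # Any recent AD signal (logon or password change) means the account is in use.
    $adInactive = (& $isOld $User.LastLogon) -and
                  (& $isOld $User.LastLogonTimestamp) -and
                  (& $isOld $User.PwdLastSet)
    if (-not $adInactive) { return 'Active' }

    # Cached mailbox date; delegate or administrator access also updates it.
    if (& $isOld $User.MailboxLastLogon) { return 'Inactive' }
    return 'InactiveInAD-MailboxInUse'
}

# Constructed sample data. Empty fields mean the attribute is not set.
$sample = @'
Name,WhenCreated,LastLogon,LastLogonTimestamp,PwdLastSet,MailboxLastLogon
alice,2020-01-10,,2024-06-20,2024-05-01,2024-06-28
bob,2019-03-02,2023-11-02,2023-11-05,2023-09-01,2024-06-27
carol,2018-07-15,2023-01-09,2023-01-12,2022-12-01,2023-02-01
dave,2024-06-01,,,2024-06-01,
'@ | ConvertFrom-Csv

$now = [DateTime]'2024-06-30'   # fixed so the result is reproducible
$sample | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.Name
        State = Get-AccountActivityState -User $_ -Days 90 -Now $now
    }
}
```

The InactiveInAD-MailboxInUse state corresponds to the case raised in the thread, where users were deleted while the mailbox was still used. Because delegate and administrator access also update the mailbox date, that state is a prompt to review the mailbox before cleanup rather than proof that the owner is active.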
