0 votes

Hello!

I am on version 2013.1 FYI.

When I view a specific OU and view columns such as 'Last logon' and 'last logon timestamp' the dates/times are inconsistent. What's the reason for that?

Ultimately, I wanted to compare the 'last logon' to 'whenCreated' to do a bit of a cleanup in AD.

Thanks

Melinda

by (1.7k points)

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello Melinda,

The thing is that there are 2 attributes in AD to identify when an account logged last time: Last Logon (LDAP name lastLogon) and Last-Logon-Timestamp (LDAP name lastLogonTimestamp). The Last Logon attribute was introduced in Windows 2000 Server, and Last-Logon-Timestamp was introduced a bit later, in Windows Server 2003. There are 2 differences between the attributes:

  1. Last Logon is not replicated, while Last-Logon-Timestamp is. This means that if you have multiple Domain Controllers (DCs) in your environment, on each DC the value of the Last Logon attribute will be different for the same account. On each DC, the value of the attribute will indicate the last time date/time when an account logged on to that particular DC.
  2. Last Logon is updated each time a user logs on, while Last-Logon-Timestamp is not. Active Directory uses a special algorithm to determine whether to update the value of the Last-Logon-Timestamp attribute or not.

For more information, have a look at the following articles on MSDN:

Also, if you want to perform some sort of cleanup in your AD, we suggest using the built-in Inactive User Deleter and Inactive Computer Deleter Scheduled Tasks. The tasks allow you to delete inactive users/computers from Active Directory on a certain periodic basis. For information on how to configure the deletion of inactive accounts, see the following tutorial: http://www.adaxes.com/tutorials_Automat ... ectory.htm.

Both the tasks use the If is inactive <period> condition. The condition allows you to check whether a user or computer account is inactive for a certain period of time.

To determine for how long an account is inactive, Adaxes compares the value of the When Created attribute to the values of the following attributes:

  • Last-Logon-Timestamp
  • Password Last Set

Also, Adaxes tries to ping the computers that appear to be inactive for a long time based on the attributes.

0

got it.

0

hello -

i'd like to have a report of inactive account for x amt of days.
we don't want to do anything with the accounts yet, just want to get some information.
can you provide a powershell script that will report the results from a sch task that determines the accounts inactivity for 90days?

thanks

0

Hello,

Actually, there is such a script in our SDK. Have a look at Example 4: Generating and emailing an AD report under Script Examples in the following SDK article: http://www.adaxes.com/sdk/?ServerSideSc ... ptExamples.

0

thanks. just so I'm clear, and because its for a specific OU, I would change the baseDN to include the OU that it runs against?

0

Hello,

Yes.

Related questions

0 votes
1 answer

We are trying to extend our Adaxes management to O365 / Azure only user objects. Currently we use employee type to add traditional active directory accounts to business units and ... so, can this be used to create dynamic mail enabled security groups in O365?

asked May 3 by adaxes_user2 (20 points)
0 votes
1 answer

Are there any plans to add the ability to select columns to sort results? i.e. when I look in my "Users" OU it would be really handy to be able to sort by job title or department or any other AD attribute. Running 2013.2.

asked Jan 30, 2014 by hutchingsp (240 points)
0 votes
1 answer

We used to run AD Audit and it would provide additional details on what was locking a user's account (workstation name, application, etc...). Is there are way with Adaxes ... on what is locking an account? Or a way to pull historical data on locked accounts?

asked Nov 16, 2020 by pulsifers (20 points)
0 votes
1 answer

I need to run a PowerShell on accounts that are 90 days or older. Would that be "if the 'When Created' is greater then or queal to '%datetime,-90d%'" or "if the 'When Created' is less then or queal to '%datetime,-90d%'"

asked Jun 1, 2020 by hgletifer (1.2k points)
0 votes
0 answers

Before Deactivation of an Account on the Webinterface our Help Desk need to change the AD User Description manually. Is it possible to force a manual change before deactivation ?

asked Feb 7, 2020 by lv01 (20 points)
2,740 questions
2,474 answers
6,475 comments
1,372,039 users