StackAccel

AD: How to Determine the Last Logon time of users

Your ability to determine last logon time really depends on the AD level that you’re at.

For information on the below attributes (and more), check here.

Pre-2003 AD: You can’t do it.
2003 AD: Look at the lastlogon attribute on all DCs.
2003 AD functional level: Look at the last-logon-timestamp
2008: Check the msDS-LastSuccessfulInteractiveLogonTime 

If you’re not at 2008, or 2003 domain functional level, and you want to determine the last logon time, you can use AdFind to query each DC, get the time stamp in the nt time epoch format (the time measured in seconds since 1/1/1601) and then use w32tm /ntte to convert the stamp into a readable format… Date, Hour:min:second.

adfind -h DC1:389 -b dc=domain,dc=local -f "objectcategory=person" lastlogon > DC1.txt

adfind -h DC2:389 -b dc=domain,dc=local -f "objectcategory=person" lastlogon > DC2.txt

… and so on for each DC.

To convert lastlogon time, take the time stamps for the users that you’re interested in and convert them…

w32tm /ntte value1
w32tm /ntte value2

… and so on.

Then you can compare each. At 2003 functional level the attribute lastlogontimestamp is replicated to each DC, so it’s a single source of truth. In 2008 it gets even better with last logons, last failed logons, and more. With some diligence, you can probably take the above steps, do some further learning around them to improve things a bit, and then script the logic. But for one-offs and small networks, this works.
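One way to script the compare step, as an added example that is not part of the original post: it parses the per-DC dump files, keeps the newest lastLogon per user, and converts it to a UTC date. The sample dumps are constructed, the "dn:" / ">attr: value" layout is assumed from adfind's default output, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of adfind's default output (assumed "dn:" / ">attr: value" layout).
SAMPLE_DUMPS = {
    "DC1": """dn:CN=Alice Example,CN=Users,DC=domain,DC=local
>lastLogon: 130000000000000000

dn:CN=Bob Example,CN=Users,DC=domain,DC=local
>lastLogon: 0
""",
    "DC2": """dn:CN=Alice Example,CN=Users,DC=domain,DC=local
>lastLogon: 130008640000000000

dn:CN=Bob Example,CN=Users,DC=domain,DC=local
""",
}

def ntte_to_datetime(ticks):
    """NT time is a count of 100-ns ticks since 1601-01-01 UTC; 0 means never logged on."""
    ticks = int(ticks)
    return NT_EPOCH + timedelta(microseconds=ticks // 10) if ticks > 0 else None

def parse_adfind(text):
    """Return {lowercased dn: raw lastLogon}, with 0 when the attribute is absent."""
    entries, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            dn = line[3:].strip().lower()
            entries.setdefault(dn, 0)
        elif dn and line.lower().startswith(">lastlogon:"):
            entries[dn] = int(line.split(":", 1)[1])
    return entries

def latest_logons(dumps):
    """dumps maps DC name -> adfind output; returns dn -> (UTC datetime or None, DC)."""
    best = {}
    for dc, text in dumps.items():
        for dn, ticks in parse_adfind(text).items():
            if ticks > best.setdefault(dn, (0, None))[0]:
                best[dn] = (ticks, dc)
    return {dn: (ntte_to_datetime(t), dc) for dn, (t, dc) in best.items()}

if __name__ == "__main__":
    for dn, (when, dc) in sorted(latest_logons(SAMPLE_DUMPS).items()):
        print(dn, when.isoformat() if when else "never", dc or "-")
```

For real use, pass the contents of DC1.txt, DC2.txt and so on, keyed by DC name, in place of SAMPLE_DUMPS; accounts that report "never" on every DC are the ones to review as stale.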


1 comment

  1. Nick,

    It’s good to know that function of w32tm — but you can use the -tdc switch to adfind to have it do the conversion for you, avoiding the possibility of transcription errors:

    c:\> adfind -h DC2:389 -b dc=domain,dc=local -f "objectcategory=person" lastlogon -tdc
