Last Logon Time

Last Logon Time

Post by Bryan D. Jarnagi » Sun, 06 Apr 2003 02:24:35



This may sound simple to some, but it's been whooping me
for two days. I need to determine the last logon date for
all of the users in my domain. I have found that Last
Logon information is not replicated between the DC's as
part of the user info. I am having to to gather user
information from all 7 domain controllers and compare the
lists for last logon time. This is very time consuming.
Does anyone know of a faster way to accomplish this task?

Bryan D. Jarnagin

 
 
 

Last Logon Time

Post by Snowdo » Sun, 06 Apr 2003 17:00:58


Upgrade to Windows 2003. When the domain is in Windows 2003 mode the last
logon attribute is replicated to all the DC's in the domain. I know this is
not a good answer, but I don't know of any others. You could try exporting
AD out with csvde on each DC and specify the attributes you want so it does
not export all of them. That way it would be a little easier to compare the
logon attribute.

Snowdog



Quote:> This may sound simple to some, but it's been whooping me
> for two days. I need to determine the last logon date for
> all of the users in my domain. I have found that Last
> Logon information is not replicated between the DC's as
> part of the user info. I am having to to gather user
> information from all 7 domain controllers and compare the
> lists for last logon time. This is very time consuming.
> Does anyone know of a faster way to accomplish this task?

> Bryan D. Jarnagin


 
 
 

Last Logon Time

Post by MJ » Mon, 07 Apr 2003 02:37:21


How many users do you have in your domain?

The process of using a script to do this depends on how many users you have.
If you have a relatively small number (circa 1000), then you can use a
script to just hit each dc for each user, and get the latest time. This
script is easy to write, but results in a ton of LDAP bind operations and
thus runs a little slower than your other option.

If you have a larger number of users, or poor connectivity between the
domain controllers, you are likely better off going the route of dumping the
data from each DC into a spreadsheet or database and then comparing the data
after the last export.

You don't mention what your end goal is, meaning do you want to know exactly
when each user has last logged in, or are you looking for a threshold like
"show me all users that have not logged in for 30 days." The difference
being if the later is what you are looking for, you can reduce the amount of
data you need to look at by excluding all those users that have changed
their password in the last 30 days. The password age attribute is replicated
between DC's, so this could be a method to reduce the number of records that
need to be looked at.

Is this something you are looking to accomplish using VBScript / JScript /
WSF, or are you open to using something like .NET Framework + C# or VB.NET?

MJ


> Upgrade to Windows 2003. When the domain is in Windows 2003 mode the last
> logon attribute is replicated to all the DC's in the domain. I know this
is
> not a good answer, but I don't know of any others. You could try exporting
> AD out with csvde on each DC and specify the attributes you want so it
does
> not export all of them. That way it would be a little easier to compare
the
> logon attribute.

> Snowdog



> > This may sound simple to some, but it's been whooping me
> > for two days. I need to determine the last logon date for
> > all of the users in my domain. I have found that Last
> > Logon information is not replicated between the DC's as
> > part of the user info. I am having to to gather user
> > information from all 7 domain controllers and compare the
> > lists for last logon time. This is very time consuming.
> > Does anyone know of a faster way to accomplish this task?

> > Bryan D. Jarnagin