Recipe 15.9. Finding a Domain User's Last Logon Time

Problem

You want to determine the last time a user logged in to a domain. This recipe requires that your Active Directory forest is at the Windows Server 2003 forest functional level.

Solution

Using a graphical user interface

If you install the AcctInfo.dll extension to Active Directory Users and Computers, you can view the last logon timestamp:

  1. Open the Active Directory Users and Computers snap-in (dsa.msc).

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user you want to view and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Click the Additional Account Info tab.

  7. View the value for Last-Logon-Timestamp.

AcctInfo.dll can be downloaded from the Microsoft download site: http://microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


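Using VBScript

' This code prints the last logon timestamp for a domain user.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"  ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objUser = GetObject("LDAP://" & strUserDN)
' lastLogonTimestamp is a 64-bit count of 100-nanosecond intervals
' since 1/1/1601 (UTC), returned as an object with HighPart and LowPart.
set objLogon = objUser.Get("lastLogonTimestamp")
intLogonTime = objLogon.HighPart * (2^32) + objLogon.LowPart
' Convert 100-nanosecond intervals to minutes, then minutes to days.
intLogonTime = intLogonTime / (60 * 10000000)
intLogonTime = intLogonTime / 1440
' Adding the day count to the 1/1/1601 epoch yields a date value.
WScript.Echo "Approx last logon timestamp: " & intLogonTime + #1/1/1601#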

Discussion

Trying to determine when a user last logged on has always been a challenge in the Microsoft NOS environment. In Windows NT, you could retrieve a user's last logon timestamp from a PDC or BDC, but this timestamp was the last time the user logged on to the PDC or BDC. That means in order to determine the actual last logon, you'd have to query every domain controller in the domain. In large environments this wasn't practical. With Windows 2000 Active Directory, things did not improve much. A lastLogon attribute is used to store the last logon timestamp, but unfortunately this attribute isn't replicated. So again, to get an accurate picture, you'd have to query every domain controller in the domain for the user's last logon attribute and keep track of the most recent one.

Now with Windows Server 2003 we finally have a viable solution. A new attribute was added to the schema for user accounts called lastLogonTimestamp. This attribute is similar to the lastLogon attribute that was available previously, with two distinct differences. First, and most importantly, this attribute is replicated. That means when a user logs in, the lastLogonTimestamp attribute gets populated and then replicates to all domain controllers in the domain.

The second difference is that since lastLogonTimestamp is replicated, Microsoft needed to put in special safeguards to ensure that a user can log in repeatedly over a short period of time without any impact on replication. For this reason, lastLogonTimestamp is updated only if the last update occurred a week or more ago. This means that the lastLogonTimestamp attribute could be up to a week off from a user's actual last logon. Ultimately this shouldn't be a problem for most situations, because lastLogonTimestamp is intended to address the common problem where administrators want to run a query and determine which users have not logged in over the past month or more.
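Added example (not from the book): the Discussion's two points in PowerShell, taking the newest non-replicated lastLogon across domain controllers and classifying accounts from the replicated lastLogonTimestamp while allowing for its week of lag. The function names, the 30-day threshold and all sample values are assumptions constructed for illustration.

```powershell
# Added example. All sample values below are constructed, not real directory data.
# lastLogon and lastLogonTimestamp are FILETIMEs: 100-ns ticks since 1601-01-01 UTC.

function Convert-LogonValue {
    param([long]$FileTime)
    if ($FileTime -le 0) { return $null }    # 0 or unset: no logon recorded
    [DateTime]::FromFileTimeUtc($FileTime)
}

# lastLogon is not replicated, so the true value is the newest one held by any DC.
function Get-NewestLastLogon {
    param([long[]]$PerDcValues)
    $newest = $PerDcValues | Sort-Object -Descending | Select-Object -First 1
    Convert-LogonValue $newest
}

# lastLogonTimestamp is replicated but, per the Discussion, can trail the real
# logon by up to a week, so ages just past the threshold are reported as Uncertain.
function Get-LogonStatus {
    param(
        [long]$LastLogonTimestamp,
        [DateTime]$NowUtc = [DateTime]::UtcNow,
        [int]$StaleDays = 30,     # assumed reporting threshold
        [int]$LagDays = 7         # update lag stated in the Discussion
    )
    $stored = Convert-LogonValue $LastLogonTimestamp
    if ($null -eq $stored) { return 'NoLogonRecorded' }
    $ageDays = ($NowUtc - $stored).TotalDays
    if ($ageDays -le $StaleDays) { return 'Active' }
    if ($ageDays -le $StaleDays + $LagDays) { return 'Uncertain' }  # confirm via lastLogon on each DC
    'Stale'
}

$now = [DateTime]::UtcNow

# One user's lastLogon as read from three DCs (constructed values).
$perDc = @($now.AddDays(-40).ToFileTimeUtc(), $now.AddDays(-2).ToFileTimeUtc(), 0)
'Newest lastLogon (UTC): {0:u}' -f (Get-NewestLastLogon $perDc)

# Replicated lastLogonTimestamp for four constructed accounts.
$users = @(
    [pscustomobject]@{ Name = 'user-a'; lastLogonTimestamp = $now.AddDays(-5).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'user-b'; lastLogonTimestamp = $now.AddDays(-33).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'user-c'; lastLogonTimestamp = $now.AddDays(-90).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'user-d'; lastLogonTimestamp = 0 }
)
foreach ($u in $users) {
    '{0}: {1}' -f $u.Name, (Get-LogonStatus $u.lastLogonTimestamp $now)
}
```

In a live domain the same functions can be fed from Get-ADUser with -Properties lastLogon, lastLogonTimestamp (ActiveDirectory module), using -Server to read lastLogon from each domain controller in turn.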

See Also

Recipe 6.28 of Active Directory Cookbook (O'Reilly) for finding users that have not logged on recently in a domain



Windows XP Cookbook
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408
