Cooking with Active Directory
Recipe 6.27: Determining a User's Last Logon Time
TIP: This recipe requires the Windows Server 2003 forest functional level.
You want to determine the last time a user logged into a domain.
Using a graphical user interface
If you install the AcctInfo.dll extension to Active Directory Users and Computers, you can view the last logon timestamp.
TIP: AcctInfo.dll can be downloaded from the Microsoft download site:
- Open the Active Directory Users and Computers snap-in.
- In the left pane, right-click on the domain and select Find.
- Select the appropriate domain beside In.
- Beside Name, type the name of the user you want to modify and click Find Now.
- In the Search Results, double-click on the user.
- Click the Additional Account Info tab.
- View the value for Last-Logon-Timestamp.
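Using VBScript
```vbscript
' This code prints the last logon timestamp for a user.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"  ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objUser = GetObject("LDAP://" & strUserDN)
set objLogon = objUser.Get("lastLogonTimestamp")
' Combine the two 32-bit halves into a count of 100-nanosecond intervals since 1/1/1601
intLogonTime = objLogon.HighPart * (2^32) + objLogon.LowPart
' Convert 100-nanosecond intervals to minutes, then minutes to days
intLogonTime = intLogonTime / (60 * 10000000)
intLogonTime = intLogonTime / 1440
' Adding the day count to the 1/1/1601 base date yields the logon date
WScript.Echo "Approx last logon timestamp: " & intLogonTime + #1/1/1601#
```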
Trying to determine when a user last logged on has always been a challenge in the Microsoft NOS environment. In Windows NT, you could retrieve a user's last logon timestamp from a PDC or BDC, but this timestamp was the last time the user logged on to the PDC or BDC. That means in order to determine the actual last logon, you'd have to query every domain controller in the domain. In large environments, this wasn't practical. With Windows 2000 Active Directory, things did not improve. The lastLogon attribute is used to store the last logon timestamp, but unfortunately, this attribute isn't replicated. So again, to get an accurate picture, you'd have to query every domain controller in the domain for the user's last logon attribute and keep track of the most recent one.
Now with Windows Server 2003, we finally have a viable solution. A new attribute was added to the schema for user objects called lastLogonTimestamp. This attribute is similar to the lastLogon attribute that was available previously, with two distinct differences. First, and most importantly, this attribute is replicated. That means when a user logs in, the lastLogonTimestamp attribute will get populated and then replicate to all domain controllers in the domain.
The second difference is that since lastLogonTimestamp is replicated, special safeguards needed to be put in place so that users that logged in repeatedly over a short period of time did not cause unnecessary replication traffic. For this reason, the lastLogonTimestamp attribute is updated only if the last update occurred a week or more ago. This means that the lastLogonTimestamp attribute could be up to a week off in terms of accuracy with a user's actual last logon. Ultimately, this shouldn't be a problem for most situations because lastLogonTimestamp is intended to address the common problem where administrators want to run a query and determine which users have not logged in over the past month or more.
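The timestamp conversion and the up-to-a-week lag described above, worked through as an added Python example (not code from the book): accounts are triaged from the replicated lastLogonTimestamp alone, and only borderline ones fall back to the per-DC lastLogon values. The account names, DC names, timestamps and the 30-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LAG = timedelta(days=7)  # the "up to a week off" bound stated in the discussion

def filetime_to_utc(raw):
    """100-ns intervals since 1601-01-01 UTC -> aware datetime; 0/None means never set."""
    return EPOCH_1601 + timedelta(microseconds=raw // 10) if raw else None

def utc_to_filetime(dt):  # inverse conversion; used only to build the sample values
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def classify(last_logon_timestamp, now, inactive_days=30):
    """Triage one account using only the replicated attribute."""
    seen = filetime_to_utc(last_logon_timestamp)
    if seen is None:
        return "never-logged-on"
    age, limit = now - seen, timedelta(days=inactive_days)
    if age < limit:
        return "active"
    if age >= limit + LAG:
        return "inactive"
    return "check-each-dc"  # the real logon may be up to LAG newer than the stored value

def resolve(last_logon_timestamp, per_dc_last_logon, now, inactive_days=30):
    """Settle a borderline account with the non-replicated lastLogon read from every DC."""
    raws = [last_logon_timestamp, *per_dc_last_logon.values()]
    times = [t for t in map(filetime_to_utc, raws) if t is not None]
    if not times:
        return "never-logged-on"
    return "active" if now - max(times) < timedelta(days=inactive_days) else "inactive"

# Constructed sample data: hypothetical accounts and DC names, not from the recipe.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def ago(days):
    return utc_to_filetime(NOW - timedelta(days=days))
SAMPLE = {
    "alice":   (ago(3),  {}),
    "bob":     (ago(90), {}),
    "carol":   (ago(33), {"dc1": ago(33), "dc2": ago(28)}),
    "svc-old": (0,       {"dc1": 0}),
}

def triage(sample=SAMPLE, now=NOW):
    out = {}
    for user, (ts, per_dc) in sample.items():
        verdict = classify(ts, now)
        out[user] = resolve(ts, per_dc, now) if verdict == "check-each-dc" else verdict
    return out
```

Here carol's replicated value is 33 days old, but one DC recorded a logon 28 days ago that fell inside the update window, so she is active rather than stale.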
"Finding Users Who Have Not Logged On Recently."
Be sure to check back to this space in two weeks for more recipes from Active Directory Cookbook on modifying an attribute for several users at once and viewing the nested members of a group.