Mark Minasi's Tech Forum
jwelsh (#1)
From time to time I'm asked to get the last logon time of every user in our domain. As far as I know, the only accurate way to do this is to query each domain controller and compare the last logon timestamp. The problem is we are growing, up to almost 70,000 user accounts and there are 12 domain controllers, thus I have to make roughly 840,000 queries. When I researched it, I found that I could use the PoshRSJobs module to do this in parallel.

So, I wrote a script that gets all the user accounts and then pipes that to a Start-RSJob that has the commands to take an account and check with each DC to gather the account info. Currently it takes roughly 16-18 hours to run from a dedicated VM. It works and it gives me the info I am needing, but I would like to pose the following questions.

Am I approaching this correctly? Is there a better way to find the last logon of an account? I'd like to get this down to under 6 hours.

JeffHicks (#2)
The way I've handled this in the past is to track all of this essentially out-of-band. I set up a database that users have write access to, then use a logon script that records the user name, date, time and computer they logged on to in the database. You might also ask in the AD forum about the best property to query. There are several and if I recall some replicate, some do not, and some need a specific version of Windows or AD.
__________________
Jeff Hicks Author ~ Trainer ~ Guru
Cloud and Datacenter Management MVP



jwelsh (#3)
This is similar to an idea Mark had a couple months ago when it came up in conversation. To basically query each DC on a regular basis, store the info offline, then the script comes along and compiles it all.

Infradeploy (#4)
You could try subscribing to the AD events on the dedicated vm, and go from there.


__________________
Have SpaceSuit, Will Travel

wkasdo (#5)
> Is there a better way to find the last logon of an account?

If you can live with a delay of 14 days, there is a better way. Research lastLogonTimeStamp. It is a replicated attribute so you only have to read it on a single DC. But it gets updated only after a delay of 14 days to keep replication traffic down. More to read: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

In reply to Jeff: this works on all domains with Domain Functional Level of 2003 or higher. I should hope that this has a 100% hit rate by now.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
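The lastLogonTimeStamp approach from the post above, as an added example (not code from the thread): one query against a single DC, with the up-to-14-day update lag treated as uncertainty rather than ignored, so an account is only reported stale once it is provably past the threshold. It assumes the ActiveDirectory module; the function and parameter names are my own.

```powershell
# Added example, not from the thread. Reads the replicated lastLogonTimestamp
# from one DC and flags accounts idle longer than $InactiveDays, subtracting the
# 14-day update lag before comparing. Assumes the ActiveDirectory module.

function Test-StaleAccount {
    # Pure evaluation of one account. Accepts any object exposing SamAccountName,
    # lastLogonTimestamp (Int64 file time or $null) and whenCreated (DateTime),
    # so it can be exercised on constructed data without a domain.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Account,
        [int]$InactiveDays = 90,
        [int]$ReplicationLagDays = 14,                 # attribute may trail the real logon by up to this long
        [DateTime]$Now = (Get-Date).ToUniversalTime()
    )
    process {
        $ts = [int64]$Account.lastLogonTimestamp       # $null becomes 0 = never written
        $shown = if ($ts -gt 0) { [DateTime]::FromFileTimeUtc($ts) } else { $null }

        # An account that has never logged on has no timestamp; measure from creation.
        $reference = if ($null -ne $shown) { $shown } else { $Account.whenCreated.ToUniversalTime() }

        # The attribute is only rewritten once its stored value is about 14 days old,
        # so the real last logon lies somewhere in [shown, shown + lag]. Subtracting
        # the lag means a user who logged on yesterday is never reported as stale.
        $idleAtLeast = ($Now - $reference).TotalDays - $ReplicationLagDays

        [pscustomobject]@{
            SamAccountName     = $Account.SamAccountName
            LastLogonTimestamp = $shown
            IdleDaysAtLeast    = [math]::Max(0, [math]::Floor($idleAtLeast))
            Stale              = $idleAtLeast -gt $InactiveDays
        }
    }
}

function Get-StaleAccountReport {
    param([int]$InactiveDays = 90, [string]$Server)
    Import-Module ActiveDirectory
    # One query against one DC is enough: the attribute is replicated.
    $query = @{ Filter = 'Enabled -eq $true'; Properties = 'lastLogonTimestamp', 'whenCreated' }
    if ($Server) { $query.Server = $Server }
    Get-ADUser @query | Test-StaleAccount -InactiveDays $InactiveDays
}

# Constructed sample accounts (no domain needed), evaluated against a fixed "now".
$now = [DateTime]::new(2016, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; lastLogonTimestamp = $now.AddDays(-5).ToFileTimeUtc();   whenCreated = $now.AddYears(-3) }  # active
    [pscustomobject]@{ SamAccountName = 'bob';   lastLogonTimestamp = $now.AddDays(-100).ToFileTimeUtc(); whenCreated = $now.AddYears(-3) }  # 86+ idle: not provably past 90
    [pscustomobject]@{ SamAccountName = 'carol'; lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc(); whenCreated = $now.AddYears(-3) }  # stale
    [pscustomobject]@{ SamAccountName = 'dave';  lastLogonTimestamp = $null;                              whenCreated = $now.AddDays(-30) }   # never logged on, new
)
$sample | Test-StaleAccount -Now $now | Format-Table -AutoSize

# Against the real domain instead:
# Get-StaleAccountReport -InactiveDays 90 | Where-Object Stale | Export-Csv -NoTypeInformation .\stale.csv
```

With the sample data only carol is reported stale; bob shows 100 days on the attribute but could have logged on as recently as 86 days ago, so a 90-day policy cannot yet act on him. That lag is exactly the trade-off the post describes: one cheap replicated read in exchange for a two-week blind spot.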
JeffHicks (#6)
That's what I was thinking of. This is a problem that goes back to Windows 2000 if not further. You'd think there would be a much, much easier and more accurate way by now.
__________________
Jeff Hicks Author ~ Trainer ~ Guru
Cloud and Datacenter Management MVP



jwelsh (#7)
I think we looked at LastLogonTimeStamp and it wasn't acceptable for some reason, so it was decided that querying each DC for each account to get the LastLogon was the best way.

wkasdo (#8)
It would be interesting to know why lastLogonTimeStamp is not acceptable. But given that it's not...

- a possible optimization would be to run the lastLogon query locally on each DC (remoting) to take out the network factor. Collect the resulting dataset (XML?) on an admin server, combine them and analyse it for results. Possible risk: DC load.

- option: the fastest query tool that I know is ldifde. Combine with the remoting option?

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
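The remoting optimization proposed in the post above, applied to the per-user-per-DC script from the first post, as an added example (not code from the thread, from PoshRSJob or from Microsoft): one bulk lastLogon query per DC, executed on the DC itself over PowerShell remoting, and a merge that keeps the newest value per account, which replaces roughly 840,000 round trips with 12. It assumes WinRM access to the DCs, the ActiveDirectory module on them, and read rights on all user objects; the function names are my own.

```powershell
# Added example (not code from the thread or from PoshRSJob). One bulk lastLogon
# query per DC, run on the DC itself over PowerShell remoting, then a merge that
# keeps the newest value per account. Assumes WinRM access to every DC, the
# ActiveDirectory module on the DCs, and read rights on all user objects.

function Merge-LastLogon {
    # Pure merge step: records carry SamAccountName, DC and LastLogon as an
    # Int64 file time (0 = that DC never authenticated the account).
    param([Parameter(Mandatory)][object[]]$Records)
    $newest = @{}
    foreach ($r in $Records) {
        $key = $r.SamAccountName
        if (-not $newest.ContainsKey($key) -or $r.LastLogon -gt $newest[$key].LastLogon) {
            $newest[$key] = $r
        }
    }
    foreach ($r in $newest.Values) {
        if ($r.LastLogon -gt 0) {
            $when = [DateTime]::FromFileTimeUtc($r.LastLogon)   # lastLogon is stored as a UTC file time
            $by   = $r.DC
        } else {
            $when = $null                                       # never seen on any DC queried
            $by   = $null
        }
        [pscustomobject]@{ SamAccountName = $r.SamAccountName; LastLogon = $when; ReportedBy = $by }
    }
}

function Get-TrueLastLogon {
    # The DC-load caveat from the thread applies: each DC walks its whole user
    # set, so keep the throttle low and run outside peak logon hours.
    param([int]$ThrottleLimit = 4)
    Import-Module ActiveDirectory
    $dcs = (Get-ADDomainController -Filter *).HostName

    # The query executes on each DC against itself; only the result set crosses the network.
    $records = Invoke-Command -ComputerName $dcs -ThrottleLimit $ThrottleLimit -ScriptBlock {
        Import-Module ActiveDirectory
        Get-ADUser -Filter * -Properties lastLogon | ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                DC             = $env:COMPUTERNAME
                LastLogon      = [int64]$_.lastLogon
            }
        }
    }
    Merge-LastLogon -Records $records
}

# Constructed sample (no domain needed) exercising the merge rule: alice's newest
# value is on DC1, bob's only on DC2, dave never authenticated against either.
$t = [DateTime]::new(2016, 5, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; DC = 'DC1'; LastLogon = $t.AddDays(-1).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'alice'; DC = 'DC2'; LastLogon = $t.AddDays(-40).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'bob';   DC = 'DC1'; LastLogon = 0 }
    [pscustomobject]@{ SamAccountName = 'bob';   DC = 'DC2'; LastLogon = $t.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'dave';  DC = 'DC1'; LastLogon = 0 }
    [pscustomobject]@{ SamAccountName = 'dave';  DC = 'DC2'; LastLogon = 0 }
)
Merge-LastLogon -Records $sample | Sort-Object SamAccountName | Format-Table -AutoSize

# Against the real domain:
# Get-TrueLastLogon -ThrottleLimit 4 | Export-Csv -NoTypeInformation -Path .\lastlogon.csv
```

The merge is kept separate from the collection on purpose: the ldifde export suggested in the same post produces the same two attributes per DC, and once parsed those records can be fed straight into Merge-LastLogon. Note that lastLogon is not replicated, so a value of 0 on one DC says nothing about the others, which is why the merge only trusts the maximum across all of them.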

Infradeploy (#9)
For me, I'd turn on auditing and do log shipping and query the logs.
If you put that info in a database you could get the results in seconds.

__________________
Have SpaceSuit, Will Travel
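The audit-log route from the post above (and the event subscription idea from post #4), as an added example that is not code from the thread: with account logon auditing enabled, each DC's Security log records Kerberos TGT requests (event 4768) and NTLM validations (event 4776), and the newest successful event per account is that account's last logon. The parser works on event XML so the constructed events at the end run without a DC. It assumes Get-WinEvent read access to the DCs' Security logs; the Data field names are the standard ones for those two events, and the function names are my own.

```powershell
# Added example (not code from the thread). Derives last logon per account from
# DC Security-log events 4768 (Kerberos TGT) and 4776 (NTLM), keeping only
# successful, non-computer-account events. Assumes Get-WinEvent access to the DCs.

function ConvertFrom-AccountLogonEvent {
    # One event -> one record, or $null for failed attempts and computer accounts.
    param(
        [Parameter(Mandatory)][string]$EventXml,   # Get-WinEvent's $_.ToXml()
        [Parameter(Mandatory)][int]$Id,            # 4768 or 4776
        [Parameter(Mandatory)][DateTime]$TimeCreated,
        [string]$DC
    )
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = $data['TargetUserName']
    # Status 0x0 is success for both events; a trailing '$' marks a computer account.
    if (-not $user -or $user.EndsWith('$') -or $data['Status'] -ne '0x0') { return $null }

    # 4768 reports the client by IpAddress, 4776 by Workstation name.
    $source = if ($data.ContainsKey('IpAddress')) { $data['IpAddress'] } else { $data['Workstation'] }
    [pscustomobject]@{
        SamAccountName = $user.ToLowerInvariant()
        LastLogon      = $TimeCreated.ToUniversalTime()
        EventId        = $Id
        DC             = $DC
        Source         = $source
    }
}

function Merge-NewestLogon {
    # Newest surviving record per account; failed and machine events were
    # already dropped by ConvertFrom-AccountLogonEvent, so they can never win.
    param([object[]]$Records)
    $Records | Where-Object { $_ } | Group-Object SamAccountName | ForEach-Object {
        $_.Group | Sort-Object LastLogon -Descending | Select-Object -First 1
    }
}

function Get-LastLogonFromSecurityLogs {
    param([Parameter(Mandatory)][string[]]$DomainController, [DateTime]$Since = (Get-Date).AddDays(-30))
    $records = foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4776; StartTime = $Since } |
            ForEach-Object { ConvertFrom-AccountLogonEvent -EventXml $_.ToXml() -Id $_.Id -TimeCreated $_.TimeCreated -DC $dc }
    }
    Merge-NewestLogon -Records $records
}

# Constructed events (no DC needed): alice via Kerberos then NTLM, bob whose latest
# attempt is a failed TGT request (Status 0x18) that must not count, and a
# computer account that must be ignored.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
function New-SampleXml([string]$Fields) { "<Event xmlns='$ns'><EventData>$Fields</EventData></Event>" }
$sample = @(
    @{ Id = 4768; Time = '2016-05-01T08:00:00Z'; DC = 'DC1'; Xml = New-SampleXml "<Data Name='TargetUserName'>alice</Data><Data Name='IpAddress'>::ffff:10.0.0.5</Data><Data Name='Status'>0x0</Data>" }
    @{ Id = 4776; Time = '2016-05-02T09:30:00Z'; DC = 'DC2'; Xml = New-SampleXml "<Data Name='TargetUserName'>Alice</Data><Data Name='Workstation'>WKS01</Data><Data Name='Status'>0x0</Data>" }
    @{ Id = 4768; Time = '2016-04-20T07:00:00Z'; DC = 'DC1'; Xml = New-SampleXml "<Data Name='TargetUserName'>bob</Data><Data Name='IpAddress'>::ffff:10.0.0.9</Data><Data Name='Status'>0x0</Data>" }
    @{ Id = 4768; Time = '2016-05-03T07:00:00Z'; DC = 'DC1'; Xml = New-SampleXml "<Data Name='TargetUserName'>bob</Data><Data Name='IpAddress'>::ffff:10.0.0.9</Data><Data Name='Status'>0x18</Data>" }
    @{ Id = 4768; Time = '2016-05-03T07:05:00Z'; DC = 'DC1'; Xml = New-SampleXml "<Data Name='TargetUserName'>WKS01`$</Data><Data Name='IpAddress'>::ffff:10.0.0.5</Data><Data Name='Status'>0x0</Data>" }
)
$records = foreach ($e in $sample) {
    ConvertFrom-AccountLogonEvent -EventXml $e.Xml -Id $e.Id -TimeCreated ([DateTime]$e.Time) -DC $e.DC
}
Merge-NewestLogon -Records $records | Format-Table SamAccountName, LastLogon, EventId, DC, Source -AutoSize
```

On the sample, alice resolves to the 2016-05-02 NTLM event on DC2 and bob to the 2016-04-20 success, because his later 0x18 failure is discarded before merging. Pulling the events over the network on demand works for a test, but for 70,000 users the post's point stands: ship the logs continuously into a store and keep only the latest record per account there, so the question is answered by one lookup instead of a crawl.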

netmarcos (#10)
Somewhere in my archives I have an old .vbs that queries every DC and compiles the true last logon for you. If anybody wants it, I can go dig it out of the archives.

wobble_wobble (#11)
I've been watching and reading this as it's gone on with great interest.

In the back of my head I think that ELSA will track these events.
It needs a bit of configuring etc.
https://code.google.com/p/enterprise-log-search-and-archive/

I've never deployed ELSA by itself, I've always deployed Security Onion which has included it, and then tuned it for the work we've been interested in, mostly IDS/ IPS, but who logged in, where, when etc falls within that remit as well.
https://security-onion-solutions.github.io/security-onion/


Security Onion boxes don't tend to use a lot of RAM/CPU but eat disk like, well, an IDS/IPS logger.
Might be another option for you to look at.



__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this