How can you find Inactive Users

There are a couple of attributes that record the last time a user logged on to the system:

  • LastLogon
  • LastLogonDate
  • LastLogonTimeStamp
  • ms-DS-LastSuccessfulInteractive-Logon-Time (new in Windows 2008 FL)

LastLogon: shows the last time a user logged on to a specific DC. This attribute is not replicated to the other DCs, so it is hard to use for finding inactive users.

LastLogonTimeStamp: an Integer8 attribute, and the one you should look at when determining inactive users, because it replicates to all domain controllers. It is important to note that the value can only be trusted if it is more than 14 days in the past, which is fine for finding old unused accounts. This behavior reduces the synchronization load while still giving administrators the information they need. The 14-day value can be modified by assigning a new value (in days) to the msDS-LogonTimeSyncInterval attribute. When a user logs on, if the current value of lastLogonTimestamp is older than the current time less msDS-LogonTimeSyncInterval, then the value of lastLogonTimestamp is updated (and this updated value replicates).

The lastLogontimeStamp attribute is not updated with all logon types or at every logon. The good news is that the logon types that admins usually care about will update the attribute and often enough to accomplish its task of identifying inactive accounts.

Interactive and Network logons will update lastLogonTimestamp. So if a user logs on interactively, browses a network share, accesses the email server, runs an LDAP query, etc., the lastLogonTimestamp attribute will be updated if the right condition is met:

1. (Assuming the value of the ms-DS-Logon-Time-Sync-Interval is at the default of 14)

2. User logs on to the domain

3. The lastLogontimeStamp attribute value of the user is retrieved

4. 14 – (Random percentage of 5) = X

5. Current date – value of lastLogontimeStamp = Y

6. X ≤ Y – update lastLogonTimestamp

7. X > Y – do not update lastLogontimeStamp

LastLogonDate: not an individual attribute by itself; it is only a readable representation of LastLogonTimeStamp, so you can use it in your query. In other words, the LastLogonDate property method converts the value of the lastLogonTimestamp attribute into the corresponding date in the local time zone. In my time zone.

ms-DS-LastSuccessfulInteractive-Logon-Time (new in Windows 2008 FL): new in Windows 2008 domain controllers, it shows the most accurate time at which the user logged on interactively to a system. It doesn't show which system the user logged on to, but it gives you an accurate indication of when the user last logged on interactively. The reason you cannot use this attribute when filtering for inactive users is that service accounts don't usually log on interactively, and thus they don't update this value.
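
One way to turn the lastLogonTimestamp behaviour described above into an inactive-user report, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a 90-day cutoff chosen for illustration, and that msDS-LogonTimeSyncInterval is read from the domain object (unset means the default of 14 days); excluding disabled accounts is also a choice of this example.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveDays = 90   # assumed cutoff for "inactive"; choose your own

# msDS-LogonTimeSyncInterval lives on the domain object; unset means the default of 14 days.
$domainDn = (Get-ADDomain).DistinguishedName
$syncDays = (Get-ADObject -Identity $domainDn -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
if ($null -eq $syncDays) { $syncDays = 14 }

# The replicated value can lag by up to the sync interval, so a shorter cutoff is meaningless.
if ($InactiveDays -le $syncDays) {
    throw "Cutoff ($InactiveDays d) must exceed the sync interval ($syncDays d)."
}

# lastLogonTimestamp is Integer8: 100-ns ticks since 1601-01-01 UTC (Windows FILETIME).
$cutoffTicks = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()

# Enabled users whose timestamp is older than the cutoff, or who have never logged on
# (attribute absent, which a plain <= comparison would silently skip).
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(|(lastLogonTimestamp<=$cutoffTicks)(!(lastLogonTimestamp=*))))"

Get-ADUser -LDAPFilter $ldapFilter -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        # Same conversion that LastLogonDate performs: FILETIME -> local DateTime.
        $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            LastLogon      = $last
            DaysIdle       = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
            NeverLoggedOn  = -not $last
            WhenCreated    = $_.whenCreated
        }
    } |
    Sort-Object LastLogon |
    Format-Table -AutoSize
```

Accounts flagged NeverLoggedOn should be judged by WhenCreated, since a freshly provisioned account has no timestamp yet.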
