Your ability to determine last logon time really depends on the AD level that you’re at.
For information on the below attributes (and more), check here.
Pre-2003 AD: You can’t do it.
2003 AD: Look at the lastlogon attribute on all DCs.
2003 AD functional level: Look at the last-logon-timestamp
2008: Check the msDS-LastSuccessfulInteractiveLogonTime
If you’re not at 2008, or 2003 domain functional level, and you want to determine the last logon time, you can use AD-FIND to query each DC, get the time stamp in the nt time epoch format (the time measured in seconds since 1/1/1601) and then usew32tm /ntte to convert the stamp into a readable format… Date, Hour:min:second.
adfind -h DC1:389 -b dc=domain, dc=local -f “objectcategory=person” lastlogon >DC1.txt
adfind -h DC2:389 -b dc=domain, dc=local -f “objectcategory=person” lastlogon >DC2.txt
… and so on for each DC.
To convert lastlogon time, take the time stamps for the user’s that you’re interested in and convert them…
w32tm /ntte value1
w32tm /ntte value2
… and so on.
Then you can compare each. At 2003 functional level the attribute lastlogontimestamp is replicated to each DC – so it’s a single source of truth. In 2008 it gets even better with last logons, last failed logons, and more. With some diligence, you can probably take the above steps do some further learning around them to improve things a bit, and then script the the logic. But for one-offs, and small networks this works.
1 comment… add one
It’s good to know that function of w32tm — but you can use the -tdc switch to adfind to have it do the conversion for you, avoiding the possibility of transcription errors:
c:\> adfind -h DC2:389 -b dc=domain, dc=local -f “objectcategory=person” lastlogon -tdc