How to determine the True Last Logon Value in Active Directory

IT administrators often need to determine the last time a user may have used their Active Directory domain user account to log on. To do so, IT administrators need to query Active Directory and obtain the values of the attribute that stores this information on domain user accounts.
In fact, Active Directory stores the last logon time of a domain user account in a specific attribute on the user object called lastLogon. However, this is not a replicated attribute, which means that Active Directory does not replicate its value amongst all the DCs of a domain.
Thus, in practice, in order to determine a domain user account's true last logon time, IT administrators need to query each DC in the domain for the local lastLogon value on the user's account, then compare each of these values to determine the latest one, and report that as the user's true last logon time. The actual last user logon value is also commonly referred to as True Last Logon in Active Directory.
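The per-DC comparison described above, written as an added PowerShell example (this is not the post's own code). It assumes the RSAT ActiveDirectory module is installed and that the caller can read user objects on every DC in the domain:

```powershell
# Compute a user's True Last Logon by reading the unreplicated lastLogon value
# from every DC and keeping the most recent one.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $latest      = [int64]0   # lastLogon is a 64-bit FILETIME; 0 means "never logged on via this DC"
    $latestDC    = $null
    $unreachable = @()

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server pins the query to this DC so we read its local, unreplicated value
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                               -Properties lastLogon -ErrorAction Stop
        } catch {
            # A DC that is down or unreachable leaves a gap in the result; record it
            # rather than silently reporting an older time as the "true" last logon
            $unreachable += $dc.HostName
            continue
        }

        $value = [int64]$user.lastLogon     # an unset attribute ($null) casts to 0
        if ($value -gt $latest) {
            $latest   = $value
            $latestDC = $dc.HostName
        }
    }

    $when = $null
    if ($latest -gt 0) { $when = [DateTime]::FromFileTime($latest) }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        TrueLastLogon  = $when          # $null if no reachable DC has ever seen a logon
        ReportedBy     = $latestDC      # DC whose local value won the comparison
        UnreachableDCs = $unreachable   # non-empty means the result may be incomplete
    }
}

# Usage (assumed account name): Get-TrueLastLogon -SamAccountName 'jdoe'
```

If any DC is listed under UnreachableDCs, the reported time is a lower bound only, since that DC may hold a newer local lastLogon value.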
IT administrators often write scripts to make this determination or use 3rd-party scripts. The problem with writing scripts is that they are prone to error and are time-consuming to customize and maintain, and the problem with using unsupported 3rd-party scripts is that they are not reliable and thus cannot always be trusted to deliver accurate values every time. Accuracy is very important because these reports are often furnished as evidence to demonstrate regulatory compliance and constitute a part of Active Directory compliance reports.
The best alternative, then, is to use reliable 3rd-party tools that completely automate this process and that can be trusted. Care must be taken, however, to ensure that these tools are from a trustworthy vendor, that they are developed by proficient developers, and, as far as possible, that they are built in the USA.
