Thursday, March 22, 2012

LastLogonTimestamp for Group Members

I was recently working in a secure environment and one of the issues was way too many domain admin accounts.  This is not a problem just in secure environment.  I've yet to encounter a federal organization that does an outstanding job of limiting the number of domain admins.  I've seen Joe Richards write about working at a Fortune 5 company where they ran with less than 5 domain administrators.  More and more organizations are trying to limit domain admins.  I doubt we will ever get to a point where less than five is the norm but things are getting better...slowly but surely.

The first step the security team took was to identify members of the domain admin group and the last time they logged in.  This is a good initial step to remove those that haven't logged on or used their accounts.  If someone hasn't used their domain admin account in 120 days or longer then I would question if they need the account.

Some folks on the security team were manually going and using a box that had the additional account info tab from the acctinfo.dll.  They were then looking at lastlogon box within the tab and manually entering that into a spreadsheet.  I knew there were easier ways to do this so I stepped in to help out.

For this exercise I keyed off the LastLogonTimeStamp (LLTS) The lastlogontimestamp can be off by 9-14 days.  The link to the askds blog entry on LLTS does a great job of explaining it.  If 9-14 days is not acceptable then you would have to query lastlogon on every DC.  Lastlogon does not replicate and that is why every DC would have to be queried.

For the examples I'm in my lab domain which is mkw2k8R2.com and I only have three users in the domain admin group.  I've only logged in with one of those users.

Method 1 - Using ADFIND

Regular blog users will not be surprised to find out that I used adfind from Joe Richards for method 1.  

adfind -default -f "memberof=cn=domain admins,cn=users,dc=mydomain,dc=mysuffix" samaccountname lastlogontimestamp -tdc -nodn -csv 


Method 2 - Using Quest AD Powershell Cmdlets

Many people that started with powershell and AD years ago are probably familiar with the free AD cmdlets from Quest.  

get-qaduser -memberof "domain admins" | select-object samaccountname, lastlogontimestamp


Method 3 - Using Microsoft's AD Powershell v2 Cmdlets

With the introduction of Windows 2008 R2 and Windows 7 Microsoft introduced the AD module for Windows Powershell.  There is already a lot of good information about the AD Module for Powershell so I won't go over that here.   I also admit I'm not a powershell master/guru.

get-aduser -LDAPFilter "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -property lastlogondate | ft samaccountname, lastlogondate


If you noticed I used lastlogondate which is not an actual AD attribute.  My friend Richard Mueller had a good writeup on lastlogondate.    See the link and Richard's answer for more info on lastlogondate which is essentially the same as lastlogontimestamp


Method 4 - Using CSVDE

CSVDE is what you call an old school tool.  Those that have been around AD for years have definitely used the tool at some point.  It was around before adfind and powershell. 


csvde -f c:\userslogon.csv -r "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -l samaccountname, lastllogontimestamp  


One problem with the CSVDE method is how it handles the output.   LastLogonTimeStamps are Integer8 (64-bit numbers) that CSVDE can't handle.  You will notice in methods 1-3 those tools did a good job of decoding the attribute.

Elizabeth Greene has a really good blog entry that has a formula you can use in excel to convert it into a readable date.

Notice in the screenshot the difference between the native format in cell C2 and what it looks like after I applied the formula




Method 5 - Using Repadmin

This method I first saw used in the blog from the askds team that I linked to earlier and I'll link to again here


repadmin /showattr dc1root dc=mkw2k8r2,dc=com /subtree /filter:"(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" /attrs:lastlogontimestamp



Other Methods


I really like methods 1-3 the best.  There are other methods that I have not included here but I figured five is a good start for anyone.  Some other things you might see out there


  • VBScript - Richard is the king in this category and if you want to use VBScript I recommend testing his scripts out.
  • Powershell v1 without AD cmdlets - remember when I said I was not a powershell guru yet.  I'm guessing that is something that can be done but haven't tried to do it yet.   The AD cmdlets from Microsoft and Quest both work for me so I try to stick to them.

You can use these examples and modify them if you are looking for other groups.  There are other/better ways to identify old/stale accounts in a domain if you want to do it domain wide.  More to come on that.

I'm really looking forward to hearing from readers and the community on other methods for doing this.  If there are better ways to do it in Powershell please leave a comment and I'll definitely update the blog.

Inactive Domain Admins beware....you will be removed :)

2 comments:

  1. We're no longer a Fortune 5 company, but we still have exactly 5 people who hold the EA/DA roles.

    ReplyDelete
  2. Still awesome that you all are doing it with only 5 DAs...that is a kick ass AD!

    ReplyDelete