The world's most trusted forum on Active Directory Security

TOPIC: Active Directory Logon Audit


Posts: 1
Date: Aug 12, 2013
Active Directory Logon Audit

Hello Forum,

I would like to know if there is an easy way to perform an Active Directory Logon Audit.

One of my clients has a PCI compliance requirement to identify and document stale user accounts in Active Directory, and they're defining staleness as 90 days, so I need to put together a list of all Active Directory accounts that have not logged in within the last 90 days.

My understanding is that to do so, I need to look at the lastLogon attribute on each of the Domain Controllers in the client's domain, then compare the timestamps to determine the true last logon value of each of these accounts.

The challenge is that this client has over 30 domain controllers, and over 1000 accounts in their Active Directory, so I'm not looking forward to making 30,000 comparisons myself. That would be super boring and painful, and not something I signed up to do.

(I am a Network Admin, but am relatively new to AD management. I've been doing traditional Windows security administration for years, but AD is a little new to me, so I apologize if this is too simple a question.)

Anyway, I'm sure this is a common requirement for many businesses, so would appreciate any pointers on easy/automated ways to do this. I have a reasonable budget to fulfill this need, but need to do this quickly.

Thank you for any help anyone can provide.




Posts: 16
Date: Oct 9, 2013
RE: Active Directory Logon Audit

Hi Alan,

Indeed, this is a very common requirement for most AD admins, because we all need to be able to audit inactive user accounts at some point or other, for various reasons.

In your case, since the time interval you are interested in exceeds 14 days, you may not need to query all the DCs, but could query a replicated DC for the lastLogonTimestamp value, so you could write a script to query the AD for all domain user accounts whose lastLogonTimestamp value exceeds 90 days.

The only challenge in writing such a script is the syntax of this attribute as I believe it is a 64-bit (8 byte integer) so you may have to figure out how to read the contents of this attribute, as well as how to build your LDAP filter to denote a value of 90 days in the expected syntax.

If you're good with scripting, I think this should be helpful. Just be sure to thoroughly test your scripts out as the last thing anyone wants is incorrect results from binding to the wrong DC, or setting the wrong value for the attribute, or accidentally making other mistakes etc.
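The approach described in the reply above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the domain, a 90-day threshold, and an output path of .\stale-users.csv; all three are assumptions, not values from the page. It shows how the 64-bit lastLogonTimestamp (a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC) is converted to and from a DateTime, how the cutoff goes into the LDAP filter as a plain integer, and, as an optional precision pass, how the OP's per-DC lastLogon comparison can be automated for just the suspect set rather than done by hand:

```powershell
# Added example, not code from the original post. Assumes RSAT ActiveDirectory module,
# a domain-joined host with read rights, a 90-day threshold and .\stale-users.csv output.
Import-Module ActiveDirectory

$Days = 90
$Cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)

# lastLogonTimestamp is a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC).
# DateTime.ToFileTimeUtc() yields exactly that integer, so it can go straight into the filter.
$CutoffFileTime = $Cutoff.ToFileTimeUtc()

# whenCreated is compared as LDAP Generalized Time (yyyyMMddHHmmss.0Z).
$CutoffGeneralized = $Cutoff.ToString('yyyyMMddHHmmss.0Z')

# Enabled users (userAccountControl bit 2 = ACCOUNTDISABLE, matched with the LDAP_MATCHING_RULE_BIT_AND
# OID) whose replicated timestamp is at or before the cutoff, OR who have never logged on at all
# (attribute absent) and were created before the cutoff. Omitting the second branch silently
# drops never-used accounts, which are exactly what a stale-account audit is after.
$Filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(|(lastLogonTimestamp<=$CutoffFileTime)" +
             "(&(!(lastLogonTimestamp=*))(whenCreated<=$CutoffGeneralized))))"

# One replicated DC is enough for lastLogonTimestamp; no need to visit all 30.
$Suspects = Get-ADUser -LDAPFilter $Filter -Properties lastLogonTimestamp, whenCreated |
    Select-Object SamAccountName, Enabled, whenCreated,
        @{ Name = 'LastLogonTimestampUtc'
           Expression = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } else { $null } } }

# Optional precision pass. lastLogonTimestamp is only refreshed when the stored value is more than
# ~14 days old, so the true last logon can be up to ~14 days later than the attribute says.
# lastLogon, by contrast, is exact but NOT replicated, so ask every DC and keep the newest value.
# Scripting this is the 30,000 comparisons the OP did not want to do by hand.
$Dcs = (Get-ADDomainController -Filter *).HostName
$Report = foreach ($u in $Suspects) {
    $newest = 0L
    foreach ($dc in $Dcs) {
        try {
            $ll = (Get-ADUser -Identity $u.SamAccountName -Server $dc -Properties lastLogon -ErrorAction Stop).lastLogon
            if ($ll -and $ll -gt $newest) { $newest = $ll }
        } catch {
            Write-Warning "Could not query $dc for $($u.SamAccountName): $($_.Exception.Message)"
        }
    }
    $exact = if ($newest -gt 0) { [DateTime]::FromFileTimeUtc($newest) } else { $null }
    [PSCustomObject]@{
        SamAccountName        = $u.SamAccountName
        WhenCreated           = $u.whenCreated
        LastLogonTimestampUtc = $u.LastLogonTimestampUtc
        LastLogonExactUtc     = $exact
        # Stale only if no DC has seen a logon since the cutoff (never-logged-on counts as stale).
        Stale                 = (-not $exact) -or ($exact -le $Cutoff)
    }
}

$Report | Where-Object Stale | Sort-Object LastLogonExactUtc |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation
$Report | Format-Table -AutoSize
```

The filter alone is what most audits run; the per-DC pass is there because an account whose replicated timestamp is just over 90 days old may have an exact lastLogon a few days inside the window, and a DC that is unreachable during the pass is warned about rather than silently treated as "no logon". Run it with an account that can only read the directory, and keep the script under version control so that the kind of undetected edit mentioned later in this thread leaves a trace.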




Posts: 5
Date: Oct 9, 2013
RE: Active Directory Logon Audit

Scripting is certainly an option, but I have found that the biggest problem is maintaining the scripts and ensuring that no one modifies them, either by accident or on purpose. (One time we had a situation where a colleague changed the script, just for kicks, resulting in wrong values of course, and there was no way of knowing until he mentioned it.)

Better to use dedicated tools to do this, than to write, test, maintain and protect scripts.


لا مصيبة أعظم من الجهل (There is no calamity greater than ignorance)
