Network Security Security-Basics

RE: Question about Active Directory and last time user has logged on

Subject: RE: Question about Active Directory and last time user has logged on
Date: Wed, 29 Aug 2007 08:59:38 -0400
Using either method, make sure you poll the time from the last domain
controller the person logged into (normally this is fairly consistent,
but it can be different); or make sure you are using Windows Server 2003
domain/forest functional level. Without Windows Server 2003
domain/forest functional level, the LastLogon (or LastLogonTimestamp
depending on the tool you are using) doesn't propagate around an Active
Directory network to all domain controllers, so you have to go to the
last domain controller logged on to.

There are several tools that can help, including:

Acctinfo.dll (download from Microsoft.com/download) (very cool AD Users
and Computers add-in to have anyway)

Sysinternals' ADExplorer
http://www.microsoft.com/technet/sysinternals/utilities/adexplorer.mspx
(go to the user's account and find the lastlogon and lastlogontimestamp
values)

NTLast by Foundstone can help,
http://www.foundstone.com/us/resources-free-tools.asp (uses Event Log
records, and all domain logons should be recorded at the domain
controller where the user logged on to)

There are many other tools that can help you extract the
lastlogontimestamp but they are escaping my brain at the moment.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger@banneretcs.com or rogrim@microsoft.com
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Ali, Saqib
Sent: Tuesday, August 28, 2007 6:56 PM
To: Mary Hendrix
Cc: security-basics@securityfocus.com
Subject: Re: Question about Active Directory and last time user has
logged on

On 8/28/07, Mary Hendrix <maryhendrix@gmail.com> wrote:
Is there a way to find out the last time a user has logged into a
domain?

If you have AD, then the following LDAP attribute holds the last logon
time:

{lastLogon}

You can extract that using a simple vbscript.

Note: The returned value will be the NT System time. To convert to
regular time use the following:
w32tm /ntte {returned int}

saqib
http://security-basics.blogspot.com/
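
The two points made in this thread, shown together as an added example (not code from either poster): converting the raw lastLogon integer the way `w32tm /ntte` does, and taking the newest value across every domain controller because lastLogon is not replicated. The DC names and values are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# FILETIME ("NT system time"): 100-nanosecond ticks since 1601-01-01 00:00 UTC.
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw):
    """Convert a lastLogon value to an aware UTC datetime, like `w32tm /ntte`.

    Returns None when the attribute is missing, 0 (never logged on at that
    DC), or too large to be a real date.
    """
    ticks = int(raw or 0)  # LDAP returns the value as a decimal string
    if ticks <= 0:
        return None
    try:
        return NT_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None


def true_last_logon(per_dc):
    """Return (dc_name, datetime) for the newest lastLogon across all DCs.

    lastLogon is not replicated, so each DC only knows about logons it
    handled itself; the real answer is the maximum over every DC.
    """
    seen = {dc: filetime_to_utc(raw) for dc, raw in per_dc.items()}
    seen = {dc: when for dc, when in seen.items() if when is not None}
    if not seen:
        return (None, None)
    dc = max(seen, key=seen.get)
    return (dc, seen[dc])


# Constructed sample: one user's lastLogon as read from three hypothetical DCs.
MIDNIGHT_2007_08_28 = 128327328000000000  # 2007-08-28 00:00:00 UTC as FILETIME
SAMPLE = {
    "DC01": str(MIDNIGHT_2007_08_28 + 9 * 3600 * 10**7),  # 09:00 UTC
    "DC02": str(MIDNIGHT_2007_08_28 + 52200 * 10**7),     # 14:30 UTC
    "DC03": "0",                                          # never seen here
}

if __name__ == "__main__":
    dc, when = true_last_logon(SAMPLE)
    print(dc, when.isoformat())
```

The replicated lastLogonTimestamp avoids the per-DC polling, but by default it is only refreshed when the stored value is roughly 9 to 14 days old, so it suits stale-account checks rather than exact logon times.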
