blue_thunder
Get Last Logon date from the active directory using C#
Jun 12, 2008 09:03 AM
Hi,
I am using C#, directoryservice to query AD. How can I get the last logon date of a user from AD? I need to disable the account if the user has not logged in for more than 90 days.
Help much appreciated!
Cheers..
Active Directory C#
johram
Re: Get Last Logon date from the active directory using C#
Jun 12, 2008 12:43 PM
There are two attributes for this in Active Directory:
lastLogon refers to the last logon for the specific server you're querying. This date may be different for different servers (domain controllers), and for some it may be null/empty. This attribute is not replicated.
lastLogonTimestamp refers to the last logon for all servers. This attribute is replicated, which means that all servers have the same value. Only problem is that the default synchronization is 14 days on this attribute which may be too long.
So... either you configure the replication interval - which is typically not recommended, because it will render a lot of traffic! Or you use the common approach to determine the *true* last logon:
Ask every DC in turn for its value of lastLogon and then pick the max value from those. This is the safest method, I'd say.
There's even an article on CodeProject which will explain exactly how to do this, and how to interpret the lastLogon time format:
http://www.codeproject.com/KB/security/LastLogonAcrossAllWindows.aspx
Also here's an article on Microsoft which will give you an insight to how it works: http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx
Note: If you don't want to do this in code, there are third-party tools to do this kind of cleanup already. dsquery, for instance, is able to do the finding for you. Also, joeware has a number of AD tools that can be useful in this scenario.
Good luck!
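
The approach described in the answer above (ask every DC for lastLogon, keep the maximum), as an added example that is not code from the thread or the linked articles. The names `LastLogonAudit`, `GetTrueLastLogon` and `EscapeFilter` are hypothetical; it assumes a domain-joined machine, a reference to System.DirectoryServices, and read access to every domain controller.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Runtime.InteropServices;

static class LastLogonAudit
{
    // Escape RFC 4515 special characters so the account name cannot alter the LDAP filter.
    static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Newest lastLogon across all DCs (UTC), or null if no DC has recorded a logon.
    // allDcsAnswered is false when any DC could not be queried, so the value may be too old.
    static DateTime? GetTrueLastLogon(string samAccountName, out bool allDcsAnswered)
    {
        long newest = 0;
        allDcsAnswered = true;
        string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilter(samAccountName) + "))";
        foreach (DomainController dc in Domain.GetCurrentDomain().DomainControllers)
        {
            try
            {
                using (DirectorySearcher searcher = dc.GetDirectorySearcher())
                {
                    searcher.Filter = filter;
                    searcher.PropertiesToLoad.Add("lastLogon");
                    SearchResult hit = searcher.FindOne();
                    // lastLogon is a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC);
                    // absent or 0 means this DC has never seen a logon for the account.
                    if (hit != null && hit.Properties["lastLogon"].Count > 0)
                        newest = Math.Max(newest, (long)hit.Properties["lastLogon"][0]);
                }
            }
            catch (COMException) { allDcsAnswered = false; }
            catch (ActiveDirectoryServerDownException) { allDcsAnswered = false; }
        }
        return newest > 0 ? DateTime.FromFileTimeUtc(newest) : (DateTime?)null;
    }

    static void Main(string[] args) // args[0]: sAMAccountName to check (assumed input)
    {
        bool complete;
        DateTime? last = GetTrueLastLogon(args[0], out complete);
        // Flag as stale only when every DC answered and a logon older than 90 days exists.
        bool stale = complete && last.HasValue && last.Value < DateTime.UtcNow.AddDays(-90);
        Console.WriteLine("{0}: lastLogon={1}, allDcsAnswered={2}, stale={3}", args[0], last, complete, stale);
    }
}
```

Accounts that have never logged on return null here and are not flagged; decide separately how to treat them, for example by account age.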
blue_thunder
Re: Get Last Logon date from the active directory using C#
Jun 16, 2008 02:27 AM
Hi,
It's been a great help. Working now. Thanks :)
Cheers