Last post Jun 16, 2008 02:27 AM by blue_thunder
Jun 12, 2008 09:03 AM
I am using C#, directoryservice to query AD. How can I get the last logon date of a user from AD? I need to disable the account if the user has not logged in for more than 90 days.
Help much appreciated!
Jun 12, 2008 12:43 PM
There are two attributes for this in Active Directory:
lastLogon refers to the last logon for the specific server you're querying. This date may be different for different servers (domain controllers), and for some it may be null/empty. This attribute is not replicated.
lastLogonTimestamp refers to the last logon for all servers. This attribute is replicated, which means that all servers have the same value. The only problem is that the default synchronization is 14 days on this attribute, which may be too long.
So... either you configure the replication interval - which is typically not recommended, because it will render a lot of traffic! Or you use the common approach to determine the *true* last logon:
Ask every DC in turn for their value on lastLogon and then pick up the max value from that. This is the safest method, I'd say.
There's even an article on CodeProject which will explain exactly how to do this, and how to interpret the lastLogon time format:
Also here's an article on Microsoft which will give you an insight to how it works:
Note: If you don't want to do this in code, there are third-party tools to do this kind of cleanup already.
dsquery, for instance, is able to do the finding for you. Also, joeware has a number of AD tools that can be useful in this scenario.
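
The per-DC approach described in the answer above, as an added example that is not part of the original posts: it asks every domain controller for lastLogon, keeps the maximum, and converts the FILETIME value to a date. It assumes a domain-joined machine and a caller allowed to read the attribute; the account name `jdoe` and the class and method names are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

static class LastLogonCheck
{
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    static string EscapeFilter(string s) =>
        s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
         .Replace(")", "\\29").Replace("\0", "\\00");

    // Returns the newest lastLogon across all DCs, or null if no DC holds a value.
    // allAnswered is false when at least one DC could not be queried.
    static DateTime? TrueLastLogon(string samAccountName, out bool allAnswered)
    {
        long newest = 0;
        allAnswered = true;
        using (Domain domain = Domain.GetCurrentDomain())
        {
            foreach (DomainController dc in domain.DomainControllers)
            {
                try
                {
                    using (var root = new DirectoryEntry("LDAP://" + dc.Name))
                    using (var searcher = new DirectorySearcher(root))
                    {
                        searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                            + EscapeFilter(samAccountName) + "))";
                        searcher.PropertiesToLoad.Add("lastLogon");
                        SearchResult hit = searcher.FindOne();
                        // lastLogon is absent or 0 on a DC the user never authenticated against.
                        if (hit != null && hit.Properties["lastLogon"].Count > 0)
                            newest = Math.Max(newest, (long)hit.Properties["lastLogon"][0]);
                    }
                }
                catch (Exception) { allAnswered = false; } // DC unreachable: the maximum is incomplete
            }
        }
        // The value is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
        return newest > 0 ? DateTime.FromFileTimeUtc(newest) : (DateTime?)null;
    }

    static void Main(string[] args)
    {
        string user = args.Length > 0 ? args[0] : "jdoe"; // placeholder account name
        DateTime? last = TrueLastLogon(user, out bool complete);
        // Only flag the account when every DC answered; a missing DC may hold a newer logon.
        bool stale = complete && last.HasValue && last.Value < DateTime.UtcNow.AddDays(-90);
        Console.WriteLine("{0}: last logon {1}, all DCs answered: {2}, disable candidate: {3}",
            user, last?.ToString("u") ?? "never", complete, stale);
    }
}
```

Accounts that have never logged on return no date and are not flagged here; they need a separate rule before being disabled.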
Jun 16, 2008 02:27 AM
It's been great help. Working now. Tks :)