1. (Assuming the value of msDS-LogonTimeSyncInterval on the domain is at the default of 14 days)
2. User logs on to the domain
3. The lastLogonTimestamp attribute value of the user is retrieved
4. 14 - (a random offset of 0 to 5 days) = X
5. Current date - value of lastLogonTimestamp = Y
6. X ≤ Y - update lastLogonTimestamp
7. X > Y - do not update lastLogonTimestamp
In other words, at the default interval the stored value is only rewritten once it is somewhere between 9 and 14 days old; a logon that happens while the stored value is younger than that leaves the attribute untouched.
Why the Randomization?
This randomization is done to prevent many accounts from updating lastLogonTimestamp at the same time, which would cause a high replication load on the DCs. Remember, the purpose of the lastLogonTimestamp attribute is to locate inactive accounts, not to provide real-time logon information.
Controlling the update frequency of lastLogonTimestamp.
It is possible to change the frequency of updates to lastLogonTimestamp, or to turn it off completely if desired. If you need a different interval, adjust the value of the msDS-LogonTimeSyncInterval attribute to a value between 5 and 100,000 (the value is in days). Yes, that's right: the max value is 100,000 days, or ~280 years if you prefer, and the max was enforced in code rather than in the schema. (I guess the dev was counting on medical science to solve that pesky aging problem.)
In my experience the default settings accommodate almost everyone and there is no need to change the update interval. Most customers I have talked to start considering accounts potentially inactive at the 30-day mark of inactivity or later, which is well beyond the 9-14 day slack in the attribute.
Note: If msDS-LogonTimeSyncInterval is less than 5 days, the randomization is not put into effect.
How do I turn this thing off?
If you want to disable the lastLogonTimestamp feature, set the msDS-LogonTimeSyncInterval attribute to 0.
I personally have never spoken with anyone who really had a business need to change how often lastLogonTimestamp is updated. Once it was explained how the update process works, and it was proven that the attribute is current and replicated to all DCs, that was all that was needed. If you really think you need a more recent timestamp than 9-14 days for inactive account detection, I suggest you make small changes and monitor DC workloads. This is especially true in large environments.
=======================================
Clearing up the confusion - Verifying that lastLogonTimestamp is in sync across all DCs in the domain.
Many times customers will be concerned about what their tools are displaying to them (usually a very old date) as the lastLogonTimestamp of a user, compared to what they know to be a more accurate date. This is almost always due to the admin using a tool that queries the lastLogon attribute instead of the lastLogonTimestamp attribute. The difference matters: lastLogon is not replicated, so each DC holds only the logons it authenticated itself, whereas lastLogonTimestamp is replicated to every DC in the domain.
For example, acctinfo.dll, which is included with the Account Lockout tools (ALTools), displays the lastLogon attribute data, not the lastLogonTimestamp data. In some cases the date the tool reports may be months or years out of date, or it may display nothing at all. This is because the tool is querying the lastLogon attribute on one DC, and the user being looked up has either never been authenticated by that reference DC (in the case of a null value) or has not been authenticated by that reference DC in a very long time.
How to tell if lastLogonTimestamp is in sync
To verify that lastLogonTimestamp is being updated and replicated as expected, you can use repadmin.exe with the /showattr switch. Some examples are given below. These examples are intended to demonstrate that lastLogonTimestamp is being updated within the window of 9-14 days and replicated to all DCs in the domain. They are not an example of how to manage stale accounts.
1. Using repadmin to check the value of lastLogonTimestamp on all DCs in a domain for one user:
repadmin /showattr * (DN of the target user) /attrs:lastLogonTimestamp > lastLogonTimestamp.txt
Example:
repadmin /showattr * CN=user1,OU=accounting,DC=domain,DC=com /attrs:lastLogonTimestamp > lastLogonTimestamp.txt
2. Using repadmin to dump lastLogonTimestamp for all users in a domain, including users that have no data in the lastLogonTimestamp attribute:
repadmin /showattr * DC=domain,DC=com /subtree /filter:"(&(objectCategory=Person)(objectClass=user))" /attrs:lastLogonTimestamp > lastLogonTimestamp.txt
3. Dump lastLogonTimestamp for users, but only the ones that have the attribute populated:
repadmin /showattr * DC=domain,DC=com /subtree /filter:"(&(lastLogonTimestamp=*)(objectCategory=Person)(objectClass=user))" /attrs:lastLogonTimestamp > lastLogonTimestamp-2-22-2009.txt
The * in each command makes repadmin query every DC it can find, so one run gives you the value as each DC sees it. Because the attribute is replicated, every DC should report the same value for a given user once replication has converged; values that differ between DCs, or a value older than the sync interval for an account you know logs on regularly, point to a replication problem rather than to inactivity.
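The check above reads the raw values off each DC; the added PowerShell example below (not code from the original post) shows what to do with them. It converts the 64-bit FILETIME integers that both lastLogon and lastLogonTimestamp are stored as, reports whether every DC agrees on the value, and tests the replicated value against the sync window. The per-DC values are constructed to reproduce the confusion described in this section: lastLogon differs on every DC and is blank on one, while lastLogonTimestamp is identical everywhere. The function and variable names are my own.

```powershell
# Added example: compare lastLogon and lastLogonTimestamp as seen by several DCs.
# Both attributes are FILETIME values (100 ns ticks since 1601-01-01 UTC); 0 or absent
# means the DC has never written the attribute. All per-DC values below are constructed.

function ConvertFrom-ADFileTime {
    param([long] $Value)
    if ($Value -le 0) { return $null }               # never set on this DC
    return [DateTime]::FromFileTimeUtc($Value)
}

function Get-AttributeSpread {
    # Input: hashtable of DC name -> raw attribute value as returned by that DC.
    # Output: converted values per DC, the distinct values, and whether all DCs agree.
    param([hashtable] $PerDC)
    $converted = @{}
    foreach ($dc in $PerDC.Keys) {
        $converted[$dc] = ConvertFrom-ADFileTime -Value $PerDC[$dc]
    }
    # Compare as strings so a DC that never set the attribute counts as its own distinct value.
    $distinct = @($converted.Values |
        ForEach-Object { if ($null -eq $_) { '(never set)' } else { $_.ToString('u') } } |
        Sort-Object -Unique)
    [pscustomobject]@{
        PerDC    = $converted
        Distinct = $distinct
        InSync   = ($distinct.Count -eq 1)
    }
}

function Test-WithinSyncWindow {
    # True when the replicated value is no older than the maximum threshold the DCs use
    # (msDS-LogonTimeSyncInterval days). For an account known to log on regularly, an
    # older value means replication is broken or the tool actually read lastLogon.
    param([DateTime] $Timestamp, [DateTime] $Now, [int] $SyncIntervalDays = 14)
    return (($Now - $Timestamp).TotalDays -le $SyncIntervalDays)
}

# Constructed sample: "now" is 2009-02-22 UTC, three DCs, one user.
$now = [DateTime]::new(2009, 2, 22, 0, 0, 0, [DateTimeKind]::Utc)

# lastLogon is not replicated: each DC knows only the logons it handled itself.
$lastLogon = @{
    DC1 = ([DateTime]::new(2009, 2, 21, 8, 15, 0, [DateTimeKind]::Utc)).ToFileTimeUtc()  # logged on here yesterday
    DC2 = ([DateTime]::new(2008, 6, 3, 17, 2, 0, [DateTimeKind]::Utc)).ToFileTimeUtc()   # last used this DC months ago
    DC3 = 0                                                                              # never authenticated here
}

# lastLogonTimestamp is replicated: one value everywhere, last rewritten 11 days ago.
$eleven = ([DateTime]::new(2009, 2, 11, 8, 15, 0, [DateTimeKind]::Utc)).ToFileTimeUtc()
$lastLogonTimestamp = @{ DC1 = $eleven; DC2 = $eleven; DC3 = $eleven }

$ll  = Get-AttributeSpread -PerDC $lastLogon
$llt = Get-AttributeSpread -PerDC $lastLogonTimestamp

[pscustomobject]@{
    Attribute = 'lastLogon';          InSync = $ll.InSync;  Distinct = ($ll.Distinct -join '; ')
}
[pscustomobject]@{
    Attribute = 'lastLogonTimestamp'; InSync = $llt.InSync; Distinct = ($llt.Distinct -join '; ')
}
"lastLogonTimestamp within the 14-day window: $(Test-WithinSyncWindow -Timestamp $llt.PerDC['DC1'] -Now $now)"
```

A tool pointed at DC3 would show the user as never having logged on, and one pointed at DC2 would show June 2008, even though the user logged on yesterday; only lastLogonTimestamp gives the same answer from every DC. To feed real values into the same functions, the ActiveDirectory module can build the hashtable with `Get-ADDomainController -Filter * | ForEach-Object { (Get-ADUser user1 -Server $_.HostName -Properties lastLogon,lastLogonTimestamp) }`, keyed by `$_.HostName`; that is an assumption about your tooling, not something the post relies on. Remember that even a perfectly replicated lastLogonTimestamp can be up to 14 days behind the real last logon, so any inactivity threshold built on it needs to leave room for that window.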
- Warren ‘For Once not DFSR’ Williams