  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 364

Logon information in Active Directory

Why are logon times different from DC to DC?  Isn't last login time an attribute of the user object, and thus replicated to every domain controller?
0
ojfahoum
Asked:
1 Solution
 
mikeleebrla Commented:
Do you have an authoritative time server for your domain? This will sync them all up. The article below tells you how to set it up.

http://support.microsoft.com/default.aspx?scid=216734
0
 
Debsyl99 Commented:
Hi
Actually, no it isn't, not in w2k anyway.
See attribute descriptions here:
User Security Attributes
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/security_properties.asp

Script to enumerate the most current:
Last Logon Dates
http://www.rlmueller.net/Last%20Logon.htm

Deb :))
0
 
Debsyl99 Commented:
For the sake of clarity - As in yes it IS an attribute - but NO it isn't replicated - its value is held locally on the DC....
0

 
mikeleebrla Commented:
Deb, I'll be the first person to admit when I'm wrong, but I don't think I am here. Although I think I might have left off part of the solution. My link tells him how to set up a time server. Then all of his other computers/DCs need to sync to it. They could use the command "net time /set /y" to do this. I'm not sure what your links even do, nor do I know why you say "Actually, no it isn't, not in w2k anyway." My link was straight from MS, how could it be wrong?
0
 
Debsyl99 Commented:
Hi Mike

Sorry I posted my response prior to refreshing my browser, so I didn't know you'd posted until I'd submitted.

I think we've just both interpreted the question differently -

I took the question to be referring to the last logon time user attribute showing as being different depending on which dc is being queried, often admins query these to track outdated or unused user accounts - Whilst AD is replicated, there are some attributes that aren't for some reason (MS would know) - the relevant part of my first link (which is msdn) is:

"lastLogon
Non-replicated. The lastLogon attribute specifies when the last logon occurred. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). The high part of this large integer corresponds to the dwHighDateTime member of the FILETIME structure and the low part corresponds to the dwLowDateTime member of the FILETIME structure. This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used." - <-- My second link is to a script which does just that - automatically queries dc's for the latest value.

From your posting you're referring to time differentials between the DCs that would cause time differences, and if that is the issue, then yes you're right with the correct MS article for time syncing. We've just taken two different views of the question and posted at about the same time, but we are both right I think about what we've said.

Deb :))



0
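The rule in the MSDN text quoted above (read lastLogon from every DC, treat zero as unknown, use the largest value), as an added example that is not part of the original thread or the linked script. The DC names and values are constructed, and the per-DC reads are assumed to have been collected already.

```python
from datetime import datetime, timedelta, timezone

# lastLogon counts 100-nanosecond intervals from this instant (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def join_filetime(high, low):
    """Combine dwHighDateTime / dwLowDateTime into the 64-bit lastLogon value.

    Masking to 32 bits also handles tools that return the parts as signed ints.
    """
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def filetime_to_utc(value):
    """Convert a lastLogon value to an aware datetime; 0 means 'unknown'."""
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def true_last_logon(per_dc):
    """per_dc maps DC name -> lastLogon as read from that DC.

    Returns (dc_name, datetime) for the largest known value, or (None, None)
    when no DC has recorded a logon (all values zero or missing).
    """
    known = {dc: v for dc, v in per_dc.items() if v}
    if not known:
        return None, None
    dc = max(known, key=known.get)
    return dc, filetime_to_utc(known[dc])


# Constructed sample: the same user object as seen on three hypothetical DCs.
SAMPLE = {
    "DC1": 127300000000000000,  # user authenticated here some time ago
    "DC2": 127312345678900000,  # most recent authentication happened here
    "DC3": 0,                   # this DC has never authenticated the user
}

if __name__ == "__main__":
    dc, when = true_last_logon(SAMPLE)
    print(f"latest lastLogon is on {dc}: {when}")
```

Querying only DC1 or DC3 here would make the account look older or never used, which is why a stale-account audit based on a single DC's lastLogon can flag active users.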
 
ojfahoum Author Commented:
I guess my question was a little vague.  Thank you all for your responses.  Deb actually answered my question.  The link to the MSDN stuff was exactly what I needed.  I was trying to figure out what was replicated and what was not across DCs in terms of users and logins.

Again thank you all for the responses.

0
 
Debsyl99 Commented:
Thanks ojfahoum - Glad I helped!
Mike - What you said WAS right - the question could have been taken two ways... You've aced me before now right?
w2kmcp - Don't you feel a right donkey? LOL
0
