Last logon date/time of disabled Windows & Linux accounts

For our User accounts audit, audit requested for last logon / used
date and time of disabled accounts (for both local & domain accounts).

We have mainly Windows 2008 R2 & Linux (RHEL 5.x/6.x and Suse).

Without enabling back the accounts, I can't get the last logon date/time
of disabled accounts  using Windows wmic and Linux "last" & "lastlog"
commands.

Q1:
Is there any other way to get this last logon information?

Q2:
For accounts that are used by services/apps like Oracle
& VMWare SA converter as well as Linux accounts that
we 'sudo' only, I also can't get last logon/used info?
Any way to get it?
sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:
For Windows, you can use the powershell  Get-ADuser as in the assist I provided earlier from the link below.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28468668.html

I'm not Linux based, I know as expert will respond shortly.

Regards
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
That's for AD/domain account.  What about Windows local accounts.

To the Linux experts, do reply on Linux accounts, thanks
0
Seth SimmonsSr. Systems AdministratorCommented:
why can't you use last or lastlog?
any errors?

doing sudo /usr/bin/last or sudo /usr/bin/lastlog yields what?
0
sunhuxAuthor Commented:
It just says "*** Logon information not available ***"
(even when issued using sudo or root)
0
Seth SimmonsSr. Systems AdministratorCommented:
maybe someone overwrote the file?
what you are doing is correct; message means there is nothing there in the log to show
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.