Last logon date/time of disabled Windows & Linux accounts
Posted on 2014-07-22
For our User accounts audit, audit requested for last logon / used
date and time of disabled accounts (for both local & domain accounts).
We have mainly Windows 2008 R2 & Linux (RHEL 5.x/6.x and Suse).
Without enabling back the accounts, I can't get the last logon date/time
of disabled accounts using Windows wmic and Linux "last" & "lastlog"
Is there any other way to get this last logon information?
For accounts that are used by services/apps like Oracle
& VMWare SA converter as well as Linux accounts that
we 'sudo' only, I also can't get last logon/used info?
Any way to get it?