CODEWITHSUNDEEP
active-directory
Chrisla9
Chrisla9

Reputation: 41

Active Directory Service Accounts

I am currently working on a AD installation where there are about 45,000 accounts and about 60+ global catalogue servers, some accounts are active some are disabled. Some active accounts are service account which don't appear to login as the lastlogondate is several months old.

If I disable some of the service accounts which do not login the application stops working so I know the application is authenticating to AD somehow.

My question is how can I determine which account have been used to authenticate but have not actually 'logged in'? Is there an attribute I can query or can I set it somehow that AD writes to the event log?

Upvotes: 1

Views: 1561

Answers (2)

missioncritical
missioncritical

Reputation: 15

I don't know what function or technique you are using in Hyena to get the 'last logon' information, but as indicated by others, the AD attribute 'lastlogontimestamp' will get you a fairly accurate date/time (~within 10-day accuracy) of the last use of an account. This attribute can be added to any query in Hyena for all of your users. You can also export out the service information on all computers and servers, to see what accounts are being used.

If you need additional assistance, contact SystemTools Support - [email protected]

We are always ready to support our customers.

(I am with SystemTools (Hyena) support)

Upvotes: 0

baldpate
baldpate

Reputation: 1749

Simply speaking, lastLogonTimestamp is the right attribute to find inactive accounts.

See following link for descriptions on different related attributes:

http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

Just copied from above link, using PowerShell, you can get inactive users (inactive for AROUND 90 days, note lastLogonTimestamp is only an approx value) by calling: 

Search-ADAccount -AccountInactive -DateTime ((get-date).adddays(-90)) -UsersOnly

For the last logon time from Hyena, I suspect it is inaccurate.
(I never use Hyena before, so just a guess.)

From the following link:

http://www.systemtools.com/HyenaHelp/index.htm#userlogoninfo.htm

Seems by default it only get the last logon info from one DC only. If they get this info from lastLogon attribute instead of lastLogonTimestamp (very likely, otherwise the "Check All Domain Controllers" option is meaningless), it will only get the logon time on this specific DC only. So if those service account are always using DC1 in recent authentications but you connect to DC2 to get the logon time, you will only get a very old time (or none if it never use DC2 to authenticate).

Upvotes: 1

Related Questions