Incorrect LastLogonTimeStamp value for a user in Active Directory

Time: 2023-02-01 02:57:33

I'm using the LastLogonTimeStamp property of a user in Active Directory to get the last logon date and time. The value isn't consistent.

Has anyone else faced the same issue?

Can we trust the LastLogonTimeStamp?

Update: It's just one Domain Controller

6 Answers

#1


http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx

You would only use lastLogonTimeStamp if you have a lot of domain controllers and don't need the most accurate results. With a single domain controller, use the lastLogon attribute.

#2


LastLogonTimeStamp by design only gets updated when the user logs in and the current value is between 9 and 14 days old. They did this to cut down on replication traffic in AD.

This blog posting says it well:

It is important to note that the intended purpose of the lastLogontimeStamp attribute is to help identify inactive computer and user accounts. The lastLogon attribute is not designed to provide real time logon information. With default settings in place the lastLogontimeStamp will be 9-14 days behind the current date.

If you want the real last logon information for a user, you have to pull the lastLogon attribute from each domain controller in the domain and use the most recent value.

#3


Do you have a network with several DCs (domain controllers)? They might be out of sync, since the LastLogonTimeStamp will be updated on the DC that the user actually logs on to, and synchronization might take some time.

Marc

#4


If you ever plan to have more than one DC, then LastLogonTimeStamp may not be a reliable method for determining something like whether or not an account has grown "stale", since that attribute is not replicated to other DCs in many (most?) scenarios, depending on your domain functional level.

A better method for determining this is to look at "password age" (via the PasswordLastChanged attribute). For example, if someone hasn't reset their password a week or two after it has expired (or some other time span depending on your particular environment), then there is a good chance that you have an orphaned account there.

#5


You can't get a user's True LastLogon time directly from either lastlogon or lastlogontimestamp. You need to do some custom work to get the latest logon time.

By LastLogon

You need to query the lastlogon value from all the domain controllers, compare all the values, and then take the highest logon time as the True Last Logon.

By LastLogonTimeStamp

Since it is a replicable attribute, you can query it from only one DC, but it will not give an accurate result; it has a precision of around 14 days, depending on the attribute msDS-LogonTimeSyncInterval.

#6


If you want the real last logon information for a user, you have to pull the lastLogon attribute from each domain controller in the domain and use the most recent value.

Unfortunately this isn't completely accurate. I have used the lastlogon attribute and while it IS fairly close for most user accounts I've tested with this, I've come across many that return a date in 1600, and those that are close show at times that I know for certain the specified users weren't even able to login, for instance my own LastLogon showed at 7:50am when I know I signed in at 8:15am.

Many admins seem to sometimes desire to use this information to verify compliance with company policy. Unfortunately Microsoft seems to have disregarded such intentions by design for system functionality purposes.
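
The per-DC procedure described in answers #2 and #5, as an added example that is not part of the original thread: it takes the newest lastLogon across domain controllers and treats a zero or unset value as "never logged on" instead of converting it to a date in 1601. The DC names, the account name jdoe and the sample values are constructed; the live query assumes the ActiveDirectory module is installed.

```powershell
# Added example; the DC names, account name and values below are constructed.

function ConvertFrom-AdFileTime {
    # lastLogon / lastLogonTimestamp are 100-ns intervals since 1601-01-01 UTC.
    # 0 or unset means "no logon recorded on this DC"; converting it blindly gives
    # 1601-01-01 UTC (31 Dec 1600 in time zones west of UTC), so return $null.
    param($Value)
    if ($null -eq $Value -or [long]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([long]$Value)
}

function Select-TrueLastLogon {
    # $PerDc: hashtable of DC name -> raw lastLogon value read from that DC.
    param([hashtable]$PerDc)
    $best = $null
    foreach ($dc in $PerDc.Keys) {
        $when = ConvertFrom-AdFileTime $PerDc[$dc]
        if ($null -ne $when -and ($null -eq $best -or $when -gt $best.LastLogonUtc)) {
            $best = [pscustomobject]@{ DomainController = $dc; LastLogonUtc = $when }
        }
    }
    $best   # $null when no DC has recorded a logon for the account
}

function Get-PerDcLastLogon {
    # Live collection: needs the ActiveDirectory module and every DC reachable.
    # An unreachable DC makes the answer incomplete, so it is reported, not hidden.
    param([string]$SamAccountName)
    $result = @{}
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
            $result[$dc.HostName] = $u.lastLogon
        } catch {
            Write-Warning "No answer from $($dc.HostName): $($_.Exception.Message)"
        }
    }
    $result
}

# Constructed sample: dc3 never authenticated the user, so its value is 0.
$sample = @{
    'dc1.example.test' = [DateTime]::new(2023, 1, 30, 7, 50, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    'dc2.example.test' = [DateTime]::new(2023, 1, 31, 8, 15, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    'dc3.example.test' = 0
}
Select-TrueLastLogon -PerDc $sample
# Against a real domain: Select-TrueLastLogon -PerDc (Get-PerDcLastLogon 'jdoe')
```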
