0 votes

Hi Forum,

i have a question about the Scheduled Task "Inactive User Deaktivator". We've set up this task to disable Users inactive for more than 4 Weeks. This task runs once a Week. Sometimes it happens that users are deaktivated before that 4 Weeks (e.g. User was on vaction from July 30th - August 23th and was deaktivated). Can you tell me why this happen?

Thanks a lot.

by (650 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

To determine for how long a user account has been inactive, Adaxes uses the following attributes:

  • Last-Logon-Timestamp
  • Password Last Set

The issue can be caused by the fact that the Last-Logon-Timestamp attribute is not updated each time a user logs in to your AD domain. As stated by Microsoft in this article:

Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus random percentage of 5 days.

Thus, for example, if the Last-Logon-Timestamp attribute was last updated, say, 2 weeks before a user went on a vacation, then the account was inactive during the time of the vacation, this already makes more than 4 weeks of inactivity.

To avoid such situations, you can, for example, extend the period in the Scheduled Task to something more than 4 weeks or modify the msDS-LogonTimeSyncInterval attribute of your AD domain in order for the Last-Logon-Timestamp attribute to be updated more often.

0

Hi Adaxes Support,

Thanks for your answer. But for me this is still not clear. I've also read this information about the LastLogonTimestamp attribute. For me this means, that this attribute is updated between 9 - 19 Days (14 +/- 5 Days). The user was away for 25 Days so the Last-Logon-Timestamp must be updated within this period (from the DC) - hopefully you understand what i mean. If i select 4 Weeks in the inactive Period - are this 28 to 31 Days?

Maybe it has something to do with the password? The Userpassword expired while he was out of the office (90 Days).

Thanks for your help.

0

Hello again,

4 weeks means 28 days. The password expiration has nothing to do with this. In order to determine account inactivity period, Adaxes checks only the date when a user's password was changed last time.

As for the Last-Logon-Timestamp attribute, in our mind, the situation was something like as follows. Proceeding from your example, the last time when a user logged in was July 29th. At that time, the value of the Last-Logon-Timestamp attribute was something like July 21st, for example. Since the attribute is updated each 9-14 days, on July 29th it wasn't updated, since only 8 days had passed since the previous update. Then, the user didn't log in between July 30th to August 23rd, and the attribute wasn't updated either.

Thus, in the above example, the attribute wasn't updated from July 22nd to August 23rd, which is over a month, though the user was actually absent only from July 30th to August 23rd. Does the picture get clearer now? :)

0

Hi Support,

thanks a lot for this answer. I thought, that the DC will update the Last-Logon-Timestamp itself after that period of time (not triggered to a User logon/logoff). So this means that the Last-Logon-Timestamp Attribute is updated every 9-14 Days only if there's a User Logon/Logoff.

This makes it clear now.

Thanks a lot for your help.

Related questions

0 votes
1 answer

I want to create a scheduled task to disable a user if he is inactive for 30days, the task must check inacivity o AD and Azure.

asked May 16 by johanpr (120 points)
0 votes
1 answer

I know it is based on an attribute held in adaxes. What info does adaxes look at to determine the date? Just want to understand how the cake is baked.

asked Dec 26, 2022 by mightycabal (1.0k points)
0 votes
1 answer

Hello, The report named Inactive users allowed to log in shows the Active Directory sign-in (Last-Logon-Timestamp) and Azure AD sign-in (Last Logon) but only for Active Directory ... updated by an Azure logic App. But we'd love to have this natively in Adaxes.

asked Dec 13, 2022 by Gavin.Raymen (40 points)
0 votes
1 answer

Tried using the following script below found in another thread here but get an error message from Adaxes saying that the cmdlet is not valid -- Import-Module Adaxes $email = " ... or if a path was included, verify that the path is correct and try again.

asked Nov 27, 2017 by adriank (100 points)
0 votes
0 answers

We have an inactive user task which runs daily that disables accounts after 30 days of inactivity. We had an example yesterday of a user account which had been disabled ... Are you able to provide any explanation of how this could have happened? Regards Andy

asked Sep 12, 2017 by Andy_W (40 points)
3,589 questions
3,278 answers
8,303 comments
548,130 users