0 votes

We have an inactive user task which runs daily that disables accounts after 30 days of inactivity.

We had an example yesterday of a user account which had been disabled which had a last-logon-timestamp attribute value of 17/08/17. The last-logon attribute was displayed in the Adaxes console as 14/07/17.

As we believed the Adaxes inactive user task uses the last-logon-timestamp attribute to determine the period of inactivity, we cannot work out why this happened.

We have checked the replication of the last-logon-timestamp attribute across all our DCs and it is consistent.

Are you able to provide any explanation of how this could have happened?

Regards
Andy

by (40 points)
0

Hello Andy,

Could you check the value of the Last-logon-Timestamp property for the user in Adaxes? Is it also 17/08/17?
Please note that Last Logon and Last-Logon-Timestamp are absolutely different properties in AD.

0

Yes, it was. I also checked the value on all of the DCs to ensure we did not have one which was not replicating that field correctly, as I believed this was the attribute used to determine inactivity.

0

What are the other criteria that the Adaxes system uses to determine inactivity or is it simply that attribute?

0

Hello Andy,

Adaxes determines user inactivity based on the Last-Logon-Timestamp (LDAP display name lastLogonTimestamp) and Password Last Set (pwdLastSet) attributes, whichever is most recent.

Can you make sure that the user was disabled by your task? To do this, you can check the Management History of the user account. To access it, right-click the user and select All Tasks \ Management History.

For troubleshooting purposes, can you post here, or send to us at support[at]adaxes.com, a screenshot of the actions and conditions of the Scheduled Task? Also, can you do the following:

  1. Create a new Custom Command.

  2. On step 2 of the Create Custom Command Wizard, select User.

  3. On step 3, add the Run a program or PowerShell script action and paste the following script line:

     $Context.LogMessage("%adm-InactivityDuration%", "Information")
    

  4. Enter a short description and click OK.

  5. Click Next, then click Finish.

  6. Execute the Custom Command on the user in question. The number of days a user has been inactive per Adaxes calculations will be displayed in the Execution Log. How many days do you get?
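The calculation described in the reply above (the most recent of lastLogonTimestamp and pwdLastSet), as an added PowerShell example that is not part of the original thread and is not Adaxes code. The dates are constructed, reading the thread's 17/08/17 and 14/07/17 as day/month/year; the pwdLastSet value, the evaluation date and the whole-day rounding are assumptions.

```powershell
# Added example, not Adaxes code. All dates below are constructed sample values.

function ConvertFrom-AdFileTime {
    param([Int64]$Value)
    # AD stores these attributes as 100-ns intervals since 1601-01-01 UTC.
    # 0 means the attribute holds no usable date (e.g. the user never logged on).
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-InactivityDays {
    param(
        [Int64]$LastLogonTimestamp,   # lastLogonTimestamp (replicated between DCs)
        [Int64]$PwdLastSet,           # pwdLastSet
        [DateTime]$AsOf               # evaluation time, UTC
    )
    # Use whichever of the two attributes is most recent, as the reply describes.
    $dates = @($LastLogonTimestamp, $PwdLastSet |
        ForEach-Object { ConvertFrom-AdFileTime $_ } |
        Where-Object { $null -ne $_ })
    if ($dates.Count -eq 0) { return $null }   # no activity data at all
    $mostRecent = $dates | Sort-Object -Descending | Select-Object -First 1
    # Whole-day rounding is an assumption of this example.
    [int][Math]::Floor(($AsOf - $mostRecent).TotalDays)
}

$utc  = [DateTimeKind]::Utc
$asOf = [DateTime]::new(2017, 9, 5, 0, 0, 0, $utc)                      # constructed
$lastLogonTimestamp = [DateTime]::new(2017, 8, 17, 0, 0, 0, $utc).ToFileTimeUtc()
$lastLogon          = [DateTime]::new(2017, 7, 14, 0, 0, 0, $utc).ToFileTimeUtc()
$pwdLastSet         = [DateTime]::new(2017, 6, 1, 0, 0, 0, $utc).ToFileTimeUtc()

$thresholdDays = 30
# lastLogon is kept per domain controller and is not replicated, which is why
# it can show an older date than lastLogonTimestamp for the same account.
$byTimestamp = Get-InactivityDays -LastLogonTimestamp $lastLogonTimestamp `
    -PwdLastSet $pwdLastSet -AsOf $asOf
$byLastLogon = Get-InactivityDays -LastLogonTimestamp $lastLogon `
    -PwdLastSet $pwdLastSet -AsOf $asOf

"lastLogonTimestamp basis: $byTimestamp days, over threshold: $($byTimestamp -gt $thresholdDays)"
"lastLogon basis:          $byLastLogon days, over threshold: $($byLastLogon -gt $thresholdDays)"
```

Comparing the two printed lines with the value that %adm-InactivityDuration% logs for the same user shows which date the task's result is consistent with.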
