0 votes

Hello!

I am on version 2013.1 FYI.

When I view a specific OU and view columns such as 'Last logon' and 'last logon timestamp' the dates/times are inconsistent. What's the reason for that?

Ultimately, I wanted to compare the 'last logon' to 'whenCreated' to do a bit of a cleanup in AD.

Thanks

Melinda

by (1.7k points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello Melinda,

The thing is that there are 2 attributes in AD to identify when an account logged last time: Last Logon (LDAP name lastLogon) and Last-Logon-Timestamp (LDAP name lastLogonTimestamp). The Last Logon attribute was introduced in Windows 2000 Server, and Last-Logon-Timestamp was introduced a bit later, in Windows Server 2003. There are 2 differences between the attributes:

  1. Last Logon is not replicated, while Last-Logon-Timestamp is. This means that if you have multiple Domain Controllers (DCs) in your environment, on each DC the value of the Last Logon attribute will be different for the same account. On each DC, the value of the attribute will indicate the last time date/time when an account logged on to that particular DC.
  2. Last Logon is updated each time a user logs on, while Last-Logon-Timestamp is not. Active Directory uses a special algorithm to determine whether to update the value of the Last-Logon-Timestamp attribute or not.

For more information, have a look at the following articles on MSDN:

Also, if you want to perform some sort of cleanup in your AD, we suggest using the built-in Inactive User Deleter and Inactive Computer Deleter Scheduled Tasks. The tasks allow you to delete inactive users/computers from Active Directory on a certain periodic basis. For information on how to configure the deletion of inactive accounts, see the following tutorial: http://www.adaxes.com/tutorials_Automat ... ectory.htm.

Both the tasks use the If is inactive <period> condition. The condition allows you to check whether a user or computer account is inactive for a certain period of time.

To determine for how long an account is inactive, Adaxes compares the value of the When Created attribute to the values of the following attributes:

  • Last-Logon-Timestamp
  • Password Last Set

Also, Adaxes tries to ping the computers that appear to be inactive for a long time based on the attributes.

0

Thanks for the information and clarification. This explains why I was seeing different values every time I refreshed lol.

I will test it out and report back if I have issues, Thank you!

0

Testing is going well! Thanks again.

I'd like to have the activity history exported once the task is complete. Would you happen to have a ps script that does this?

0

Hi!

I have tested the "Inactive user deleter" scheduler and it work fine.

We have a issue, if we get the output of inactive users in email the it sends individual emails, let's say we have 100 inactive users then it will send us 100 emails to us. Is there any option to get all these users list in one email.

Thanks.
PV

0

Team,

Could you please update me on my query.

Regards,
PV

0

Hello,

The thing is that the Inactive user deleter and Inactive computer deleter Scheduled Tasks are configured to be executed for user/computer objects. This means that the tasks are run for each user/computer account separately, that's why you get a separate e-mail for each account processed by the tasks.

To workaround this issue, you can create a separate Scheduled Task that would send a common e-mail for all processed accounts when the Inactive user deleter / Inactive computer deleter task finishes its job. To create such a Scheduled Task:

  1. Create a new Scheduled Task.

  2. On step 2 of the create Scheduled Task wizard, configure the new scheduled task to run as often as the Inactive user deleter or Inactive computer deleter task runs. For example, if you want an e-mail for actions performed by the Inactive user deleter task which is run daily, you need to configure the new task to run daily as well.

    Also, since it's impossible to trigger a task run when another Scheduled Task completes, you'll need to specify an exact time when the new task will generates a report. It must run after the Inactive user deleter task completes. Thus, the time when the new task starts must be later than the time when the the Inactive user deleter task starts + some time required to process all accounts. Say, an hour after the Inactive user deleter task starts.

  3. On step 3, select Show all object types.

  4. Select the Domain-DNS object type.

  5. On step 4, add the Run a program or PowerShell script action and paste the following script in the Script field.

     $scheduledTaskName = "Inactive User Deleter" # TODO: modify me
     $numDays = 1 # set to 0 to output all records
     $to = "recipient@domain.com" # TODO: modify me
     $subject = "Accounts processed by " + $scheduledTaskName # TODO: modify me
     $reportHeader = @"
     <b>Scheduled Task activity history during $numDays days</b><br/><br/>
     <table border="1">
         <tr>
             <th>Start Time</th>
             <th>Completion Time</th>
             <th>Target Object</th>
             <th>Target Object Type</th>
             <th>Operation</th>
             <th>Execution Log</th>
         </tr>
     "@ # TODO: modify me
     $reportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me
    
     function GetExecutionLog ($logEntryCollection, $executionLog)
     {
         $executionLog += "<ul>"
         foreach ($logEntry in $logEntryCollection)
         {
             # Get the operation info
             $type = $logEntry.Type
             $message = $logEntry.Message
             $source = $logEntry.Source
    
             # Build report record
             $messageBuilder = ""
             if (-not([System.String]::IsNullOrEmpty($source)))
             {
                 # Add source to the message
                 $messageBuilder += "$source`: "
             }
             $messageBuilder += "$type - $message"
    
             # Encode all html tags
             $messageBuilder = [System.Web.HttpUtility]::HtmlEncode($messageBuilder)
    
             # Add message to the report
             $executionLog += "<li>$messageBuilder"
    
             # Add subentries, if any
             $subEntries = $logEntry.SubEntries
             if ($subEntries.Count -ne 0)
             {
                 $executionLog = GetExecutionLog $subEntries $executionLog
             }
             $executionLog += "</li>"
         }
         $executionLog += "</ul>"
         return $executionLog
     }
    
     # Bind to the directory object representing the General Log
     $path = $Context.GetWellKnownContainerPath("ServiceLog")
     $serviceLog = $Context.BindToObject($path)
    
     $generalLog = $serviceLog.GeneralLog
     if ($numDays -ne 0)
     {
        $generalLog.StartDateTime = (Get-Date).AddDays(-$numDays)
        $generalLog.EndDateTime = Get-Date
     }
    
     # Get the log records
     $log = $generalLog.Log
     $records = $log.GetPage(0)
    
     # Add log records to the report
     foreach ($record in $records)
     {
         if ($record.Initiator.Name -ine $scheduledTaskName)
         {
             continue
         }
    
         if ($record.State -eq "OPERATION_STATE_FAILED_NO_CONTINUE")
         {
             $reportRecord = "<tr bgcolor='red' valign='top'>"
         }
         elseif ($record.State -eq "OPERATION_STATE_FAILED_CAN_CONTINUE")
         {
             $reportRecord = "<tr bgcolor='yellow' valign='top'>"
         }
         else
         {
             $reportRecord = "<tr valign='top'>"
         }
         $recordStartTime = $record.StartTime 
         $recordCompletionTime = $record.CompletionTime
         $recordTargetObjectName = $record.TargetObjectName
         $recordTargetObjectType = $record.TargetObjectType
         $recordDescription = $record.Description
    
         # Get the Execution Log
         $executionLogEntries = $record.GetExecutionLog()
         if ($executionLogEntries.Count -eq 0)
         {
             $executionLog = "Execution Log is empty"
         }
         else
         {
             # Add execution log to the report
             $executionLog = GetExecutionLog $executionLogEntries ""
         }
         $reportRecord += "<td>$recordStartTime</td><td>$recordCompletionTime</td><td>$recordTargetObjectName</td><td>$recordTargetObjectType</td><td>$recordDescription</td><td>$executionLog</td>"
         $reportRecord += "</tr>"
    
         # Add record to the report
         $reportHeader += $reportRecord
     }
     $reportHeader += "</table>"
     $messageBody = $reportHeader + $reportFooter
    
     # Send report
     $Context.SendMail($to, $subject, $NULL, $messageBody)
  6. In the script, modify the following to match your requirements:

    • $scheduledTaskName - specifies the name of the Scheduled Task whose activity you want to track;
    • $numDays - specifies the number of days you want to be included in the report;
    • $to - specifies the recipient of the report;
    • $subject - specifies the subject of the e-mail message;
    • $reportHeader - specifies the report header (HTML-formatted);
    • $reportFooter - specifies the report footer (HTML-formatted).
  7. Enter a short description for the script and click OK.

  8. On the final step, include any of your AD domains in the Activity Scope of the task.

0

So we've put the inactive disabler scheduled task in place. We have it set to run weekly for accounts in a certain OU that has inactivity for 26weeks.
For the last month, this one account has been getting disabled every time the task runs. I will find out if someone re enabled, but even if they did, why would the account continue to be disabled when it hasn't been 26wks?

0

Hello Melinda,

You need to understand that the task doesn't 'reset the counter' or whatsoever of this kind. If an account meets the conditions of the Task, the Task disables the account. If someone re-enables such an account, that doesn't yet mean that the account becomes active. An account can become active only when someone logs in to your AD using the credentials of the account.

0

got it.

0

hello -

i'd like to have a report of inactive account for x amt of days.
we don't want to do anything with the accounts yet, just want to get some information.
can you provide a powershell script that will report the results from a sch task that determines the accounts inactivity for 90days?

thanks

0

Hello,

Actually, there is such a script in our SDK. Have a look at Example 4: Generating and emailing an AD report under Script Examples in the following SDK article: http://www.adaxes.com/sdk/?ServerSideSc ... ptExamples.

0

thanks. just so I'm clear, and because its for a specific OU, I would change the baseDN to include the OU that it runs against?

0

Hello,

Yes.

Related questions

0 votes
1 answer

Hi, would it be possible to achieve the following idea: Creating and updating rule based groups, based on user attributes like company? For each company value in AD, ... get all unique company values, then create a group with this company value as filter.

asked Mar 7 by wintec01 (1.5k points)
0 votes
1 answer

We are trying to extend our Adaxes management to O365 / Azure only user objects. Currently we use employee type to add traditional active directory accounts to business units and ... so, can this be used to create dynamic mail enabled security groups in O365?

asked May 3, 2022 by adaxes_user2 (40 points)
0 votes
1 answer

Are there any plans to add the ability to select columns to sort results? i.e. when I look in my "Users" OU it would be really handy to be able to sort by job title or department or any other AD attribute. Running 2013.2.

asked Jan 30, 2014 by hutchingsp (240 points)
0 votes
1 answer

I have a Cloud managed domain configured in adaxes. I want to give access on the helpdesk portal to a user from this cloud domain, as I usually do with a AD user. Is it possible ... try to do it, I get a "username and password doesn't match" on the login page.

asked Jun 26 by ndegrauw (50 points)
0 votes
1 answer

Hello, When a user account is created, we would like for that user to be added to a group whose name is based on a certain naming convention. If the group doesn't yet exist ... If that group doesn't exist, it will first create the group and then add the user.

asked Mar 11 by sjjb2024 (60 points)
3,549 questions
3,240 answers
8,232 comments
547,822 users