Windows 2003 last login and authentication question

Lanz · 6 Dec 2006 at 15:24

On an ADS account you have a last login property, but this only shows when the user actually last logged in, using a workstation. Is there another property, maybe one that is hidden by default (that can be enabled via the schema?) that will show when the user authenticates to the domain or did any domain activity on the said account.

As right now, remote users who only use webmail/vpn etc dont have a correct last-login variable, so we have no real way of seeing if accounts really are dead and inactive.

Cheers

tonyyeb · 6 Dec 2006 at 15:30

Lastlogin is a legacy field left over from NT. I think this information that you want it only stored in the security log either on a DC or on the server in question (exchange, IIS server etc...)

If someone does know of a field then please post. Maybe have a look through this:

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=9910

Lanz · 6 Dec 2006 at 15:34

A 3rd party app/script that could sort all the users by last authentication would be ideal.

oddjob62 · 6 Dec 2006 at 16:57

Lanz said:
As right now, remote users who only use webmail/vpn etc dont have a correct last-login variable, so we have no real way of seeing if accounts really are dead and inactive.

I'm pretty sure that should still show up on the DC logs if you have the "Audit Accoung Logon Events" auditting applied

Lanz · 6 Dec 2006 at 17:22

We dont have login audit logs enabled, too much overheads.