Closed rcraig12 closed 2 years ago
[2022-09-29 16:19:25] local.INFO: LDAP (ldap://az-uks-dc02.litana.antonine.local:389) - Operation: Binding - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:25] local.INFO: LDAP (ldap://az-uks-dc02.litana.antonine.local:389) - Operation: Bound - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:25] local.INFO: LDAP (ldap://az-uks-dc02.litana.antonine.local:389) - Operation: Search - Base DN: dc=litana,dc=antonine,dc=local - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(objectguid=\bb\fd\e1\42\40\c5\cb\44\9e\e2\db\16\98\be\c9\59)(!(objectclass=\63\6f\6d\70\75\74\65\72))) - Selected: (objectguid,*) - Time Elapsed: 76.78
[2022-09-29 16:19:25] local.INFO: LDAP (ldap://az-uks-dc01.antonine.local:389) - Operation: Binding - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:26] local.INFO: LDAP (ldap://az-uks-dc01.antonine.local:389) - Operation: Bound - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:26] local.INFO: LDAP (ldap://az-uks-dc01.antonine.local:389) - Operation: Paginate - Base DN: dc=antonine,dc=local - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(!(objectclass=\63\6f\6d\70\75\74\65\72))) - Selected: (objectguid,userPrincipalName,Mail,Description,distinguishedName,whenCreated,lastLogon,objectclass) - Time Elapsed: 49.94
[2022-09-29 16:19:27] local.INFO: LDAP (ldap://az-uks-dc02.litana.antonine.local:389) - Operation: Paginate - Base DN: dc=litana,dc=antonine,dc=local - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(!(objectclass=\63\6f\6d\70\75\74\65\72))) - Selected: (objectguid,userPrincipalName,Mail,Description,distinguishedName,whenCreated,lastLogon,objectclass) - Time Elapsed: 1404.19
[2022-09-29 16:19:27] local.INFO: LDAP (ldap://az-uks-dc03.colanica.antonine.local:389) - Operation: Binding - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:27] local.INFO: LDAP (ldap://az-uks-dc03.colanica.antonine.local:389) - Operation: Bound - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:28] local.INFO: LDAP (ldap://az-uks-dc03.colanica.antonine.local:389) - Operation: Paginate - Base DN: dc=colanica,dc=antonine,dc=local - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(!(objectclass=\63\6f\6d\70\75\74\65\72))) - Selected: (objectguid,userPrincipalName,Mail,Description,distinguishedName,whenCreated,lastLogon,objectclass) - Time Elapsed: 755.7
[2022-09-29 16:19:28] local.INFO: LDAP (ldap://az-uks-dc04.cibra.antonine.local:389) - Operation: Binding - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:28] local.INFO: LDAP (ldap://az-uks-dc04.cibra.antonine.local:389) - Operation: Bound - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:28] local.INFO: LDAP (ldap://az-uks-dc04.cibra.antonine.local:389) - Operation: Paginate - Base DN: DC=cibra,DC=antonine,DC=local - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(!(objectclass=\63\6f\6d\70\75\74\65\72))) - Selected: (objectguid,userPrincipalName,Mail,Description,distinguishedName,whenCreated,lastLogon,objectclass) - Time Elapsed: 355.34
[2022-09-29 16:19:28] local.INFO: LDAP (ldap://az-uks-dc05.pexa.antonine.local:389) - Operation: Binding - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:28] local.INFO: LDAP (ldap://az-uks-dc05.pexa.antonine.local:389) - Operation: Bound - Username: CN=Azure Monitor,CN=Managed Service Accounts,DC=antonine,DC=local
[2022-09-29 16:19:29] local.INFO: LDAP (ldap://az-uks-dc05.pexa.antonine.local:389) - Operation: Paginate - Base DN: DC=pexa,DC=antonine,dc=local - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(!(objectclass=\63\6f\6d\70\75\74\65\72))) - Selected: (objectguid,userPrincipalName,Mail,Description,distinguishedName,whenCreated,lastLogon,objectclass) - Time Elapsed: 147.65
in case this helps any....
Hi there @rcraig12,
6000 users almost half fail on the attribute.
Can you explain "fail"? Do you receive an exception? Or is the attribute simply not included in results of the query?
Hi @stevebauman ,
When I say fail I am asserting that the value returned is 0 (zero) instead of a timestamp. So the attribute is returned in the query just no value associated with it when I review the associative array. Manually checking the directory object attributes there is definitely a proper value there. Very puzzling.
Thanks for clarifying that @rcraig12.
I believe this is a replication issue, as I see you have multiple domain controllers in your logs.
To my knowledge, lastLogon
is only updated on the domain controller to where the login request actually was sent to. I.e: If I login via DC1, lastLogon
would be 0
on DC2:
https://serverfault.com/questions/734615/lastlogon-vs-lastlogontimestamp-in-active-directory
However, I believe lastLogonTimestamp
is replicated between domain controllers.
Can you try selecting that inside of your query?
Thanks @stevebauman !
That makes sense and a doh moment all at the same time lol.
Now I have to refactor this code to query all DC's in the domain for that attribute which will be onerous :( That is to say in this instance i need to have the accurate last logon time so as to make sure the account has been accessed in the last 6 months. So decisions can be made on pruning M365 license use . Hope that makes sense.
Thanks for taking the time to look at this.
Happy to help @rcraig12 🙏
i need to have the accurate last logon time so as to make sure the account has been accessed in the last 6 months.
Are you able to use the lastLogonTimestamp
attribute instead?
How it worked in Windows 2000
Prior to Windows Server 2003 administrators had to query the lastLogon attribute to determine the most recent logon of user or computer account. This process was time consuming as the lastLogon attribute is updated only on the DC that validates the logon request. The lastLogon attribute is not replicated. So in the past to determine the most recent logon of a user or computer account the lastLogon attribute had to be queried on all domain controllers (at least in concept) and then the most recent date for lastLogon had to be determined from all the results returned. In Windows 2003 and higher lastLogon is still has the same behavior. It is updated only on the validating DC and is not replicated.
How it works in Windows Server 2003 and later
In contrast the lastLogontimeStamp attribute is replicated so all DC's have the same value for the attribute (after replication convergence). Therefore you can query a single DC to find all the users or all the computers that have not logged in within a certain time.
yup so i am dumping both attributes and so there can be at least a timestamp in one of the two attributes. if both are blank that too tells a story so all good now. Once again thanks for spending the time :)
Ok sounds good! And no problem, happy to help 😄
Environment:
Describe the bug:
I have multi domain and for the most part the fields appear to be resolving the data from active directory correctly. However for some reason the lastlogon field is not consistant and across 6000 users almost half fail on the attribute. I thought that it could have been connection specific or indeed OU specific but the error appears across users in the same domain and within the same OU.
Any ideas?