
Can I use SCOM 2007 R2 to see Computers last logon from Active Directory? I have 4 domain controllers that need to be replicated.

I know that I can use other programs like http://www.dovestones.com/products/True_Last_Logon.asp but I would like to use SCOM if possible.

Helgi

1 Answer

There are two things that you might be looking for. To get a definitive answer for a computer account or a user account in any Active Directory you need to poll all Domain Controllers and pick the most recent value reported for LastLogon, because that is an AD attribute that is never replicated between DCs. That is what True Last Logon is doing.

For Computer accounts you can take a bit of a shortcut if absolute accuracy is not required - e.g. if you are looking to clean up old and unused computer accounts. All AD-joined computers automatically change their machine account password every 30 days (or every 7 days for Windows Vista\W2K8 or newer). This means that the PasswordLastChanged attribute will be modified for an active machine on a regular basis - this attribute is replicated to all DCs, so a single query can be used to figure it out.

For user accounts this is not true, so you have to query all DCs for LastLogon. If you have a newer AD infrastructure at Windows 2003 or Windows 2008 functional level there are some newer attributes that can provide alternatives that may be useful.

When operating in Server 2008 Functional level the following object attributes are available:

msDS-LastSuccessfulInteractiveLogonTime
msDS-LastFailedInteractiveLogonTime

This isn't actually turned on by default - to enable it you need to enable the following for a GPO that your Domain Controllers belong to.

Computer Configuration| Policies | Administrative Templates | Windows Components | Windows Logon Options | Display information about previous logons during user logon = Enabled

There is some more information in this Technet Article.

When operating in Server 2003 Functional level or newer the following object attribute is available:

LastLogonTimeStamp

Unfortunately LastLogonTimeStamp is only replicated by default on a cycle that randomly varies between 9 and 19 days (to eliminate excessive traffic in large environments) and that cannot be changed to anything faster than 1 day to the best of my knowledge.

On all other ADs the only relevant attribute is the aforementioned LastLogon. Unfortunately this is never replicated, so if you want to use it you have to poll all DCs in your domain and then pick the most recent logon time from the values returned.

Helvick
  • Thank you Helvick for a good and well explained answer. My initial goal was to find a MP in SCOM 2007 R2 that would display this information; that search is still unsuccessful. Before I saw your answer one of my coworkers told me that this solution does not exist in SCOM, and told me that the fastest way to clean up unused Computers and Users was to run a script that would query my DCs and return the newest lastlogon attribute. The script is made to check users but we made some modifications so it could check the Computers. – Helgi Sep 15 '10 at 07:18
  • We used a script by Richard L. Mueller from http://www.rlmueller.net called LastLogon.vbs. I tried your answer also and it worked, and since there is no solution for this in SCOM I think that it’s more than fair to say that your answer is correct and useful. And again, very well explained. – Helgi Sep 15 '10 at 07:18
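The poll-every-DC approach from the answer, written up as an added PowerShell example (not code from the original post or from the scripts mentioned in it). It asks each Domain Controller for the non-replicated lastLogon of every computer account, keeps the newest value per account, and reports the replicated password-change attribute (pwdLastSet in LDAP) alongside it as the cheaper cross-check; the ActiveDirectory RSAT module and the 90-day threshold are assumptions.

```powershell
# Added example: true last logon for computer accounts by polling all DCs.
# Assumes the ActiveDirectory RSAT module is installed (Get-ADDomainController, Get-ADComputer).
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [int]$InactiveDays = 90   # assumed threshold for the stale-account report
    )

    # lastLogon is never replicated, so every DC in the domain has to be asked.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # sAMAccountName -> newest lastLogon seen on any DC (FILETIME ticks)
    $newest = @{}
    foreach ($dc in $dcs) {
        Get-ADComputer -Filter * -Server $dc -Properties lastLogon, pwdLastSet |
            ForEach-Object {
                $name = $_.SamAccountName
                # 0 / $null means this DC has never authenticated the account
                $ticks = if ($_.lastLogon) { [int64]$_.lastLogon } else { 0 }
                if (-not $newest.ContainsKey($name) -or $ticks -gt $newest[$name].LastLogonTicks) {
                    $newest[$name] = [pscustomobject]@{
                        Name           = $name
                        LastLogonTicks = $ticks
                        # pwdLastSet is replicated, so any single DC's value is authoritative
                        PwdLastSet     = [DateTime]::FromFileTime([int64]$_.pwdLastSet)
                    }
                }
            }
    }

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $newest.Values | ForEach-Object {
        $lastLogon = if ($_.LastLogonTicks -gt 0) { [DateTime]::FromFileTime($_.LastLogonTicks) } else { $null }
        [pscustomobject]@{
            Name       = $_.Name
            LastLogon  = $lastLogon
            PwdLastSet = $_.PwdLastSet
            # Stale: never logged on to any DC, or newest logon older than the cutoff
            Stale      = (-not $lastLogon) -or ($lastLogon -lt $cutoff)
        }
    } | Sort-Object LastLogon
}

# Usage: list the accounts that look unused across the whole domain
Get-TrueLastLogon -InactiveDays 90 | Where-Object Stale | Format-Table -AutoSize
```

A machine whose LastLogon is old but whose PwdLastSet is recent is still active and should not be cleaned up; the two columns disagreeing is the signal to look closer rather than delete.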