Can Exchange pass on logon time stamp to AD?
)shArk>
Posted: Fri Dec 22, 2006 5:49 pm    Post subject: Can Exchange pass on logon time stamp to AD?

I have a number of domain users who work remotely.
We audit our AD accounts regularly and what I discovered is that a logon to Exchange (through OWA or RPC/HTTP on XP and Macs) does not pass the user's logon record to AD. Therefore their 'last logon timestamp' shows way old- to the point of showing 'never logged in' for new users.
The only time their last logon gets updated in AD is if they log on local to a domain computer.

Is there any way to have an Exchange mailbox logon event pass on to AD and update the AD timestamp?

[edit] I meant the 'lastlogon' field, not the 'lastlogontimestamp' field as I incorrectly stated above.


Last edited by )shArk> on Thu Jan 04, 2007 6:22 am; edited 1 time in total
MadCow
Posted: Fri Dec 22, 2006 9:09 pm

Does it show logon/logoff Success/Failure in the Event Viewer under Security? Also depends which DC authenticates the user.
)shArk>
Posted: Fri Dec 22, 2006 9:39 pm

All of our OWA and RPC/HTTP users log on to Exchange successfully, however if that user -only- logs on to Exchange mail from outside the local LAN or from a non-windows workstation, AD will not receive a domain last logon timestamp for that user.

In contrast, a user logging on to a domain workstation has their AD last logon timestamp updated by the logon event.

This is perplexing- Especially since the user must authenticate to AD through Exchange to be allowed in to their mailbox. Perhaps this is just a design limitation of how Exchange interacts with AD?
The downside for us is many of our remote "email only" users show as not having logged on to the domain for months! -Even though they are using their email daily.
)shArk>
Posted: Wed Dec 27, 2006 8:07 am

bump- anyone?
AdamV
Posted: Sat Dec 30, 2006 3:37 am

They are not logging on, so the logon event is not recorded

Their access rights and credentials are being checked, but that is not the same as logging on. They are not issued a ticket at all, as far as I can see.

Log on to a workstation as a local user, then connect to a shared folder. When prompted for a user/pass provide it (using a domain user account), then go and look for that logon event.

Won't the Exchange logs show anything? They will show who last accessed that email account and when, but this would include access by another user with rights.
)shArk>
Posted: Thu Jan 04, 2007 5:52 am

AdamV- I talked to the fine Exchange dev folks over at msexchangeteam.com and received this link in reply.
http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx
Pretty much explains it. Apparently this is a bit of a perplexing issue if you truly want to do accurate last-logon tracking. In a nutshell, the only replicable indicator of a user's last logon is the 'lastlogontimestamp' field. The 'lastlogon' field is only updated at the local DC which the user authenticated to, is not replicated, and is not updated by OWA / RPC logon events.
At the link above, there is a script available that will let you poll all DCs and report on the avg 'last logon' date of a user.

Further in my chats with them I also received additional interesting info:

Quote:
(Response)
- We do know that lastlogontimestamp will replicate only every 14 days
- We do know that lastlogon will not replicate, and will update only on the DC that actually processed the logon (so it can be different on all 5 DCs if you have 5 DCs)

I think that if you are after the mailbox logon/logoff stuff then you might have to look in the direction of PR_LAST_LOGON_TIME and PR_LAST_LOGOFF_TIME properties on the mailbox itself, as that should get updated when the user logs on into the mailbox.

(My Question) - can the PR_LAST_LOGON_TIME and PR_LAST_LOGOFF_TIME fields be polled via a script?

(Response)
Well, seeing that those are in the information store, you'd have to use some interface (like DAV, MAPI etc) to access this from each mailbox. There is probably a script out there that does this and I bet someone needed it before!

For Exchange 2007, we have this built in within the get-mailboxstatistics CMDlet:
http://www.microsoft.com/technet/prodtechnol/exchange/e2k7help/cec76f70-941f-4bc9-b949-35dcc7671146.mspx?mfr=true
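An added example (not from the thread and not the script at the linked Script Center page) that does what the posts above describe: ask every DC for the non-replicated lastLogon value and put it beside the replicated lastLogonTimestamp. It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 and later, so not the 2003-era servers discussed here), read access to both attributes, and takes the sAMAccountName as a parameter.

```powershell
# Added example: compare per-DC lastLogon with the replicated lastLogonTimestamp.
# Assumes the ActiveDirectory module is installed and the caller can read the attributes.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# Both attributes are 64-bit FILETIME values (100 ns ticks since 1601-01-01 UTC).
# 0 / missing means that DC has never recorded a logon for the account.
function Convert-FileTime {
    param([Int64]$Value)
    if ($Value -gt 0) { [DateTime]::FromFileTime($Value) } else { $null }
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        [PSCustomObject]@{
            DC                 = $dc.HostName
            LastLogon          = Convert-FileTime $u.lastLogon          # set only on the DC that authenticated the user
            LastLogonTimestamp = Convert-FileTime $u.lastLogonTimestamp # replicated, but only refreshed roughly every 14 days
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# The newest lastLogon across all DCs is the real last domain logon; an OWA/RPC-over-HTTP
# only user can legitimately have none here even though they read mail every day.
$latest = $results | Where-Object { $_.LastLogon } |
          Sort-Object LastLogon -Descending | Select-Object -First 1
if ($latest) {
    "Most recent lastLogon for ${SamAccountName}: $($latest.LastLogon) (from $($latest.DC))"
} else {
    "No DC holds a lastLogon for $SamAccountName; check mailbox access instead, e.g." +
    " Get-MailboxStatistics on Exchange 2007+ (LastLogonTime / LastLogoffTime)."
}
```

A user whose only activity is mailbox access will show a stale value on every DC, which is exactly the audit gap the thread is about; mailbox logon times have to come from the Exchange side.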
AdamV
Posted: Thu Jan 04, 2007 11:29 am

Thanks for the clarification, it's good when people come back with answers they find elsewhere, rather than leaving threads hanging without closure.

It seems my rather woolly reply was right, albeit not specific enough to be helpful in finding the actual exchange property to look for.
)shArk>
Posted: Thu Jan 04, 2007 6:57 pm

AdamV wrote:
Thanks for the clarification, it's good when people come back with answers they find elsewhere, rather than leaving threads hanging without closure.

It seems my rather woolly reply was right, albeit not specific enough to be helpful in finding the actual exchange property to look for.


True that- I hate leaving hanging threads and I always try to post updates and solutions as I find them- Especially on my own questions.
[rant] Forum posters should try to keep in mind that it is equally important to post a solution to your question if found. The posted help questions always bring in other readers seeking an answer, and it's kind of lame if the thread stops just short of the fix :) [/rant].
One simple posted answer can help countless others.