Can Exchange pass on logon time stamp to AD?

Networking/Security Forums -> Exchange 2000 // 2003 // 2007 & Active Directory

Author: )shArk>    Location: USA    Posted: Fri Dec 22, 2006 5:49 pm    Post subject: Can Exchange pass on logon time stamp to AD?
    ----
I have a number of domain users who work remotely.
We audit our AD accounts regularly and what I discovered is that a logon to Exchange (through OWA or RPC/HTTP on XP and Macs) does not pass the user's logon record to AD. Therefore their 'last logon timestamp' shows way old- to the point of showing 'never logged in' for new users.
The only time their last logon gets updated in AD is if they log on local to a domain computer.

Is there any way to have an Exchange mailbox logon event pass on to AD and update the AD timestamp?

[edit] I meant the 'lastlogon' field, not the 'lastlogontimestamp' field as I incorrectly stated above.


Last edited by )shArk> on Thu Jan 04, 2007 6:22 am; edited 1 time in total

Author: MadCow    Location: Toronto    Posted: Fri Dec 22, 2006 9:09 pm    Post subject:
    ----
Does it show logon/logoff Success/Failure in the Event Viewer under Security? Also depends which DC authenticates the user.

Author: )shArk>    Location: USA    Posted: Fri Dec 22, 2006 9:39 pm    Post subject:
    ----
All of our OWA and RPC/HTTP users log on to Exchange successfully, however if that user -only- logs on to Exchange mail from outside the local LAN or from a non-Windows workstation, AD will not receive a domain last logon timestamp for that user.

In contrast, a user logging on to a domain workstation has their AD last logon timestamp updated by the logon event.

This is perplexing- Especially since the user must authenticate to AD through Exchange to be allowed in to their mailbox. Perhaps this is just a design limitation of how Exchange interacts with AD?
The downside for us is many of our remote "email only" users show as not having logged on to the domain for months! -Even though they are using their email daily.

Author: )shArk>    Location: USA    Posted: Wed Dec 27, 2006 8:07 am    Post subject:
    ----
bump- anyone?

Author: AdamV    Location: Leeds, UK    Posted: Sat Dec 30, 2006 3:37 am    Post subject:
    ----
They are not logging on, so the logon event is not recorded

Their access rights and credentials are being checked, but that is not the same as logging on. They are not issued a ticket at all, as far as I can see.

Log on to a workstation as a local user, then connect to a shared folder. When prompted for a user/pass provide it (using a domain user account), then go and look for that logon event.

Won't the Exchange logs show anything? They will show who last accessed that email account and when, but this would include access by another user with rights.

Author: )shArk>    Location: USA    Posted: Thu Jan 04, 2007 5:52 am    Post subject:
    ----
AdamV- I talked to the fine Exchange dev folks over at msexchangeteam.com and received this link in reply.
http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx
Pretty much explains it. Apparently this is a bit of a perplexing issue if you truly want to do accurate last-logon tracking. In a nutshell, the only replicable indicator of a user's last logon is the 'lastlogontimestamp' field. The 'lastlogon' field is only updated at the local DC which the user authenticated to, is not replicated, and is not updated by OWA / RPC logon events.
At the link above, there is a script available that will let you poll all DCs and report on the avg 'last logon' date of a user.

Further in my chats with them I also received additional interesting info:

Quote:
(Response)
- We do know that lastlogontimestamp will replicate only every 14 days
- We do know that lastlogon will not replicate, and will update only on the DC that actually processed the logon (so it can be different on all 5 DCs if you have 5 DCs)

I think that if you are after the mailbox logon/logoff stuff then you might have to look in the direction of PR_LAST_LOGON_TIME and PR_LAST_LOGOFF_TIME properties on the mailbox itself, as that should get updated when the user logs on into the mailbox.

(My Question) - can the PR_LAST_LOGON_TIME and PR_LAST_LOGOFF_TIME fields be polled via a script?

(Response)
Well, seeing that those are in the information store, you'd have to use some interface (like DAV, MAPI etc) to access this from each mailbox. There is probably a script out there that does this and I bet someone needed it before!

For Exchange 2007, we have this built in within the get-mailboxstatistics CMDlet:
http://www.microsoft.com/technet/prodtechnol/exchange/e2k7help/cec76f70-941f-4bc9-b949-35dcc7671146.mspx?mfr=true
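The two points from that exchange (lastLogon lives only on the DC that processed the logon; mailbox logons are recorded in the store, not in AD) are easy to verify with a short script. The following is an added example, not the Microsoft script linked above and not anything the thread's posters wrote. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 RSAT and later, so newer than the thread) and, for the optional mailbox part, the Exchange 2007 management shell with Get-MailboxStatistics. The account name is a constructed placeholder.

```powershell
# Added example: poll every DC for the non-replicated lastLogon attribute,
# compare it with the replicated lastLogonTimestamp, and optionally show the
# mailbox-side LastLogonTime/LastLogoffTime from Get-MailboxStatistics.
# Assumes the ActiveDirectory module (RSAT) and, for -IncludeMailbox, the
# Exchange 2007 management shell. "jdoe" below is a constructed placeholder.
param(
    [string]$SamAccountName = 'jdoe',
    [switch]$IncludeMailbox
)

Import-Module ActiveDirectory -ErrorAction Stop

# lastLogon/lastLogonTimestamp are stored as Windows FILETIME values
# (100-ns ticks since 1601-01-01). A value of 0 means "never".
function ConvertFrom-FileTime([Int64]$Value) {
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTime($Value)
}

# Ask each DC individually: lastLogon is only updated on the DC that
# processed the logon and never replicates, so one query is not enough.
$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp
        [pscustomobject]@{
            DC                 = $dc.HostName
            LastLogon          = ConvertFrom-FileTime $u.lastLogon
            LastLogonTimestamp = ConvertFrom-FileTime $u.lastLogonTimestamp
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

$results | Format-Table -AutoSize

# The real "most recent DC-authenticated logon" is the newest lastLogon
# across all DCs, not the value on whichever DC you happened to bind to.
$newest = $results |
    Where-Object { $_.LastLogon } |
    Sort-Object LastLogon -Descending |
    Select-Object -First 1

if ($newest) {
    "Most recent lastLogon for {0}: {1} (recorded on {2})" -f `
        $SamAccountName, $newest.LastLogon, $newest.DC
} else {
    "No DC holds a lastLogon for $SamAccountName; only lastLogonTimestamp (replicated roughly every 14 days) is available."
}

if ($IncludeMailbox) {
    # Mailbox logons (OWA, RPC/HTTP) update the information store, not AD.
    # Exchange 2007 exposes the store values through Get-MailboxStatistics.
    $stats = Get-MailboxStatistics -Identity $SamAccountName
    "Mailbox LastLogonTime: {0}; LastLogoffTime: {1}" -f `
        $stats.LastLogonTime, $stats.LastLogoffTime
}
```

Run it against a remote "email only" user and the two columns tell the story: every DC reports an old or empty lastLogon while the mailbox statistics show activity from the same day. For auditing, the newest lastLogon across DCs is the value to use from the AD side; mailbox activity has to be taken from the store.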

Author: AdamV    Location: Leeds, UK    Posted: Thu Jan 04, 2007 11:29 am    Post subject:
    ----
Thanks for the clarification, it's good when people come back with answers they find elsewhere, rather than leaving threads hanging without closure.

It seems my rather woolly reply was right, albeit not specific enough to be helpful in finding the actual exchange property to look for.

Author: )shArk>    Location: USA    Posted: Thu Jan 04, 2007 6:57 pm    Post subject:
    ----
AdamV wrote:
Thanks for the clarification, it's good when people come back with answers they find elsewhere, rather than leaving threads hanging without closure.

It seems my rather woolly reply was right, albeit not specific enough to be helpful in finding the actual exchange property to look for.


True that- I hate leaving hanging threads and I always try to post updates and solutions as I find them- Especially on my own questions.
[rant] Forum posters should try to keep in mind that it is equally important to post a solution to your question if found. The posted help questions always bring in other readers seeking an answer, and it's kind of lame if the thread stops just short of the fix. [/rant]
One simple posted answer can help countless others.


