I've been struggling to determine the best way to get reliable "last
login" data for AD users.

In Microsoft AD there are two attributes that record a "last login" and
unfortunately neither is a simple/completely good choice.

Option 1: The attribute "lastLogin" is completely accurate, but is not
replicated between AD controllers, so the value has to be read from ALL
AD controllers and then consolidated based on most recent value. - This
would be difficult to code into IDM as it would require running a driver
at ALL AD controllers which would be impractical. - One option would be
to use some other scripting engine to gather and consolidate that value,
and then make that an input into the IDM driver.

Option 2: The other attribute "lastLoginTimestamp" is replicated around
AD, so can be read from the existing driver without significant re-work
or scripting.
The problem with this attribute is that it is very loosely synchronised
and is only fully accurate to within 14 days of the value changing -
This would be OK for identifying "never logged in" / "not logged in
recently" type logic but would not be a good trigger for more time
sensitive logic (e.g. account activation/deactivation based on

It turns out that my customer has set up a centralised Windows Event
viewer server (all the other domain controllers "send" the 4624 events
to this central server) as they are currently using that for some web
proxy / authentication solution that they are currently using.

I thought "great", that is exactly what I need. A central repository of
login events which has the ID and timestamp of each AD login, in a
"standard" format that should be "easy" to parse as input data into

Then "reality" hit.... There does not appear to be a driver for reading
Windows Event logs and it's a binary file so the normal "delimited
driver" is not an option.

Does anyone have any idea how to extract "useful" data from the Windows
Event Log system????

Is there a driver and/or a tool that can either import events directly
into IDM or can write a "readable" delimited file that the "delimited
driver" can process???

Yes I know this is probably easy for some programming GURU, sadly I'm
not... Any help appreciated.


darrenjthompson's Profile:
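One way to turn the collector's 4624 events into a delimited file with one "most recent logon" row per account, as an added example that is not part of the original post. The function names, the `ForwardedEvents` log name, the output path and the choice to skip computer accounts are assumptions, and the sample events are constructed.

```powershell
# Added example, not from the original post. Input: event XML strings as
# returned by EventLogRecord.ToXml(); output: one row per account.
function Get-LastLogonFromEventXml {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $latest = @{}
    foreach ($text in $EventXml) {
        $evt = ([xml]$text).DocumentElement
        if ($evt['System']['EventID'].InnerText -ne '4624') { continue }
        # EventData is a list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($node in $evt['EventData'].GetElementsByTagName('Data')) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        $user = $data['TargetUserName']
        # Assumption: computer accounts (trailing $) are not wanted.
        if (-not $user -or $user.EndsWith('$')) { continue }
        # XmlConvert accepts the 9-digit fractional seconds the event log emits.
        $when = [System.Xml.XmlConvert]::ToDateTime(
            $evt['System']['TimeCreated'].GetAttribute('SystemTime'),
            [System.Xml.XmlDateTimeSerializationMode]::Utc)
        $key = ('{0}\{1}' -f $data['TargetDomainName'], $user).ToLowerInvariant()
        if (-not $latest.ContainsKey($key) -or $when -gt $latest[$key].LastLogonUtc) {
            $latest[$key] = [pscustomobject]@{
                Domain = $data['TargetDomainName']; User = $user
                LogonType = $data['LogonType']; LastLogonUtc = $when
            }
        }
    }
    $latest.Values | Sort-Object Domain, User |
        Select-Object Domain, User, LogonType,
            @{ n = 'LastLogonUtc'; e = { $_.LastLogonUtc.ToString('o') } }
}

# Constructed sample events, trimmed to the fields used above.
function New-SampleEvent($user, $time, $type = '3') {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
    "<EventID>4624</EventID><TimeCreated SystemTime='$time'/></System><EventData>" +
    "<Data Name='TargetUserName'>$user</Data><Data Name='TargetDomainName'>CORP</Data>" +
    "<Data Name='LogonType'>$type</Data></EventData></Event>"
}
$sample = @(
    New-SampleEvent 'alice' '2024-05-01T08:15:30.123456700Z'
    New-SampleEvent 'alice' '2024-05-03T17:02:11.000000000Z' '10'
    New-SampleEvent 'DC01$' '2024-05-04T00:00:00.000000000Z'
    New-SampleEvent 'bob'   '2024-04-28T09:40:00.500000000Z'
)
# On the collector (assumed log name), replace $sample with live events:
# $sample = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4624 } |
#           ForEach-Object { $_.ToXml() }
Get-LastLogonFromEventXml $sample | Export-Csv .\lastlogon.csv -NoTypeInformation
```

With the constructed sample, the file holds two rows: `alice` with the later of her two logons (type 10) and `bob`; the `DC01$` computer account is dropped.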