How To: Check if workstations are still active

There are a number of different ways to check if an AD domain-joined workstation is still being used or active in the environment. This article provides a couple of different approaches depending on the number of workstations or type of information required. All approaches are based on the standard assumption that an active workstation will update the pwdlastset, lastlogon and lastlogontimestamp attributes while connected to the domain\network.

Which attribute you use to validate if the workstation is still active will depend on the configuration of the AD:

PwdLastSet – this will change each time the workstation changes its password, and this change is replicated to all domain controllers, so the time reported by one domain controller will be the same on all. The frequency at which the password is changed is controlled by the Domain Member: Maximum machine account password age and Domain Member: Disable machine account password changes GPO settings. The default maximum password age is 30 days, however, if the password update is disabled, then the PwdLastSet attribute will not change. Also, in some scenarios, if the workstation is used remotely and not connected to the network for long periods of time, then the pwdlastset will not be updated.

LastLogon – this is the last time that the workstation logged on, however, this attribute is not replicated between domain controllers and you have to retrieve the attribute from all the domain controllers to get the last logon time.  As with the PwdLastSet attribute, if the workstation is used remotely for long periods of time, this attribute may not be updated.

LastLogonTimeStamp – this attribute is also replicated between domain controllers, however, the replication of this attribute doesn’t happen every time the workstation logs on; by default it will be updated every 14 days (details here), so if 14 days is close enough then this is the best attribute to use.
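The following is an added example, not part of NetTools or the original article. It shows how the three attributes combine outside the GUI: the raw 64-bit values are converted to dates, lastLogon is taken as the newest value across all domain controllers, and the most recent of the three decides whether the workstation is active. The host names, DC names, dates and the 90-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# AD stores these attributes as 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert a raw 64-bit time value to UTC; 0 or missing means never set."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def to_filetime(when):
    """Inverse conversion, used here only to build the constructed samples."""
    return int((when - EPOCH_1601).total_seconds()) * 10_000_000


def last_activity(per_dc_last_logon, last_logon_timestamp, pwd_last_set):
    """Return (source, datetime) for the newest evidence of activity.

    per_dc_last_logon maps DC name -> raw lastLogon: the attribute is not
    replicated, so every DC has to be asked and the newest value wins.
    """
    seen = [(filetime_to_datetime(raw), "lastLogon@" + dc)
            for dc, raw in per_dc_last_logon.items()]
    seen.append((filetime_to_datetime(last_logon_timestamp), "lastLogonTimestamp"))
    seen.append((filetime_to_datetime(pwd_last_set), "pwdLastSet"))
    seen = [(when, src) for when, src in seen if when is not None]
    if not seen:
        return None, None
    when, src = max(seen)
    return src, when


def classify(record, now, stale_days=90):
    """stale_days is an assumed policy value, kept well above the 14-day
    lastLogonTimestamp interval and the 30-day machine password age."""
    src, when = last_activity(record["lastLogon"], record["lastLogonTimestamp"],
                              record["pwdLastSet"])
    if when is None:
        return "never-seen", None
    return ("active" if now - when <= timedelta(days=stale_days) else "stale"), src


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data (not real hosts or domain controllers).
NOW = utc(2024, 6, 1)
SAMPLES = {
    "PC01$": {"lastLogon": {"DC1": 0, "DC2": to_filetime(utc(2024, 5, 20))},
              "lastLogonTimestamp": to_filetime(utc(2024, 5, 10)),
              "pwdLastSet": to_filetime(utc(2024, 4, 25))},
    "PC02$": {"lastLogon": {"DC1": to_filetime(utc(2023, 10, 1)), "DC2": 0},
              "lastLogonTimestamp": to_filetime(utc(2023, 9, 25)),
              "pwdLastSet": to_filetime(utc(2023, 9, 10))},
    "PC03$": {"lastLogon": {"DC1": 0, "DC2": 0},
              "lastLogonTimestamp": None, "pwdLastSet": 0},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, *classify(rec, NOW))
```
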

Single Workstation:

The quickest method is to search for the workstation using the Search option under Users to find the workstation’s object in AD; from there, right click on the required workstation and from the context menu select Use With -> Last Logon. All three attributes are displayed in the one view. The Last Logon column displays the lastlogon attribute from each of the domain controllers in the domain; sort this column to display the last logon time. The lastlogontimestamp and pwdlastset will be the same across all servers.

Another method to check for activity, not specifically based on the lastlogon attribute, is to use the object Meta Data to get the list of attributes that have been changed, and then compare the time the changes were made to confirm if the workstation is still active. To display the Meta Data for an object, complete the search as described above, select Meta Data from the context menu, and then sort the form based on the time column. The attributes that are relevant are dBCsPwd, lmPwdHistory, ntPwdHistory, pwdLastSet, supplementalCredentials and unicodePwd, which are updated when a password is updated.

Multiple Workstations:

If you want to check the details of a number of workstations, the Last Logon Time option is the easiest option to use. This option requires a list of the samaccountnames of the workstations; for workstations the samaccountname must include the trailing $ character. Once the list is pasted into the right hand pane and Go is pressed, it will check each entry against all the domain controllers in the domain and display the latest time recorded against all the domain controllers.

If you require additional information about the workstations other than the lastlogon details, then the LDAP Search is the best option. The saved query below uses Input Mode to return the details: you paste a list of workstations into the Input pane and return any information you require about the workstations, including Operating System, Version, etc.

[Active Workstations]
Options=879892770722397
Server=
BaseDN=##default
Filter=(&(objectclass=computer)(samaccountname=##input))
Attributes=lastLogon,lastLogonTimestamp,operatingSystem,operatingSystemVersion
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

This example assumes that the workstation SamAccountNames will have the trailing $, however, if the filter is changed to the following, the trailing $ is not required:

Filter=(&(objectclass=computer)(samaccountname=##input$))

Related Items

Troubleshooting Account Lockouts
User Search
LDAP Search
Input Mode
Favorites

LDAP Search – Base DN Formats

Active Directory supports a number of different formats for the Base DN field, these are Distinguished Name, GUID and SID.

Distinguished Name is based on RFC 4514 e.g. CN=user1,CN=users,DC=domain,DC=com

GUID provides the GUID of an object which will be used as the base for searches, i.e. <GUID=01f04883-d68e-4367-8ad1-a2faa79a2e5a>

SID format is the same as GUID but the entry is based on a SID i.e. <SID=S-1-5-21-2816452191-2840564649-4223122534-1000>

The SID and GUID options, with the Search Scope set to Base Level, can be used as a quick search for users or other objects in the AD based on the GUID or SID. The SIDs and GUIDs are entered in standard readable format.

How To: Search for multiple users based on email address

This article shows how to create an LDAP query that can be used to search for users based on an email or UPN. The query uses Input Mode to allow a list of email\UPN to be searched at one time. It will search for the user's email address in the mail, UPN and proxyaddresses attributes.

You will notice that the proxyaddresses section of the filter includes SMTP:, this is to ensure that only smtp entries are returned, but also to improve the performance of the search, rather than using wildcards.

Here is the Favorite, see Favorites for details on how to import this query into NetTools.

[User Mail Search]
Options=879892770722397
Server=
BaseDN=##default
Filter=(&(objectclass=user)(|(userPrincipalName=##input)(mail=##input)(proxyaddresses=smtp:##input)))
Attributes=displayname, userAccountControl,accountExpires, lastlogontimestamp
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Once the query has been imported and selected, paste a list of email addresses into the table view and click Go.
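The following is an added example, not NetTools code. It reproduces the ##input substitution used by the workstation favorite (##input$ form) and the mail favorite above in a script, producing one filter per pasted line. The RFC 4515 escaping and the handling of a trailing $ are assumptions about what a script should do with pasted input, not a description of how NetTools processes it; the sample inputs are constructed.

```python
# RFC 4515: these characters must be written as \XX inside an assertion value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Filter templates from the two favorites, with the prefix written as smtp:.
WORKSTATION = "(&(objectclass=computer)(samaccountname=##input$))"
MAIL = ("(&(objectclass=user)(|(userPrincipalName=##input)(mail=##input)"
        "(proxyaddresses=smtp:##input)))")


def escape_value(value):
    """Escape one pasted value so it cannot change the filter structure."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def expand(template, pasted):
    """Return one filter per non-empty pasted line, in order, without repeats."""
    append_dollar = "##input$" in template
    filters, seen = [], set()
    for line in pasted.splitlines():
        value = line.strip()
        if append_dollar:
            # The template adds the $, so drop one pasted with the name
            # to avoid searching for PC02$$.
            value = value.rstrip("$")
        if not value or value.lower() in seen:
            continue
        seen.add(value.lower())
        filters.append(template.replace("##input", escape_value(value)))
    return filters


if __name__ == "__main__":
    # Constructed input: mixed case, a repeated name, a blank line, one name
    # already carrying the trailing $, and a value with filter metacharacters.
    for f in expand(WORKSTATION, "PC01\nPC02$\n\npc01\nlab(3)*\n"):
        print(f)
    for f in expand(MAIL, "a.user@example.com\n"):
        print(f)
```
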

Related Items:

LDAP Search Options
Input Mode
Favorites
Saved Favorites

 

How To: Display the properties of the members of a group

This article explains how to use the ASQ server side control to return the display name and email address of all the members of a specific group.

First go to the Search option under Users in the left hand pane, deselect the Return Users Only option, and then enter the name of the group in the username field, click Go.

Select the required group from the list of returned results and then right click on the item, from the context menu, select Use With -> LDAP Search.  This will populate the LDAP Search option with the details of the group.

Click on the More button. In the Server Side controls section, select the Attribute Scope Query option, and set the Search Scope to Base Level.

In the Attributes field enter, ‘Member, displayname, mail’ and click Go.

In this example we are only returning the display name and email address for the members, however, you can specify any of the user’s attributes you want to display, they just need to be added to the Attributes list.

In this example we don’t specify which objects to return. We can restrict the results to only user accounts by changing the filter to (objectclass=user), or use (objectclass=group) to only return the groups that are members.

[Search]
Options=879892770981453
Server=NULL
BaseDN=
Filter=(objectclass=*)
Attributes=Member, displayname, mail
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Related items:

ASQ details
User Search
LDAP Search - Options
LDAP Favorites

LDAP Search – Enums

NetTools includes over 50 predefined enumerations to decode the values assigned to specific attributes; these include the definitions of associated values assigned to the attributes. An example would be the UserAccountControl attribute, which is shown below. To display the Enums dialog, click on the button at the end of the filter field.

The dialog can be used to browse the predefined entries and from the context menus, the values can then be used in filters.

There are two types of Enums defined in NetTools, Bit and Value. The Bit enums are used for attributes that use a bit mask to define the function of the attribute, and a single bit in the value is used to represent an enabled or disabled state of an option. The Value type is used for attributes that have a single value to represent the function.

The Enums are used by attributes that have the ATTRIBENUM or ATTRIBENUM_NONUM decode type assigned; the attribute name is then used to look up the corresponding enums assigned to that attribute. Currently there is no method for a user to add additional Enums to NetTools, they are statically defined in the program.
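The following is an added example, not NetTools code or its enum tables. It shows the difference between decoding a Bit enum (userAccountControl) and a Value enum (sAMAccountType), and how a decoded bit can be used in a filter through Active Directory's bitwise AND matching rule. The flag names and values follow Microsoft's documentation for these attributes and only a subset is listed; the labels NetTools displays may differ.

```python
# Bit enum: each bit of userAccountControl is an independent on/off option.
UAC_BITS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

# Value enum: the whole number stored in sAMAccountType selects one meaning.
SAM_ACCOUNT_TYPE = {
    0x10000000: "SAM_GROUP_OBJECT",
    0x30000000: "SAM_USER_OBJECT",
    0x30000001: "SAM_MACHINE_ACCOUNT",
}

# Active Directory matching rule: true when every bit of the mask is set.
BIT_AND = "1.2.840.113556.1.4.803"


def decode_bits(value, table):
    """List the name of every set bit; bits missing from the table are reported."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)  # keys are distinct bits, so sum equals OR
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def decode_value(value, table):
    """A Value enum is a plain lookup; a partial bit match means nothing."""
    return table.get(value, "UNKNOWN(%d)" % value)


def bit_filter(attribute, *flags, table=UAC_BITS):
    """Build a filter clause matching objects that have all named bits set."""
    by_name = {name: bit for bit, name in table.items()}
    mask = 0
    for flag in flags:
        mask |= by_name[flag]
    return "(%s:%s:=%d)" % (attribute, BIT_AND, mask)


if __name__ == "__main__":
    # 4098 is a constructed sample value: a disabled workstation account.
    print(decode_bits(4098, UAC_BITS))
    print(decode_value(805306369, SAM_ACCOUNT_TYPE))
    print(bit_filter("userAccountControl", "ACCOUNTDISABLE"))
```
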

How To: Display deleted objects

By default, objects deleted in Active Directory are not visible. NetTools provides the ability to quickly and easily display deleted and recycled objects. From the LDAP Search, click on the More button to display the Advanced options, then select the Deleted and Recycled objects options.


With these options selected, queries will include the Deleted Objects container in searches. Also, with these options selected, the LDAP Browser and OU Selector will display the Deleted Objects container.

To use these server side controls, the user context that runs the query or browses the directory must have administrator rights. You can use the Credentials option to specify a user context that has rights.

Related Items:

LDAP Search - Options
LDAP Search
LDAP Browser

LDAP Search – Credentials

Note: The Credentials option was deprecated in version 1.28.0 and replaced with Connection Profiles

LDAP Search provides the ability to specify the credentials under which a query will be executed; it also provides the ability to select the authentication method that will be used to pass the credentials to the server.

The Credentials dialog is found when the More button is pressed.


There are nine different authentication methods available:

LDAP_AUTH_SIMPLE, this method requires the DN of the account and password, domain is not required
LDAP_AUTH_DIGEST, Digest authentication package
LDAP_AUTH_DPA, Distributed password authentication. Used by Microsoft Membership System
LDAP_AUTH_MSN, Microsoft Network Authentication Service
LDAP_AUTH_NTLM, this method uses NTLM to authenticate against the directory
LDAP_AUTH_SICILY, covers package negotiation to MSN servers
LDAP_AUTH_DIGEST, this method requires the samaccountname and password
LDAP_AUTH_NEGOTIATE, this method requires either, samaccountname or UPN and password, the domain is optional
ANONYMOUS, the username and password are not required.

See the following MS Article for more details ldap_bind_s

Warning: With the simple bind method the password is sent in clear text to the server, you should use this method in association with an SSL based connection to protect the password.

The default behavior of NetTools is to use the negotiate method. When connecting to an Active Directory, you don't need to provide any credentials; the current user's context will be used based on Kerberos authentication.

A number of other options in NetTools use the credentials provided in this dialog to run the option under a different or elevated set of credentials, this is shown as Use the LDAP Search Credentials.

Copy to new Window

The Copy to new Window context menu provides the ability to copy the results from the current output pane in NetTools to a new separate detached window. The new window provides the ability to sort and filter the view based on a number of selection criteria.

By right clicking on the column headers, the filter dialog box will be displayed.  This allows the entries in the column to be filtered based on a text filter or a contents selection.  You can select a text or context filter, or both.


The Text Filter provides the following filter options:

      • Equals
      • Does not Equal
      • Begins With
      • Does not begin with
      • Ends with
      • Does not end with
      • Contains
      • Does not contain

The Column Filter section displays all the unique items in the column, using the check boxes you can select which items will be displayed. 

When a column filter is applied, the heading of the column is appended with the text '- (filtered)'. The Clear All button will remove all the filters that have been applied.

The filter function supports up to a maximum of 200 columns; if the output field contains more than 200 columns, a warning message is displayed and the filtering option is disabled.

LDAP Search – LDAP Filter Wizard

The LDAP Filter Wizard provides the ability to display and edit LDAP filters in a hierarchical view. 

The LDAP Filter Wizard provides the following features:

      • Drag and drop to move items around
      • Insert new operators and conditions
      • Change existing operators and conditions
      • Selection of classes and Attributes from dropdown list

The Operators, AND, OR, NOT, and Filter, have a dual function: one to show the operation of the currently selected item, and two to select the operation for the New and Change operations. When the New Parent or New Child buttons are pressed, the new item will be added based on the selected Operator. When the Change button is pressed, the selected item will change to the selected Operator. With the Filter Operator you can select the required attribute or class from the dropdown list; additional text can be added to complete the condition before the item is added.

The Delete Button will delete all items under the selected item.  If you wish to preserve any of the items under the selected items, they must be moved to another point in the filter before the item is deleted.

If you click twice on an item in the hierarchical view, it will allow you to edit the details of the item.

The MS LDAP API and NetTools will accept fully compliant RFC4515 Not statements or the abbreviated alternative.  With RFC4515 the Not statement must be constructed as such (!(condition)) i.e. (!(objectclass=user)), while the MS LDAP API will accept the abbreviated form of (!condition) i.e. (!objectclass=user).  When the RFC4515 option is selected the wizard will return compliant Not statements.  The LDAP Filter Wizard is able to read both formats.
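The following is an added example, not the wizard's own code. It is a small recursive parser that reads a filter in either form and returns it with every Not statement written in the RFC4515 form, which is the conversion described above. It assumes values follow RFC4515, so a literal parenthesis inside a value is written as \28 or \29; the sample filters are constructed.

```python
def normalize_not(filter_text):
    """Rewrite abbreviated (!cond) as (!(cond)); everything else is unchanged."""
    text = filter_text.strip()
    out, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter at offset %d" % pos)
    return out


def _parse(text, pos):
    """Parse one parenthesised filter at pos; return (rewritten, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|":
        # AND / OR: the operator followed by zero or more nested filters.
        body = text[pos]
        pos += 1
        while pos < len(text) and text[pos] == "(":
            part, pos = _parse(text, pos)
            body += part
    elif pos < len(text) and text[pos] == "!":
        pos += 1
        if pos < len(text) and text[pos] == "(":
            inner, pos = _parse(text, pos)      # already the RFC4515 form
        else:
            item, pos = _item(text, pos)        # abbreviated form: add parens
            inner = "(" + item + ")"
        body = "!" + inner
    else:
        body, pos = _item(text, pos)
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return "(" + body + ")", pos + 1


def _item(text, pos):
    """Read a simple condition such as objectclass=user up to its ')'."""
    end = text.find(")", pos)
    if end == -1:
        raise ValueError("unterminated condition at offset %d" % pos)
    item = text[pos:end]
    if "=" not in item or "(" in item:
        raise ValueError("malformed condition %r" % item)
    return item, end


if __name__ == "__main__":
    # Constructed sample filters mixing both Not forms.
    for sample in ("(!objectclass=user)",
                   "(&(objectclass=computer)(!cn=lab*)(|(cn=a*)(!(cn=b))))"):
        print(sample, "->", normalize_not(sample))
```
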

The example shown is using a number of the substitution options, see LDAP Search Substitution

LDAP Search – Static DecodeTypes

NetTools defines a number of attributes with static DecodeTypes; this is the list of attributes that have been defined. The internal constant is used in the list, for example DYN_DECODE_GUID maps to GUID in the attribute Decode list. See DecodeTypes for more information.

Attribute Assigned DecodeType
accountExpires DYN_DECODE_64TIME
aelita-Amm-SourceGUID DYN_DECODE_GUID
aelita-Amm-SourceSID DYN_DECODE_SID
aelita-Amm-TargetGUID DYN_DECODE_GUID
aelita-Amm-TargetSID DYN_DECODE_SID
attributeCertificateAttribute DYN_DECODE_CERT
attributeSecurityGUID DYN_DECODE_GUID
attributeSyntax DYN_DECODE_ATTRIBENUM
auditPolicy DYN_DECODE_BINARY
badpasswordtime DYN_DECODE_64TIME
cacertificate DYN_DECODE_CERT
certificateRevocationList DYN_DECODE_CRL
createtimestamp DYN_DECODE_GTFTIME
creationtime DYN_DECODE_64TIME
crossCertificatePair DYN_DECODE_CERT
currenttime DYN_DECODE_GTFTIME
deltaRevocationList DYN_DECODE_CRL
dnsproperty DYN_DECODE_BINARY
dnsrecord DYN_DECODE_DNSRECORD
domainControllerFunctionality DYN_DECODE_ATTRIBENUM
domainFunctionality DYN_DECODE_ATTRIBENUM
dsasignature DYN_DECODE_BINARY
dSASignature DYN_DECODE_DSA_SIG
dSCorePropagationData DYN_DECODE_GTFTIME
ForceLogoff DYN_DECODE_ATTRIBENUM
forestFunctionality DYN_DECODE_ATTRIBENUM
gpoptions DYN_DECODE_ATTRIBENUM
grouptype DYN_DECODE_ATTRIBENUM
IndSS-ActualDate DYN_DECODE_64DATE_UTC
IndSS-PlannedDate DYN_DECODE_64DATE_UTC
IndSS-TaskLastRun DYN_DECODE_64TIME_UTC
instancetype DYN_DECODE_ATTRIBENUM
Invocationid DYN_DECODE_GUID
lastLogon DYN_DECODE_64TIME
lastLogonTimestamp DYN_DECODE_64TIME
lockoutDuration DYN_DECODE_PWDSEC
lockOutObservationWindow DYN_DECODE_PWDSEC
lockoutTime DYN_DECODE_64TIME
maxPwdAge DYN_DECODE_PWDSEC
minPwdAge DYN_DECODE_PWDSEC
modifytimestamp DYN_DECODE_GTFTIME
msDFS-TargetListv2 DYN_DECODE_UNICODE
msds-behavior-version DYN_DECODE_ATTRIBENUM
mS-DS-ConsistencyGuid DYN_DECODE_GUID
msDS-LockoutDuration DYN_DECODE_PWDSEC
msDS-LockoutObservationWindow DYN_DECODE_PWDSEC
msds-ManagedPassword DYN_DECODE_GMSAPWD
msDS-ManagedPasswordId DYN_DECODE_GMSAPWDID
msDS-ManagedPasswordPreviousId DYN_DECODE_GMSAPWDID
msDS-MaximumPasswordAge DYN_DECODE_PWDSEC
msDS-MinimumPasswordAge DYN_DECODE_PWDSEC
msDS-ReplAttributeMetaData DYN_DECODE_META
msDS-ReplValueMetaData DYN_DECODE_METAV
msDS-RequiredForestBehaviorVersion DYN_DECODE_ATTRIBENUM
msDS-RequiredDomainBehaviorVersion DYN_DECODE_ATTRIBENUM
msds-SupportedEncryptionTypes DYN_DECODE_ATTRIBENUM
msDS-TrustForestTrustInfo DYN_DECODE_MSTRUST
msds-user-account-control-computed DYN_DECODE_ATTRIBENUM
msDS-UserPasswordExpiryTimeComputed DYN_DECODE_64DATE_UTC
msExchArchiveGUID DYN_DECODE_GUID
msExchMailboxGuid DYN_DECODE_GUID
msExchMailboxSecurityDescriptor DYN_DECODE_SD
msExchMasterAccountSid DYN_DECODE_SID
msExchOMAAdminWirelessEnable DYN_DECODE_ATTRIBENUM
msExchModerationFlags DYN_DECODE_ATTRIBENUM
msExchRecipientDisplayType DYN_DECODE_ATTRIBENUM
msExchRecipientTypeDetails DYN_DECODE_ATTRIBENUM
msExchRemoteRecipientType DYN_DECODE_ATTRIBENUM
msExchSafeSendersHash DYN_DECODE_BINARY
msexchuseraccountcontrol DYN_DECODE_ATTRIBENUM
msFVE-KeyPackage DYN_DECODE_BINARY
msFVE-VolumeGuid DYN_DECODE_GUID
msFVE-RecoveryGuid DYN_DECODE_GUID
msKds-CreateTime DYN_DECODE_64TIME
msKds-KDFParam DYN_DECODE_BINARY
msKds-RootKeyData DYN_DECODE_BINARY
msKds-SecretAgreementParam DYN_DECODE_BINARY
msKds-UseStartTime DYN_DECODE_64TIME
ms-Mcs-AdmPwdExpirationTime DYN_DECODE_64DATE_UTC
msMQDigests DYN_DECODE_BINARY
mSMQSignCertificates DYN_DECODE_BINARY
mspki-certificate-name-flag DYN_DECODE_ATTRIBENUM
mspki-enrollment-flag DYN_DECODE_ATTRIBENUM
mspki-private-key-flag DYN_DECODE_ATTRIBENUM
msrtcsip-archivedefaultflags DYN_DECODE_ATTRIBENUM
msrtcsip-archivingenabled DYN_DECODE_ATTRIBENUM
msrtcsip-archivingserverversion DYN_DECODE_ATTRIBENUM
msrtcsip-enablefederation DYN_DECODE_ATTRIBENUM
msrtcsip-meetingflags DYN_DECODE_ATTRIBENUM
msrtcsip-optionflags DYN_DECODE_ATTRIBENUM
msRTCSIP-OriginatorSid DYN_DECODE_SID
msrtcsip-poolfunctionality DYN_DECODE_ATTRIBENUM
msrtcsip-pooltype DYN_DECODE_ATTRIBENUM
msrtcsip-poolversion DYN_DECODE_ATTRIBENUM
msrtcsip-serverversion DYN_DECODE_ATTRIBENUM
msrtcsip-sourceobjecttype DYN_DECODE_ATTRIBENUM
msrtcsip-trustedserverversion DYN_DECODE_ATTRIBENUM
msrtcsip-ucflags DYN_DECODE_ATTRIBENUM
msRTCSIP-UserRoutingGroupId DYN_DECODE_GUID
mSSMSRangedIPHigh DYN_DECODE_IP_W
mSSMSRangedIPLow DYN_DECODE_IP_W
ntmixeddomain DYN_DECODE_ATTRIBENUM
ntsecuritydescriptor DYN_DECODE_SD
objectclasscategory DYN_DECODE_ATTRIBENUM
ObjectGUID DYN_DECODE_GUID
ObjectSID DYN_DECODE_SID
omobjectclass DYN_DECODE_BEROID
oMSyntax DYN_DECODE_ATTRIBENUM
pkidefaultkeyspec DYN_DECODE_ATTRIBENUM
pkiexpirationperiod DYN_DECODE_PERIOD
pkikeyusage DYN_DECODE_ATTRIBENUM
pkioverlapperiod DYN_DECODE_PERIOD
pktGUID DYN_DECODE_GUID
pwdLastSet DYN_DECODE_64TIME
pwdproperties DYN_DECODE_ATTRIBENUM_NONUM
replPropertyMetaData DYN_DECODE_METAP
repluptodatevector DYN_DECODE_BINARY
replUpToDateVector DYN_DECODE_REPL_UTDV
repsfrom DYN_DECODE_BINARY
repsfrom DYN_DECODE_REPSINFO
repsto DYN_DECODE_BINARY
repsto DYN_DECODE_REPSINFO
ridallocationpool DYN_DECODE_RIDPOOL
ridavailablepool DYN_DECODE_RIDPOOL
ridpreviousallocationpool DYN_DECODE_RIDPOOL
samaccounttype DYN_DECODE_ATTRIBENUM
schemaFlagsEx DYN_DECODE_ATTRIBENUM
schemaIDGUID DYN_DECODE_GUID
sdrightseffective DYN_DECODE_ATTRIBENUM
searchflags DYN_DECODE_ATTRIBENUM
securityIdentifier DYN_DECODE_SID
ServerState DYN_DECODE_ATTRIBENUM
sidhistory DYN_DECODE_SID
supportedcapabilities DYN_DECODE_ATTRIBENUM
supportedcontrol DYN_DECODE_ATTRIBENUM
supportedextension DYN_DECODE_ATTRIBENUM
systemflags DYN_DECODE_ATTRIBENUM
tokengroups DYN_DECODE_SID
tokenGroupsGlobalAndUniversal DYN_DECODE_SID
tokenGroupsNoGCAcceptable DYN_DECODE_SID
trustattributes DYN_DECODE_ATTRIBENUM
trustdirection DYN_DECODE_ATTRIBENUM
trusttype DYN_DECODE_ATTRIBENUM
useraccountcontrol DYN_DECODE_ATTRIBENUM
userCertificate DYN_DECODE_CERT
userparameters DYN_DECODE_BINARY
userSMIMECertificate DYN_DECODE_CERT
validaccesses DYN_DECODE_ATTRIBENUM
WhenChanged DYN_DECODE_GTFTIME
Whencreated DYN_DECODE_GTFTIME