
Query Logon-Count in Active Directory

Pash Member Posts: 1,600
Hi,

Guys, I am just wondering if anyone would know how to query "logon-count" in Active Directory? I know this attribute is not replicated amongst domain controllers in a domain. I need to be able to lock an AD account if a certain number of logins have been attempted.

I guess my pseudo code is:

    Find all domain controllers in domain;
    Query each domain controller;
    Get logon-count number from each domain controller for user x;
    Add values of each query together;
    If total logon-count value > allowed logon attempts: lock user x account; reset logon count info;
    else: no action;

Anyone done this before?

Pash
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.

Comments

  • Hyper-Me Banned Posts: 2,059
    You are trying to lock out a user that has valid credentials after a certain number of valid logons?

    Why would you need to do this?

    Do logon hours, restricting the user to certain machines, or a PSO (if Server 2008) not suffice?
  • RobertKaucher Member Posts: 4,299
    Are you talking about invalid logon attempts? This can be done in AD via a GPO.

    Implementing and Troubleshooting Account Lockout

    No need for scripting.
  • Pash Member Posts: 1,600
    Nope, literally when the correct logon credentials are entered x times, the account locks out. These will be limited accounts, if you like.
  • mrmcmint Member Posts: 492
    I understand what you are trying to do; I just can't quite understand why you would want to limit the number of times someone can log in.

    Anyway... I guess the only way to do this (and it will involve a script) is to start by registering c:\program files\Windows Resource Kits\Tools\acctinfo.dll (assuming you have RKTools installed).

    Once you have done this you should see an additional tab in AD under the user account properties called Additional Account Info. This contains the logon count of the user in question. Unfortunately, you can't do a search in AD and double-click the user's name to get this tab; you need to manually go through the hierarchy in AD and double-click their username.

    At this point you will need a VB script to query the logon count of a user and proceed to lock out the account if the logon count reaches a specified value.

    This is the only way I can think of doing it.

    HTH
  • Pash Member Posts: 1,600
    Cheers for the responses, fellas. I am still looking at it. I wanted to whack something together in PowerShell, but I have been busy trying to fix stuff all of today.
  • RobertKaucher Member Posts: 4,299
    Pash, when you are done, make sure you share the script.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    mrmcmint wrote: »
    Anyway... I guess the only way to do this (and it will involve a script) is to start by registering c:\program files\Windows Resource Kits\Tools\acctinfo.dll (assuming you have RKTools installed).

    Once you have done this you should see an additional tab in AD under the user account properties called Additional Account Info. This contains the logon count of the user in question. Unfortunately, you can't do a search in AD and double click the users name to get this tab, you need to manually go through the hierarchy in AD and double click their username.

    You don't need that DLL registered. It just exposes the number of times an account logged in within ADUC. That count is stored in Active Directory regardless.

    To see the number of logins for a user using the Quest AD cmdlets on a domain controller:

    connect-qadservice -service dc.domain.com

    get-qaduser "username" -includedproperties logoncount | select logoncount

    That might help you get started. Set variables for the logoncount for each DC, a variable for the sum of those values, and a conditional that says: when over a certain number, lock the account.
    Good luck to all!
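    One way to turn the sketch above into a working script, as an added example that is not Pash's script (which was never posted in the thread) and not HeroPsycho's code: it uses the Microsoft ActiveDirectory (RSAT) module instead of the Quest cmdlets, queries every domain controller for the non-replicated logonCount, sums the values and disables the account once the sum exceeds the limit. The function names, the limit of 5 and the account name 'jdoe' are placeholders chosen here. Because AD lockout is driven by bad-password counts and there is no cmdlet that "locks" an account on demand, the action taken is Disable-ADAccount; the example does not attempt the "reset logon count" step from the pseudo code, since logonCount is maintained by each DC itself.

    ```powershell
    # Added example: sum the non-replicated logonCount attribute across all DCs
    # and disable the account once a limit is exceeded. Not code from the thread.
    # Assumes the RSAT ActiveDirectory module, read access to user objects on
    # every DC, and rights to disable the account. Names and limits are placeholders.
    Import-Module ActiveDirectory

    function Get-TotalLogonCount {
        param(
            [Parameter(Mandatory)][string]$SamAccountName
        )
        $perDc      = @{}
        $incomplete = $false
        # logonCount is not replicated, so each DC only knows the logons it validated
        foreach ($dc in Get-ADDomainController -Filter *) {
            try {
                $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                                -Properties logonCount -ErrorAction Stop
                $perDc[$dc.HostName] = [int]$u.logonCount
            } catch {
                # An unreachable DC means the total is only a lower bound; say so
                Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
                $incomplete = $true
            }
        }
        [pscustomobject]@{
            SamAccountName = $SamAccountName
            PerDc          = $perDc
            Total          = [int]($perDc.Values | Measure-Object -Sum).Sum
            Incomplete     = $incomplete
        }
    }

    function Enforce-LogonLimit {
        [CmdletBinding(SupportsShouldProcess)]
        param(
            [Parameter(Mandatory)][string]$SamAccountName,
            [int]$MaxLogons = 5   # placeholder limit
        )
        $r = Get-TotalLogonCount -SamAccountName $SamAccountName
        if ($r.Incomplete) {
            Write-Warning "Total for $SamAccountName is a lower bound; some DCs did not answer."
        }
        if ($r.Total -gt $MaxLogons) {
            # -WhatIf on this function flows through to Disable-ADAccount
            if ($PSCmdlet.ShouldProcess($SamAccountName,
                    "Disable account (logons $($r.Total) > limit $MaxLogons)")) {
                Disable-ADAccount -Identity $SamAccountName
            }
        } else {
            Write-Verbose "$SamAccountName has $($r.Total) logons (limit $MaxLogons); no action."
        }
        return $r
    }

    # Usage with a placeholder account; drop -WhatIf to actually disable:
    # Enforce-LogonLimit -SamAccountName 'jdoe' -MaxLogons 5 -WhatIf -Verbose
    ```

    Run it with -WhatIf first and compare the per-DC breakdown it returns with what the Additional Account Info tab shows on each DC; a DC that does not answer is reported rather than silently treated as zero, so an outage cannot trigger a disable on an undercount. As apena7 notes further down, unlocking a workstation may also be counted by the DC, so the limit is worth testing against the kind of session the limited accounts will actually have.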
  • Pash Member Posts: 1,600
    HeroPsycho wrote: »
    You don't need that DLL registered. It just exposes the number of times an account logged in within ADUC. That count is stored in Active Directory regardless.

    To see the number of logins for a user using the quest ad cmdlets on a domain controller:

    connect-qadservice -service dc.domain.com

    get-qaduser "username" -includedproperties logoncount | select logoncount

    That might help you get started. Set variables for the logoncount for each DC, a variable of the sum of those values, and a conditional if that says when over a certain number, lock the account.

    You are a superstar.

    Once I am done I will post the script.
  • apena7 Member Posts: 351
    Instead of automatically deactivating the account after 5 successful logins, how about automatically deactivating after 5 days (or however long you need it)? Also, if someone locks their computer (Windows key + L), takes a break, and then logs back into the workstation, will that count against their limit?
    Usus magister est optimus
  • HeroPsycho Inactive Imported Users Posts: 1,940
    [image attachment]
  • Pash Member Posts: 1,600
    HeroPsycho wrote: »
    [image attachment]

    She is hot.