Query Logon-Count in Active Directory

Hi,

Guys I am just wondering if anyone would know how to query "logon-count" in Active Directory? I know this attribute is not replicated amongst domain controllers in a domain. I need to be able to lock an AD account if a certant amount of logins has been attempted.

I guess my pseudo code is:-

Find all Domain controllers in Domain;

Query each Domain controller;

Get Logon-Count number from each domain controller for user x;

Add values of each query together;

If total logon-count value > allow logon attempts - Lock user x account;

reset logon count info;

else no action;

Anyone done this before?

Pash

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Hyper-Me

You are trying to lock out a user that has valid credentials after a certain amount of valid logons?

Why would you need to do this?

Does logon hours, restricting the user to certain machines or a PSO (if server 0

not suffice?

RobertKaucher

Are you talking about invalid logon attempts? This can be done in AD via a GPO.

Implementing and Troubleshooting Account Lockout

No need for scripting.

Pash

nope, literally when the correct logon credentials are entered x times, the account locks out, these will be limited accounts if you like.

mrmcmint

I understand what you are trying to do, just can't quite understand why you would want to limit someone to the amount of times they can log in.

Anyway... I guess the only way to do this (and it will involve a script) is to start by registering c:\program files\Windows Resource Kits\Tools\acctinfo.dll (assuming you have RKTools installed).

Once you have done this you should see an additional tab in AD under the user account properties called Additional Account Info. This contains the logon count of the user in question. Unfortunately, you can't do a search in AD and double click the users name to get this tab, you need to manually go through the hierarchy in AD and double click their username.

At this point you will need a VB script to query the logon count of a user and proceed to lock out the account if the logon count reaches a specified value.

This is the only way I can think of doing it.

HTH

kalebksp

It doesn't look like it would be too hard to combine these two scripts to do what you want:

Hey, Scripting Guy! Blog : Hey, Scripting Guy! How Can I Get a List of Domain Controllers in My Domain? (Part 1)
Hey, Scripting Guy! Blog : How Can I Count the Number of Times a User has Logged on to a Computer?

Pash

cheers for the reponses fella's. I am still looking at it, I wanted to whack something together in powershell but I have been busy trying to fix stuff all of today.

RobertKaucher

Pash, when you are done, make sure you share the script.

HeroPsycho

mrmcmint wrote: »

Anyway... I guess the only way to do this (and it will involve a script) is to start by registering c:\program files\Windows Resource Kits\Tools\acctinfo.dll (assuming you have RKTools installed).

Once you have done this you should see an additional tab in AD under the user account properties called Additional Account Info. This contains the logon count of the user in question. Unfortunately, you can't do a search in AD and double click the users name to get this tab, you need to manually go through the hierarchy in AD and double click their username.

You don't need that DLL registered. It just exposes the number of times an account logged in within ADUC. That count is stored in Active Directory regardless.

To see the number of logins for a user using the quest ad cmdlets on a domain controller:

connect-qadservice -service dc.domain.com

get-qaduser "username" -includedproperties logoncount | select logoncount

That might help you get started. Set variables for the logoncount for each DC, a variable of the sum of those values, and a conditional if that says when over a certain number, lock the account.

Pash

HeroPsycho wrote: »

You don't need that DLL registered. It just exposes the number of times an account logged in within ADUC. That count is stored in Active Directory regardless.

To see the number of logins for a user using the quest ad cmdlets on a domain controller:

connect-qadservice -service dc.domain.com

get-qaduser "username" -includedproperties logoncount | select logoncount

That might help you get started. Set variables for the logoncount for each DC, a variable of the sum of those values, and a conditional if that says when over a certain number, lock the account.

You are a superstar.

Once I am done I will post the script.

apena7

Instead of automatically deactivating the account after 5 successful logins, how about automatically deactivating after 5 days (or however long you need it)? Also, if someone locks their computer (Windows key + L), takes a break, and then logs back into the workstation, will that count against their limit?

HeroPsycho

Pash

HeroPsycho wrote: »

She is hot.