Query Logon-Count in Active Directory
Hi,
Guys, I am just wondering if anyone would know how to query "logon-count" in Active Directory? I know this attribute is not replicated amongst domain controllers in a domain. I need to be able to lock an AD account if a certain amount of logins has been attempted.
I guess my pseudo code is:
Find all Domain controllers in Domain;
Query each Domain controller;
Get Logon-Count number from each domain controller for user x;
Add values of each query together;
If total logon-count value > allow logon attempts - Lock user x account;
reset logon count info;
else no action;
Anyone done this before?
Pash
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
Hyper-Me
You are trying to lock out a user that has valid credentials after a certain amount of valid logons?
Why would you need to do this?
Does logon hours, restricting the user to certain machines or a PSO (if Server 2008) not suffice?
RobertKaucher
Are you talking about invalid logon attempts? This can be done in AD via a GPO.
Implementing and Troubleshooting Account Lockout
No need for scripting.
Pash
Nope, literally when the correct logon credentials are entered x times, the account locks out. These will be limited accounts, if you like.
mrmcmint
I understand what you are trying to do, just can't quite understand why you would want to limit someone to the amount of times they can log in.
Anyway... I guess the only way to do this (and it will involve a script) is to start by registering c:\program files\Windows Resource Kits\Tools\acctinfo.dll (assuming you have RKTools installed).
Once you have done this you should see an additional tab in AD under the user account properties called Additional Account Info. This contains the logon count of the user in question. Unfortunately, you can't do a search in AD and double click the user's name to get this tab; you need to manually go through the hierarchy in AD and double click their username.
At this point you will need a VB script to query the logon count of a user and proceed to lock out the account if the logon count reaches a specified value.
This is the only way I can think of doing it.
HTH
kalebksp
It doesn't look like it would be too hard to combine these two scripts to do what you want:
Hey, Scripting Guy! Blog : Hey, Scripting Guy! How Can I Get a List of Domain Controllers in My Domain? (Part 1)
Hey, Scripting Guy! Blog : How Can I Count the Number of Times a User has Logged on to a Computer?
Pash
Cheers for the responses, fellas. I am still looking at it. I wanted to whack something together in PowerShell but I have been busy trying to fix stuff all of today.
RobertKaucher
Pash, when you are done, make sure you share the script.
HeroPsycho
mrmcmint wrote: »Anyway... I guess the only way to do this (and it will involve a script) is to start by registering c:\program files\Windows Resource Kits\Tools\acctinfo.dll (assuming you have RKTools installed).
Once you have done this you should see an additional tab in AD under the user account properties called Additional Account Info. This contains the logon count of the user in question. Unfortunately, you can't do a search in AD and double click the users name to get this tab, you need to manually go through the hierarchy in AD and double click their username.
You don't need that DLL registered. It just exposes the number of times an account logged in within ADUC. That count is stored in Active Directory regardless.
To see the number of logins for a user using the Quest AD cmdlets on a domain controller:
connect-qadservice -service dc.domain.com
get-qaduser "username" -includedproperties logoncount | select logoncount
That might help you get started. Set variables for the logoncount for each DC, a variable of the sum of those values, and a conditional if that says when over a certain number, lock the account.
Good luck to all!
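As an added example (not code from the thread or from any of its posters), here is the per-DC sum-and-lock loop that the pseudo code in the opening post and HeroPsycho's reply describe, written against the Microsoft ActiveDirectory module (RSAT) rather than the Quest cmdlets. The account name 'limiteduser' and the threshold of 5 are placeholders, and "lock" is implemented as disabling the account, since nothing in the thread shows how a lockout would be forced directly.

```powershell
# Added example, not from the original thread. Assumes the Microsoft
# ActiveDirectory module is installed; 'limiteduser' and 5 are placeholders.
Import-Module ActiveDirectory

function Get-TotalLogonCount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # logonCount is stored independently on every DC and is never replicated,
    # so one query would only show the logons that one DC happened to authenticate.
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties logonCount -ErrorAction Stop
            [pscustomobject]@{ DC = $dc.HostName; LogonCount = [int]$u.logonCount }
        } catch {
            # An unreachable DC means an unknown count; report it rather than silently under-counting.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            [pscustomobject]@{ DC = $dc.HostName; LogonCount = $null }
        }
    }
    $known = $perDc | Where-Object { $null -ne $_.LogonCount }
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        PerDC          = $perDc
        Total          = [int]($known | Measure-Object -Property LogonCount -Sum).Sum
        Incomplete     = [bool]($perDc | Where-Object { $null -eq $_.LogonCount })
    }
}

function Invoke-LogonCountLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [int]    $MaxLogons
    )
    $result = Get-TotalLogonCount -SamAccountName $SamAccountName
    foreach ($r in $result.PerDC) {
        Write-Verbose ("{0}: {1}" -f $r.DC, ($(if ($null -eq $r.LogonCount) { 'unknown' } else { $r.LogonCount })))
    }

    if ($result.Incomplete) {
        # Refuse to act on a partial total: the unreachable DC may hold the logons that matter.
        Write-Warning "Total $($result.Total) is incomplete (one or more DCs unreachable); not acting."
        return $result
    }
    if ($result.Total -gt $MaxLogons) {
        # Disabling (userAccountControl) is used as the "lock"; nothing here resets logonCount.
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Disable account: $($result.Total) logons > $MaxLogons")) {
            Disable-ADAccount -Identity $SamAccountName
        }
    }
    return $result
}

# Placeholder values; -WhatIf prints what would happen without disabling anything.
Invoke-LogonCountLimit -SamAccountName 'limiteduser' -MaxLogons 5 -Verbose -WhatIf
```

Run it with -WhatIf first and read the per-DC breakdown: because the attribute is never replicated, a DC that has been rebuilt starts again from zero and a DC that cannot be reached contributes nothing, so the summed value is a floor, not an exact count, and the script deliberately refuses to disable anything when a DC is missing from the total. Before relying on a threshold of 5, also confirm in your own domain which authentications bump logonCount (the workstation-unlock question raised later in this thread), since that decides how many "logons" a user actually gets.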
Pash
HeroPsycho wrote: »You don't need that DLL registered. It just exposes the number of times an account logged in within ADUC. That count is stored in Active Directory regardless.
To see the number of logins for a user using the quest ad cmdlets on a domain controller:
connect-qadservice -service dc.domain.com
get-qaduser "username" -includedproperties logoncount | select logoncount
That might help you get started. Set variables for the logoncount for each DC, a variable of the sum of those values, and a conditional if that says when over a certain number, lock the account.
You are a superstar.
Once I am done I will post the script.
apena7
Instead of automatically deactivating the account after 5 successful logins, how about automatically deactivating after 5 days (or however long you need it)? Also, if someone locks their computer (Windows key + L), takes a break, and then logs back into the workstation, will that count against their limit?
Usus magister est optimus
Pash
HeroPsycho wrote: »
She is hot.