Query Logon-Count in Active Directory

Pash · October 2009

Hi,

Guys I am just wondering if anyone would know how to query "logon-count" in Active Directory? I know this attribute is not replicated amongst domain controllers in a domain. I need to be able to lock an AD account if a certant amount of logins has been attempted.

I guess my pseudo code is:-

Find all Domain controllers in Domain;

Query each Domain controller;

Get Logon-Count number from each domain controller for user x;

Add values of each query together;

If total logon-count value > allow logon attempts - Lock user x account;

reset logon count info;

else no action;

Anyone done this before?

Pash

Hyper-Me · October 2009

You are trying to lock out a user that has valid credentials after a certain amount of valid logons?

Why would you need to do this?

Does logon hours, restricting the user to certain machines or a PSO (if server 0

not suffice?

RobertKaucher · October 2009

Are you talking about invalid logon attempts? This can be done in AD via a GPO.

Implementing and Troubleshooting Account Lockout

No need for scripting.

Pash · October 2009

nope, literally when the correct logon credentials are entered x times, the account locks out, these will be limited accounts if you like.

mrmcmint · October 2009

I understand what you are trying to do, just can't quite understand why you would want to limit someone to the amount of times they can log in.

Anyway... I guess the only way to do this (and it will involve a script) is to start by registering c:\program files\Windows Resource Kits\Tools\acctinfo.dll (assuming you have RKTools installed).

Once you have done this you should see an additional tab in AD under the user account properties called Additional Account Info. This contains the logon count of the user in question. Unfortunately, you can't do a search in AD and double click the users name to get this tab, you need to manually go through the hierarchy in AD and double click their username.

At this point you will need a VB script to query the logon count of a user and proceed to lock out the account if the logon count reaches a specified value.

This is the only way I can think of doing it.

HTH

kalebksp · October 2009

It doesn't look like it would be too hard to combine these two scripts to do what you want:

Hey, Scripting Guy! Blog : Hey, Scripting Guy! How Can I Get a List of Domain Controllers in My Domain? (Part 1)
Hey, Scripting Guy! Blog : How Can I Count the Number of Times a User has Logged on to a Computer?

Pash · October 2009

cheers for the reponses fella's. I am still looking at it, I wanted to whack something together in powershell but I have been busy trying to fix stuff all of today.

RobertKaucher · October 2009

Pash, when you are done, make sure you share the script.

HeroPsycho · October 2009

mrmcmint wrote: »

Anyway... I guess the only way to do this (and it will involve a script) is to start by registering c:\program files\Windows Resource Kits\Tools\acctinfo.dll (assuming you have RKTools installed).

Once you have done this you should see an additional tab in AD under the user account properties called Additional Account Info. This contains the logon count of the user in question. Unfortunately, you can't do a search in AD and double click the users name to get this tab, you need to manually go through the hierarchy in AD and double click their username.

You don't need that DLL registered. It just exposes the number of times an account logged in within ADUC. That count is stored in Active Directory regardless.

To see the number of logins for a user using the quest ad cmdlets on a domain controller:

connect-qadservice -service dc.domain.com

get-qaduser "username" -includedproperties logoncount | select logoncount

That might help you get started. Set variables for the logoncount for each DC, a variable of the sum of those values, and a conditional if that says when over a certain number, lock the account.

Pash · October 2009

HeroPsycho wrote: »

You don't need that DLL registered. It just exposes the number of times an account logged in within ADUC. That count is stored in Active Directory regardless.

To see the number of logins for a user using the quest ad cmdlets on a domain controller:

connect-qadservice -service dc.domain.com

get-qaduser "username" -includedproperties logoncount | select logoncount

That might help you get started. Set variables for the logoncount for each DC, a variable of the sum of those values, and a conditional if that says when over a certain number, lock the account.

You are a superstar.

Once I am done I will post the script.

apena7 · October 2009

Instead of automatically deactivating the account after 5 successful logins, how about automatically deactivating after 5 days (or however long you need it)? Also, if someone locks their computer (Windows key + L), takes a break, and then logs back into the workstation, will that count against their limit?

HeroPsycho · October 2009

Pash · October 2009

HeroPsycho wrote: »

She is hot.

Query Logon-Count in Active Directory

Comments