Incorrect LastLogonTimeStamp Value of user in Active Directory - active-directory

I'm using the LastLogonTimeStamp property of a user in Active Directory to get the last logon date and time, but the value isn't consistent.
Has anyone else faced the same issue?
Can we trust LastLogonTimeStamp?
Update:
It's just one Domain Controller

http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx
You would only use lastLogonTimeStamp if you have a lot of domain controllers and don't need the most accurate results. With a single domain controller, use the lastLogon attribute.

LastLogonTimeStamp by design only gets updated when the user logs in and the current value is between 9 and 14 days old. They did this to cut down on replication traffic in AD.
This blog posting says it well:
It is important to note that the intended purpose of the lastLogontimeStamp attribute is to help identify inactive computer and user accounts. The lastLogon attribute is not designed to provide real-time logon information. With default settings in place the lastLogontimeStamp will be 9-14 days behind the current date.
If you want the real last logon information for a user, you have to pull the lastLogon attribute from each domain controller in the domain and use the most recent value.

Do you have a network with several DCs (domain controllers)? They might be out of sync, since LastLogonTimeStamp will be updated on the DC that the user actually logs on to, and synchronization might take some time.
Marc

If you ever plan to have more than one DC, then LastLogonTimeStamp may not be a reliable method for determining something like whether or not an account has grown "stale", since that attribute is not replicated to other DCs in many (most?) scenarios, depending on your domain functional level.
A better method for determining this is to look at "password age" (via the PasswordLastChanged attribute). For example, if someone hasn't reset their password a week or two after it has expired (or some other time span, depending on your particular environment), then there is a good chance that you have an orphaned account there.

You can't get a user's true last logon time from either lastLogon or lastLogonTimeStamp in a straightforward way; you need to do some custom work to get the latest logon time.
By LastLogon
You need to query the lastLogon value from all the domain controllers, compare all the values, and take the highest logon time as the true last logon.
By LastLogonTimeStamp
Since it is a replicated attribute, you can query only one DC, but it will not give an accurate result; it has a precision of around 14 days, depending on the attribute msDS-LogonTimeSyncInterval.

If you want the real last logon information for a user, you have to pull the lastLogon attribute from each domain controller in the domain and use the most recent value.
Unfortunately this isn't completely accurate. I have used the lastLogon attribute, and while it IS fairly close for most user accounts I've tested with this, I've come across many that return a date in 1600, and those that are close show times at which I know for certain the specified users weren't even able to log in; for instance, my own LastLogon showed 7:50am when I know I signed in at 8:15am.
Many admins seem to sometimes desire to use this information to verify compliance with company policy. Unfortunately Microsoft seems to have disregarded such intentions by design for system functionality purposes.
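The "query every DC and keep the highest lastLogon" procedure from the answer above, and the "date in 1600" and 7:50am-vs-8:15am observations from the reply, can both be made concrete with a few lines of Python. The example below is added here and is not code from any of the posts. It assumes the raw attribute values have already been read from each DC (for instance over LDAP) and are passed in as integers; the DC names, timestamps and the 90-day inactivity threshold are constructed sample data. AD stores both attributes as Windows FILETIME values (100 ns ticks since 1601-01-01 UTC), which is why a raw 0 ("never logged on here") renders as 1601, or 1600 once shifted into a time zone west of UTC.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon / lastLogonTimeStamp as a 64-bit count of 100 ns
# intervals since 1601-01-01 00:00 UTC (Windows FILETIME). 0 means "never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Convert a raw AD timestamp to an aware UTC datetime; 0 (never) becomes None.

    A raw 0 rendered naively is 1601-01-01 UTC, which shows up as a date
    in 1600 once converted to a time zone west of UTC."""
    raw = int(raw)
    if raw <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here only to build sample data)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def true_last_logon(per_dc_raw):
    """lastLogon is not replicated, so the value must be read from every DC
    and the most recent one wins. per_dc_raw maps DC name -> raw lastLogon.
    Returns (dc_name, datetime), or (None, None) if no DC ever saw a logon."""
    best_dc, best_dt = None, None
    for dc, raw in per_dc_raw.items():
        dt = filetime_to_datetime(raw)
        if dt is not None and (best_dt is None or dt > best_dt):
            best_dc, best_dt = dc, dt
    return best_dc, best_dt


def surely_inactive(stamp_raw, now, inactive_days, sync_interval_days=14):
    """Conservative staleness test on lastLogonTimeStamp alone.

    The stamp is only rewritten when a logon happens and the stored value is
    already older than msDS-LogonTimeSyncInterval (default 14 days) minus a
    random offset, so the real last logon can be up to sync_interval_days
    newer than the stamp. An account has certainly not logged on for
    inactive_days only if the stamp is older than inactive_days + sync_interval_days."""
    stamp = filetime_to_datetime(stamp_raw)
    if stamp is None:
        return True
    return stamp < now - timedelta(days=inactive_days + sync_interval_days)


def logon_report(per_dc_raw, stamp_raw, now, inactive_days=90):
    """Combine the per-DC lastLogon values with the replicated stamp."""
    dc, dt = true_last_logon(per_dc_raw)
    return {
        "true_last_logon_dc": dc,
        "true_last_logon": dt,
        "last_logon_timestamp": filetime_to_datetime(stamp_raw),
        "surely_inactive": surely_inactive(stamp_raw, now, inactive_days),
    }


# Constructed sample: the user authenticated against DC01 two weeks ago and
# against DC02 yesterday, never against DC03. The replicated stamp may still
# carry the older DC01 value because it was under 9-14 days old at the time.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LASTLOGON = {
    "DC01": datetime_to_filetime(datetime(2024, 3, 1, 7, 50, tzinfo=timezone.utc)),
    "DC02": datetime_to_filetime(datetime(2024, 3, 14, 8, 15, tzinfo=timezone.utc)),
    "DC03": 0,
}
SAMPLE_STAMP = SAMPLE_LASTLOGON["DC01"]
# 96 days old: past a 90-day threshold, but not past 90 + 14, so not provably inactive.
BORDERLINE_STAMP = datetime_to_filetime(datetime(2023, 12, 10, tzinfo=timezone.utc))
# 135 days old: provably inactive for 90 days whatever the sync interval did.
OLD_STAMP = datetime_to_filetime(datetime(2023, 11, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    r = logon_report(SAMPLE_LASTLOGON, SAMPLE_STAMP, NOW)
    print(f"true last logon: {r['true_last_logon']} (from {r['true_last_logon_dc']})")
    print(f"lastLogonTimeStamp says: {r['last_logon_timestamp']}")
    print(f"surely inactive for 90 days: {r['surely_inactive']}")
```

The point of `surely_inactive` is the margin: a stale-account report built on lastLogonTimeStamp alone should add the sync interval to whatever inactivity threshold policy demands, otherwise an account that logged on last week can be flagged as idle for three months.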

Related

Restrict Access for users on Leave

How to restrict access to the Salesforce application for the time users are on leave, on the basis of leave start and end date?
Freeze the user on the leave start date and then unfreeze on the leave end date?
Any other automation approach?
What exactly do you want to achieve? A nightly batch job that does either of these should be enough. Not sure if you can do time-based workflows/processes on users.
You can (de)activate them, although it's a bit of a nuclear option. Other users might be impacted when they work with deactivated users' data: "operation was performed with inactive user" error.
You can (un)freeze manually or by modifying the UserLogin table; each user will have 1 record in it. https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_userlogin.htm
If you want them to be able to log in but do a limited set of things, you could look at your sharing rules and temporarily change their role/group/whatever. Or change the profile to read-only. Or unassign a permission set.
Then there are more sophisticated things like maybe disabling their SSO, having a login flow that checks something on the user record, checking IP addresses (like allowing login only from the office network, not from home). You could look into "high assurance sessions", multi-factor authentication (take their work phone or RSA device when they go on holidays?) or there's an interesting Trailhead module about detecting / preventing suspicious activity. https://trailhead.salesforce.com/content/learn/modules/enhanced_transaction_security and https://trailhead.salesforce.com/en/content/learn/modules/event_monitoring

Conceptual issue: Verifying that two users are present

I'm a programmer who is about to release an intranet site where apprentices can rate their educators and vice versa. Currently the system is working as planned, however HR wants some way to verify that the users are OK with their ratings. If not, they should be able to unlock their ratings so that the other person has to re-do the rating.
Unfortunately, HR also wants to reduce the number of logins that these users have to endure. In the worst-case scenario, users have to:
Log in to rate the educator/apprentice
Log in to unlock the rating
Log in to rate the educator/apprentice again
And so on...
The user who fills the rating has to be user A, while the user who unlocks or confirms the rating has to be user B. User A can also unlock the rating if they have a correction.
This process has to be done twice - once for the educator, once for the apprentice.
There is usually only one workstation present (factory environment).
Possible solution:
My suggestion is a kind of meeting workflow. One user logs in, clicks a button in the appraisal and the workflow starts. The other user is prompted to log in. This starts a kind of "double session" with both users logged in at the same time. This is a way to verify that both of them are present in a meeting.
This process could be used for multiple ratings at the same time, guiding the users through the process one by one.
HR wants both of them to meet and discuss their ratings.
Are there any security and/or best practice concerns that I should be aware of? The system has to be ready on the first of August, so I'm really hoping to solve this issue as easily as possible. Are there better ways to do this?
It turns out that my idea of logging in two users at the same time wasn't so bad. At first, a regular user logs in and launches the meeting mode. In order to verify that the other user is present, this second user logs in. Both users' data is now stored in the session and the meeting workflow launches, guiding both of them through their appraisals. When the last appraisal is finished, the second user is logged out.
This question is solved.
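The "double session" the question and its resolution describe has two security properties worth making explicit: the second user's authentication is bound to the meeting only (and is discarded when the meeting ends, so the shared workstation is not left with a second live login), and every action is checked against which of the two participants performs it, so the person being rated is the only one who can confirm the rating about them. The Python below is an added illustration of that server-side state, not code from the question's intranet site; the class, method and user names are hypothetical, and the credential check is stood in for by a boolean the real application would get from its authentication layer.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    DRAFT = "draft"            # rating not yet submitted (or unlocked for a redo)
    SUBMITTED = "submitted"    # waiting for the rated person to confirm
    CONFIRMED = "confirmed"    # accepted by the rated person


class MeetingError(Exception):
    """Raised when an action comes from the wrong user or in the wrong state."""


@dataclass
class Rating:
    rater: str
    subject: str
    score: Optional[int] = None
    state: State = State.DRAFT


@dataclass
class MeetingSession:
    """Server-side session for one appraisal meeting at a shared workstation.

    `primary` is the user whose normal login started meeting mode. `secondary`
    is the second person, authenticated only for this meeting: the identity is
    kept here rather than as a general login and is cleared when the meeting ends."""
    primary: str
    secondary: Optional[str] = None
    ratings: List[Rating] = field(default_factory=list)
    active: bool = True

    def join(self, second_user: str, credentials_ok: bool) -> None:
        if not self.active or self.secondary is not None:
            raise MeetingError("meeting already has two participants or is over")
        if not credentials_ok:
            raise MeetingError("second user failed authentication")
        if second_user == self.primary:
            raise MeetingError("the same person cannot play both roles")
        self.secondary = second_user
        # One rating in each direction: educator -> apprentice and back.
        self.ratings = [
            Rating(rater=self.primary, subject=second_user),
            Rating(rater=second_user, subject=self.primary),
        ]

    def _participant(self, actor: str) -> None:
        if not self.active or actor not in (self.primary, self.secondary):
            raise MeetingError(f"{actor} is not part of this meeting")

    def _rating(self, rater: str, subject: Optional[str]) -> Rating:
        for r in self.ratings:
            if r.rater == rater and r.subject == subject:
                return r
        raise MeetingError("no such rating in this meeting")

    def _other(self, actor: str) -> Optional[str]:
        return self.secondary if actor == self.primary else self.primary

    def submit(self, actor: str, score: int) -> None:
        """The rater (user A) fills in the rating of the other participant."""
        self._participant(actor)
        r = self._rating(rater=actor, subject=self._other(actor))
        if r.state is not State.DRAFT:
            raise MeetingError("rating already submitted; unlock it first")
        r.score, r.state = score, State.SUBMITTED

    def confirm(self, actor: str) -> None:
        """Only the rated person (user B) can confirm the rating about them."""
        self._participant(actor)
        r = self._rating(rater=self._other(actor), subject=actor)
        if r.state is not State.SUBMITTED:
            raise MeetingError("nothing to confirm")
        r.state = State.CONFIRMED

    def unlock(self, actor: str, rater: str) -> None:
        """Either participant may reopen a rating so the rater has to redo it."""
        self._participant(actor)
        r = self._rating(rater=rater, subject=self._other(rater))
        if r.state is State.DRAFT:
            raise MeetingError("rating is already open")
        r.score, r.state = None, State.DRAFT

    def finish(self) -> List[Rating]:
        """End the meeting once both ratings are confirmed and drop the second
        user's authentication, so only the primary login remains on the workstation."""
        if any(r.state is not State.CONFIRMED for r in self.ratings):
            raise MeetingError("both ratings must be confirmed first")
        self.active, self.secondary = False, None
        return list(self.ratings)


def raises(fn, *args) -> bool:
    """True if calling fn(*args) is rejected by the meeting rules."""
    try:
        fn(*args)
    except MeetingError:
        return True
    return False


def demo() -> List[Rating]:
    """One meeting between constructed users 'educator' and 'apprentice'."""
    s = MeetingSession(primary="educator")
    s.join("apprentice", credentials_ok=True)
    s.submit("educator", 4)                   # educator rates apprentice
    s.submit("apprentice", 5)                 # apprentice rates educator
    s.confirm("educator")                     # educator accepts the rating about them
    s.unlock("apprentice", rater="educator")  # apprentice asks for a correction
    s.submit("educator", 3)
    s.confirm("apprentice")
    return s.finish()
```

Keeping `secondary` inside the meeting object rather than in the general session store is what makes "log the second user out when the last appraisal is finished" a single assignment instead of a cleanup job that can be forgotten.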

Architecture tip on how to deal with Premium accounts, plan duration and renewal

I'm creating a website which has a premium user feature. I'm thinking about how to design the database to store the premium user plan, and how to check it.
My main idea so far is:
Have 2 fields on the user table: premium (boolean) and expires (date)
When the user makes a payment, it will calculate the plan duration, set premium to 1, and set the expiry date to the end of the duration
Every time I check user->isPremium(), it will also check if it's expired; if so, set it back to zero and offer a renewal
Aside from this, all payments/transactions will be recorded in a logs table for record keeping.
This is a simple design I thought of, but since this is a common feature on many websites, I thought of asking you guys how the pros do this.
This probably won't make much difference on the design, but I'll use Stripe for handling payments.
It looks good to me. It is simple and solves your problem.
Hint 1: Depending on the semantics of your premium and expires fields, you do not need both. You can just change your user->isPremium() to check if the expires date has passed. Make sure you also change how you handle offering a renewal.
Hint 2: I am working on a system that handles plan subscriptions and I had to deal with the following cases:
Permit users to renew/extend the subscription before the expiration date.
Different prices for different durations.
Discounts.
The delay between bill generation and payment confirmation.
Users with pending payments trying to buy again.
Users asking to cancel current subscriptions.
Hope it helps.
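Hint 1 (a single `expires` field) and the first, fourth, fifth and sixth cases of hint 2 fit in a small model, written here as an added Python example rather than code from either post. The plan catalogue, user ids and the fixed reference time are constructed; `invoice_id` stands in for whatever identifier the payment provider (Stripe, in the question) returns. The detail that most often goes wrong is in `confirm_payment`: new time is added on top of the remaining subscription, not counted from the day the payment clears, otherwise a user who renews early or whose payment is confirmed late loses days they paid for.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed plan catalogue: plan name -> duration in days.
PLAN_DAYS = {"monthly": 30, "yearly": 365}


@dataclass
class PendingPayment:
    invoice_id: str   # stands in for the id a payment provider such as Stripe returns
    plan: str


@dataclass
class Account:
    user_id: str
    expires: Optional[datetime] = None        # the one field that defines "premium" (hint 1)
    pending: Optional[PendingPayment] = None  # invoice issued, payment not yet confirmed (case 4)


def is_premium(acct: Account, now: datetime) -> bool:
    """No separate boolean: premium means the expiry lies in the future."""
    return acct.expires is not None and now < acct.expires


def start_checkout(acct: Account, plan: str, now: datetime, invoice_id: str) -> PendingPayment:
    """Issue an invoice. Refuses a second purchase while one is still unpaid (case 5)."""
    if plan not in PLAN_DAYS:
        raise ValueError(f"unknown plan {plan!r}")
    if acct.pending is not None:
        raise ValueError("a payment is already pending; confirm or cancel it first")
    acct.pending = PendingPayment(invoice_id, plan)
    return acct.pending


def confirm_payment(acct: Account, invoice_id: str, now: datetime) -> datetime:
    """The provider confirmed payment, possibly days after checkout (case 4).
    Time is added on top of what is left, so renewing early never forfeits days (case 1)."""
    if acct.pending is None or acct.pending.invoice_id != invoice_id:
        raise ValueError("no pending invoice with that id")
    base = acct.expires if is_premium(acct, now) else now
    acct.expires = base + timedelta(days=PLAN_DAYS[acct.pending.plan])
    acct.pending = None
    return acct.expires


def cancel(acct: Account) -> Optional[datetime]:
    """Drop an unpaid invoice; paid-for time already granted runs to its end (case 6)."""
    acct.pending = None
    return acct.expires


def raises(fn, *args) -> bool:
    """True if fn(*args) is rejected by the checks above."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time


def early_renewal() -> Account:
    """Pay monthly, confirmed two days later; then buy a year ten days before expiry."""
    acct = Account("u1")
    start_checkout(acct, "monthly", NOW, "inv-001")
    confirm_payment(acct, "inv-001", NOW + timedelta(days=2))   # premium until 2024-04-02
    t = acct.expires - timedelta(days=10)
    start_checkout(acct, "yearly", t, "inv-002")
    confirm_payment(acct, "inv-002", t)                         # until 2025-04-02, not 2025-03-23
    return acct


def lapsed_renewal() -> Account:
    """Let the month run out and pay again ten days later: the clock restarts at payment."""
    acct = Account("u2")
    start_checkout(acct, "monthly", NOW, "inv-003")
    confirm_payment(acct, "inv-003", NOW)                        # until 2024-03-31
    t = acct.expires + timedelta(days=10)
    start_checkout(acct, "monthly", t, "inv-004")
    confirm_payment(acct, "inv-004", t)                          # until 2024-05-10
    return acct
```

Because `is_premium` derives everything from `expires`, there is no boolean that can drift out of step with the date, and "offer a renewal" reduces to `not is_premium(acct, now) and acct.pending is None`.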

Get information from various sources

I'm developing an app that has to get some information from various sources (APIs and RSS) and display it to the user in near real-time.
What's the best way to get it:
1. Have a cron job update all the accounts every 12h, and when a user requests one, update that account, save it to the DB and show it to the user?
2. Have a cron job update all the accounts every 6h, and when a user requests one, update the account and show it to the user without saving it to the DB?
What's the best way to get it? What's faster? And what's the most scalable?
12h or 6h, you have to do the math yourself; you are the only one who knows how many sources you have, how your app is hosted, what bandwidth you have...
Have a look at http://developmentseed.org/portfolio/managing-news; it is Drupal based and does what you need (and much more). You can either use it or dive into the code and see how it is done.

What is the best way to do basic View tracking on a web page?

I have a web-facing, anonymously accessible blog directory and blogs, and I would like to track the number of views each of the blog posts receives.
I want to keep this as simple as possible; accuracy need only be an approximation. This is not for analytics (we have Google for that) and I don't want to do any log analysis to pull out the stats, as running background tasks in this environment is tricky and I want the numbers to be as fresh as possible.
My current solution is as follows:
A web control that simply records a view in a table for each GET.
Excludes a list of known web crawlers using a regex and UserAgent string
Provides for the exclusion of certain IP Addresses (known spammers)
Provides for locking down some posts (when the spammers come for it)
This actually seems to do a pretty good job, but a couple of things annoy me. The spammers still hit some posts, thereby skewing the views. I still have to manually monitor the views and update my list of "bad" IP addresses.
Does anyone have some better suggestions for me? Anyone know how the views on StackOverflow questions are tracked?
It sounds like your current solution is actually quite good.
We implemented one where the server code which delivered the view content also updated a database table which stored the URL (actually a special ID code for the URL since the URL could change over time) and the view count.
This was actually for a system with user-written posts that others could comment on but it applies equally to the situation where you're the only user creating the posts (if I understand your description correctly).
We had to do the following to minimise (not eliminate, unfortunately) skew.
For logged-in users, each user could only add one view point to a post. EVER. NO exceptions.
For anonymous users, each IP address could only add one view point to a post each month. This was slightly less reliable as IP addresses could be 'shared' (NAT and so on) from our point of view. The reason we relaxed the "EVER" requirement above was for this sharing reason.
The posts themselves were limited to having one view point added per time period (the period started low (say, 10 seconds) and gradually increased (to, say, 5 minutes), so new posts were allowed to accrue views faster, due to their novelty). This took care of most spam-bots, since we found that they tend to attack long after the post has been created.
Removal of a spam comment on a post, or a failed attempt to bypass CAPTCHA (see below), automatically added that IP to the blacklist and reduced the view count for that post.
If a blacklisted IP hadn't tried to leave a comment in N days (configurable), it was removed from the blacklist. This rule, and the previous rule, minimised the manual intervention in maintaining the blacklist, we only had to monitor responses for spam content.
CAPTCHA. This solved a lot of our spam problems, especially since we didn't just rely on OCR-type things (like "what's this word -> 'optionally'); we actually asked questions (like "what's 2 multiplied by half of 8?") that break the dumb character recognition bots. It won't beat the hordes of cheap labour CAPTCHA breakers (unless their maths is really bad :-) but the improvements from no-CAPTCHA were impressive.
Logged-in users weren't subject to CAPTCHA but spam got the account immediately deleted, IP blacklisted and their view subtracted from the post.
I'm ashamed to admit we didn't actually discount the web crawlers (I hope the client isn't reading this :-). To be honest, they're probably only adding a minimal number of view points each month due to our IP address rule (unless they're swarming us with multiple IP addresses).
So basically, I'm suggesting the following as possible improvements. You should, of course, always monitor how they go to see if they're working or not.
CAPTCHA.
Automatic blacklist updates based on user behaviour.
Limiting view count increases from identical IP addresses.
Limiting view count increases to a certain rate.
No scheme you choose will be perfect (e.g., our one month rule) but, as long as all posts are following the same rule set, you still get a good comparative value. As you said, accuracy need only be an approximation.
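The rules in the answer above (one view per logged-in user ever, one per anonymous IP per month, a per-post minimum gap that grows with the post's age, and a blacklist that is fed by spam removals and expires after N quiet days) can be run against a small constructed access log to see how they interact. This Python is an added example, not the answerer's code; the `ViewCounter` class, its defaults and the sample events are all constructed, and in-memory dicts and sets stand in for the database table the answer mentions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ViewCounter:
    start_window: int = 10        # seconds between counted views on a brand-new post
    max_window: int = 300         # the window stops growing here (5 minutes)
    blacklist_ttl_days: int = 30  # N days without another report clears an IP
    created: Dict[str, datetime] = field(default_factory=dict)
    counts: Dict[str, int] = field(default_factory=dict)
    last_counted: Dict[str, datetime] = field(default_factory=dict)
    seen_user: Set[Tuple[str, str]] = field(default_factory=set)          # (post, user)
    seen_ip_month: Set[Tuple[str, str, str]] = field(default_factory=set)  # (post, ip, "YYYY-MM")
    blacklist: Dict[str, datetime] = field(default_factory=dict)          # ip -> last report

    def add_post(self, post_id: str, created: datetime) -> None:
        self.created[post_id] = created
        self.counts[post_id] = 0

    def _window(self, post_id: str, now: datetime) -> timedelta:
        """Minimum gap between counted views: doubles with each day of post age, capped."""
        age_days = max(0, (now - self.created[post_id]).days)
        seconds = min(self.max_window, self.start_window * 2 ** min(age_days, 20))
        return timedelta(seconds=seconds)

    def _blacklisted(self, ip: str, now: datetime) -> bool:
        reported = self.blacklist.get(ip)
        if reported is None:
            return False
        if now - reported > timedelta(days=self.blacklist_ttl_days):
            del self.blacklist[ip]          # aged out: no manual cleanup needed
            return False
        return True

    def record_view(self, post_id: str, now: datetime,
                    user: Optional[str] = None, ip: Optional[str] = None) -> bool:
        """Return True if this GET added a view point."""
        if ip is not None and self._blacklisted(ip, now):
            return False
        if user is not None:
            key: tuple = (post_id, user)                # one view per user, ever
            if key in self.seen_user:
                return False
        elif ip is not None:
            key = (post_id, ip, now.strftime("%Y-%m"))  # one view per IP per month
            if key in self.seen_ip_month:
                return False
        else:
            return False                                # nothing to limit on
        last = self.last_counted.get(post_id)
        if last is not None and now - last < self._window(post_id, now):
            return False                                # per-post rate limit
        (self.seen_user if user is not None else self.seen_ip_month).add(key)
        self.counts[post_id] += 1
        self.last_counted[post_id] = now
        return True

    def report_spam(self, post_id: str, ip: str, now: datetime) -> None:
        """A spam comment was removed or a CAPTCHA failed from this IP:
        blacklist it and take back the view point it added this month, if any."""
        self.blacklist[ip] = now
        key = (post_id, ip, now.strftime("%Y-%m"))
        if key in self.seen_ip_month:
            self.seen_ip_month.discard(key)
            self.counts[post_id] -= 1


# Constructed access log: (kind, timestamp, post, user, ip); kind is "view" or "spam".
SAMPLE_EVENTS = [
    ("view", "2024-03-01T10:00:00", "post-1", None, "203.0.113.5"),    # counted
    ("view", "2024-03-01T10:00:03", "post-1", None, "203.0.113.6"),    # 3 s after a counted view: too fast
    ("view", "2024-03-01T10:00:30", "post-1", None, "203.0.113.6"),    # counted
    ("view", "2024-03-01T10:01:00", "post-1", None, "203.0.113.5"),    # same IP, same month
    ("view", "2024-03-01T10:02:00", "post-1", "alice", None),          # counted
    ("view", "2024-03-01T10:03:00", "post-1", "alice", None),          # alice already counted, ever
    ("view", "2024-03-20T09:00:00", "post-1", None, "198.51.100.9"),   # counted; window is now 5 min
    ("view", "2024-03-20T09:01:00", "post-1", None, "198.51.100.10"),  # 60 s < 5 min
    ("spam", "2024-03-20T09:05:00", "post-1", None, "198.51.100.9"),   # spam removed: blacklist, -1 view
    ("view", "2024-03-21T09:00:00", "post-1", None, "198.51.100.9"),   # blacklisted
    ("view", "2024-04-02T12:00:00", "post-1", None, "203.0.113.5"),    # new month: counted again
    ("view", "2024-05-01T12:00:00", "post-1", None, "198.51.100.9"),   # 42 quiet days: off the list, counted
]


def demo() -> Tuple[ViewCounter, List[Optional[bool]]]:
    """Replay the sample log; returns the counter and one outcome per event (None for spam reports)."""
    counter = ViewCounter()
    counter.add_post("post-1", datetime(2024, 3, 1, 9, 59, tzinfo=timezone.utc))
    outcomes: List[Optional[bool]] = []
    for kind, ts, post, user, ip in SAMPLE_EVENTS:
        now = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        if kind == "view":
            outcomes.append(counter.record_view(post, now, user=user, ip=ip))
        else:
            counter.report_spam(post, ip, now)
            outcomes.append(None)
    return counter, outcomes
```

Two details of the rate rule are deliberate: a view rejected by the per-post window is not marked as seen, so a genuine visitor who arrives during a burst still gets counted on a later visit, and the blacklist entry is removed lazily on the next lookup instead of by a background job, which matches the question's constraint that background tasks are awkward in that environment.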
Suggestions:
Move the hit count logic from a user control into a base Page class.
Redesign the exclusions list to be dynamically updatable (i.e. store it in a database or even in an XML file)
Record all hits. On a regular interval, have a cron job run through the new hits and determine whether they are included or excluded. If you do the exclusion for each hit, each user has to wait for the matching logic to take place.
Come up with some algorithm to automatically detect spammers/bots and add them to your blacklist. And/Or subscribe to a 3rd party blacklist.
