Ldap – How to determine the most recent Active Directory login time in a timely manner

active-directory, ldap

I have a security requirement that after my application logs in a user, it should display the date and time of the user's most recent previous login. The Active Directory replicated "lastLogonTimeStamp" value is nowhere close to what is needed, so I wrote some code inspired by http://bit.ly/nf3wbM where I search the user in each domain controller in the domain, grab the "lastLogon" value and retain the maximum value. This value appears to be accurate.

The bad news is that my code found 100+ domain controllers and it takes 13 minutes to look up the user on all of them. I've logged into my own account and from debugging my code I have noticed that I have previously logged in to only 55 of those domain controllers. To make things more interesting, only 7 of those domain controllers show login times from today and my "logonCount" on those 7 domain controllers is above 1000 while on the other ones it is in the single digits. If I alter my code to look up my account only on those 7 domain controllers, I can determine my most recent login time in under 7 seconds, which is acceptable performance.

The question I have to the community is what makes those 7 domain controllers special and how should I go about having my code look up the login stats only on those?

Thank you, eugen
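The per-DC lastLogon search the question describes, as an added example that is not the asker's code: it queries all DCs concurrently instead of one after another, converts the raw FILETIME values, skips DCs that fail or hang, and keeps the maximum. The `fetch` callable is where a real LDAP lookup (for instance with ldap3) would go; the `example.test` DC names, `sample_fetch` and the sample values are constructed assumptions.

```python
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta, timezone
# AD stores lastLogon as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """Raw lastLogon value -> aware UTC datetime, or None if nothing recorded."""
    ticks = int(value)
    if ticks <= 0 or ticks >= 0x7FFFFFFFFFFFFFFF:  # 0 / "never" sentinel
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def newest_logon(results):
    """DC name -> raw lastLogon (or None); lastLogon is unreplicated, so take the max."""
    best = (None, None)
    for dc, raw in results.items():
        when = filetime_to_datetime(raw) if raw is not None else None
        if when is not None and (best[1] is None or when > best[1]):
            best = (dc, when)
    return best

def query_all_dcs(dcs, user, fetch, timeout=10.0, workers=32):
    """Query every DC concurrently. fetch(dc, user) is the caller's LDAP lookup
    (e.g. ldap3 search on sAMAccountName=user for lastLogon) -> raw value or None."""
    pool = ThreadPoolExecutor(max_workers=workers)
    futures = {dc: pool.submit(fetch, dc, user) for dc in dcs}
    results = {}
    for dc, fut in futures.items():
        try:
            results[dc] = fut.result(timeout=timeout)
        except Exception:  # timeout, refused connection, LDAP error: no data
            results[dc] = None
    pool.shutdown(wait=False)  # don't let one hung DC stall the whole answer
    return newest_logon(results)

# Constructed sample: 3 DCs with data, 1 that never saw the user, 1 unreachable.
SAMPLE = {"dc01.example.test": "133170048000000000",  # 2023-01-01 00:00 UTC
          "dc02.example.test": "133171362000000000",  # 2023-01-02 12:30 UTC
          "dc03.example.test": "133169472000000000",  # 2022-12-31 08:00 UTC
          "dc04.example.test": "0",                   # never authenticated here
          "dc05.example.test": None}                  # stands in for a dead DC

def sample_fetch(dc, user):  # stands in for the real LDAP call
    if SAMPLE[dc] is None:
        raise ConnectionError(f"{dc} unreachable")
    return SAMPLE[dc]

def run_sample():
    dc, when = query_all_dcs(SAMPLE, "eugen", sample_fetch, timeout=2.0)
    return dc, when.isoformat()  # ('dc02.example.test', '2023-01-02T12:30:00+00:00')
```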

Best Answer

Are you looking to track Windows logins, or just logins to your application?

Tracking for Windows logins got a lot easier with 2008, if that's what you're looking for:

Enable global tracking of last logon timestamp data; set this in a group policy that applies to your DCs (don't apply it to workstations without being aware of the caveats; this policy will prevent login for a system disconnected from the network):

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Display information about previous logons during user logon

Then, the msDS-LastSuccessfulInteractiveLogonTime attribute will have consistent data replicated across the domain.

If you're looking to track just application logins, consider tracking the data in a schema attribute that you just write into yourself on a successful login.