The lastLogoff attribute
Active Directory contains an attribute named lastLogoff alongside the lastLogon attribute. However unlike lastLogon the lastLogoff attribute is not written too and doesn’t appear to be used by Active Directory running on Windows 2000 or Windows Server 2003 Server. Microsoft have plans to use this attribute at a future date in the mean time we can use the solution described below.
Recording users last logoff time
One solution is to store a users last log off time in another attribute which you can easily read using Active Directory Users and Computers and True Last Logon.
When a user logs off a domain connected computer we can store the date and time in an unused Active Directory attribute. We can do this by running a script when the user logs off (download lastLogoff.vbs script).
When the script runs it uses the credentials of the user that is logged on (well logging off), by default a user has permission to update certain attributes within their Active Directory user object, some of these attributes are listed below. Whilst Active Directory does have an attribute named ‘lastLogoff’ unfortunatley this attribute is read-only so we can’t use this so we need to store the last logoff date and time in an attribute we can use.
How it works
- Use the lastLogoff.vbs script to populate a chosen attribute with the date and time the user logged off.
- Edit the script so that date is being stored in an attribute you aren’t currently using (see list below).
- Assign the script to run at logoff using Group Policy.
- Add the attribute to True Last Logon by clicking on the ‘Add/Remove Columns’ button.
- When True Last Logon queries user accounts the last logoff date and time will be retrieved.
Attributes list The last logoff date can be stored in one of the following attributes.
General Tab telephoneNumber wWWHomePage url
Address Tab streetAddress postOfficeBox l (City) st (State) postalCode
Telephone Tab info (Notes, found on the Address tab) homePhone otherHomePhone pager otherPager mobile otherMobile facsimileTelephoneNumber otherFacsimileTelephoneNumber ipPhone otherIpPhone
The script (lastLogoff.vbs)Download lastLogoff.vbs
‘Saves users logoff date and time ‘Use Group Policy to run the script when users logs off.
ON ERROR RESUME NEXT
Set objSysInfo = CreateObject(“ADSystemInfo”) strUser = objSysInfo.UserName
Set objUser = GetObject(“LDAP://” & strUser) strlogoffTime = Cstr(Now)
‘The logoff time needs to be stored in an unsed attribute ‘Select one attribute from the list below and uncomment that line.
‘objUser.info = strlogoffTime
‘objUser.telephoneNumber = strlogoffTime
‘objUser.url = strlogoffTime
‘objUser.wWWHomePage = strlogoffTime
‘objUser.streetAddress = strlogoffTime
‘objUser.postOfficeBox = strlogoffTime
‘objUser.l = strlogoffTime
‘objUser.st = strlogoffTime
‘objUser.postalCode = strlogoffTime
‘objUser.homePhone = strlogoffTime
‘objUser.otherHomePhone = strlogoffTime
‘objUser.pager = strlogoffTime
‘objUser.otherPager = strlogoffTime
‘objUser.mobile = strlogoffTime
‘objUser.otherMobile = strlogoffTime
‘objUser.facsimileTelephoneNumber = strlogoffTime
‘objUser.otherFacsimileTelephoneNumber = strlogoffTime
‘objUser.ipPhone = strlogoffTime
‘objUser.otherIpPhone = strlogoffTime