The lastLogoff attribute
Active Directory contains an attribute named lastLogoff, which you would expect to store the date and time a user logs off. However, unlike the lastLogon attribute, the lastLogoff attribute is not written to and doesn’t appear to be used. Microsoft may have plans to use this attribute at a future date; in the meantime, we can use the solution described below to obtain a useful logoff time.
Recording users last logoff time
The solution is to store the date and time a user logs off in another attribute. Unfortunately, the lastLogoff attribute is read-only so we can’t use this (shame). Instead, we need to store the last logoff date and time in an attribute that is writable and not currently in use.
When a user logs off a domain-connected computer, we need to run a script under the credentials of the logged-in user. The script will write the date and time to our chosen attribute (set in the script). This value can then be read by AD Reporting, so the last logoff date and time can be used in your scheduled reports (or archived to a database, etc.). Note that in AD Reporting you can add additional attributes to your reports, including custom attributes.
By default, a user has permission to update certain attributes within their Active Directory user object. Some of these attributes are listed below.
How it works
- Use the lastLogoff.vbs script (download lastLogoff.zip).
- Edit the script so that the date and time is stored in an attribute you aren’t currently using (see list below).
- Assign the script to run at logoff using Group Policy.
- Add the attribute to AD Reporting by clicking on the ‘Add/Remove Columns’ button.
- When AD Reporting queries user accounts the last logoff date and time will be retrieved.
Suggested Attributes
The last logoff date can be stored in one of the following attributes.
extensionAttribute1 – extensionAttribute10, telephoneNumber, wWWHomePage, url, streetAddress, postOfficeBox, l (City), st (State), postalCode, info (Notes), homePhone, otherHomePhone, pager, otherPager, mobile, otherMobile, facsimileTelephoneNumber, otherFacsimileTelephoneNumber, ipPhone, otherIpPhone
The script (lastLogoff.vbs)
You can download the script from here (lastLogoff.zip)
'This script writes the user's logoff date and time to Active Directory.
'Use Group Policy to run the script when users log off.
On Error Resume Next

'Get the distinguished name of the logged-in user and bind to the user object.
Set objSysInfo = CreateObject("ADSystemInfo")
strUser = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)

'Current date and time as a string, formatted by the client's regional settings.
strlogoffTime = CStr(Now)

'Uncomment one of the lines below to store the value in that attribute.
'objUser.info = strlogoffTime
'objUser.telephoneNumber = strlogoffTime
'objUser.url = strlogoffTime
'objUser.wWWHomePage = strlogoffTime
'objUser.streetAddress = strlogoffTime
'objUser.postOfficeBox = strlogoffTime
'objUser.l = strlogoffTime
'objUser.st = strlogoffTime
'objUser.postalCode = strlogoffTime
'objUser.homePhone = strlogoffTime
'objUser.otherHomePhone = strlogoffTime
'objUser.pager = strlogoffTime
'objUser.otherPager = strlogoffTime
'objUser.mobile = strlogoffTime
'objUser.otherMobile = strlogoffTime
'objUser.facsimileTelephoneNumber = strlogoffTime
'objUser.otherFacsimileTelephoneNumber = strlogoffTime
'objUser.ipPhone = strlogoffTime
'objUser.otherIpPhone = strlogoffTime

'Write the change back to Active Directory.
objUser.SetInfo
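A check for the values read back from the chosen attribute, added here as an example and not part of the original script or of AD Reporting: because the attribute is one users can update on their own object, it flags entries that are missing, unparsable or future-dated before they reach a report. The function name Test-LogoffStamp, the choice of the info attribute, the en-US date format and the sample records are assumptions made for illustration.

```powershell
# Added example: validate logoff stamps read back from the chosen attribute.
# Assumptions: the logoff script stores CStr(Now) in 'info', and clients use
# en-US regional settings (CStr(Now) is formatted by the client's locale).
$Attribute = 'info'
$Culture   = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')

function Test-LogoffStamp {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [AllowNull()][AllowEmptyString()][string]$Value,
        [datetime]$Now = (Get-Date)
    )
    $parsed = [datetime]::MinValue
    $status = 'Missing'
    $when   = $null
    if (-not [string]::IsNullOrWhiteSpace($Value)) {
        $ok = [datetime]::TryParse($Value, $Culture,
                [System.Globalization.DateTimeStyles]::AssumeLocal, [ref]$parsed)
        if (-not $ok) {
            $status = 'Unparsable'      # attribute holds something other than a date
        } elseif ($parsed -gt $Now.AddMinutes(5)) {
            $status = 'FutureDated'     # clock skew beyond 5 minutes, or an edited value
            $when   = $parsed
        } else {
            $status = 'OK'
            $when   = $parsed
        }
    }
    [pscustomobject]@{
        User = $SamAccountName; Raw = $Value; LastLogoff = $when; Status = $status
    }
}

# Constructed sample records standing in for directory query results.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; info = '3/14/2024 5:02:11 PM' }
    [pscustomobject]@{ SamAccountName = 'bjones'; info = 'Call me on ext. 4410' }
    [pscustomobject]@{ SamAccountName = 'cwhite'; info = '1/1/2099 9:00:00 AM' }
    [pscustomobject]@{ SamAccountName = 'dgreen'; info = $null }
)

# Against a live domain (ActiveDirectory module), replace $sample with:
#   Get-ADUser -Filter * -Properties $Attribute
$sample | ForEach-Object {
    Test-LogoffStamp -SamAccountName $_.SamAccountName -Value $_.$Attribute
} | Format-Table -AutoSize
```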