什么使 AD 中的 lastLogon 属性更新
[英]What makes lastLogon attribute update in AD
问题描述
I have an Active Directory query for you folks
我有一个 Active Directory 查询给你们
Been working at a company as a sys admin for a while now.作为系统管理员在一家公司工作了一段时间。 We have 6 DMCs (2 Azure hosted, and then 2 for each of our two sites, one physical and one backup).我们有 6 个 DMC(托管 2 个 Azure,然后我们的两个站点各 2 个,一个物理站点和一个备份站点)。
We have had an issue in the recent months with administrator privilege abuse, so we have created a separate admin account for every domain user in a new organisational unit.最近几个月我们遇到了滥用管理员权限的问题,因此我们为新组织单位中的每个域用户创建了一个单独的管理员帐户。 These admin accounts now have local admin access to their workstations, and not their regular domain account so we can better monitor the sign ins of those who are regularly signing in and those who are not.这些管理员帐户现在拥有对其工作站的本地管理员访问权限,而不是他们的常规域帐户,因此我们可以更好地监控那些经常登录和不经常登录的人的登录。
I created several powershell scripts to collect the lastLogon attribute information from each of the 6 DMCs, as that's a non-replicated value and unique to each DMC.我创建了几个 powershell 脚本来从 6 个 DMC 中的每一个收集 lastLogon 属性信息,因为这是一个非复制值并且对每个 DMC 都是唯一的。 But, now this is what's confused me, it doesn't seem to be an accurate measure of when the admin accounts are actually signed in. For instance when cmd is run as administrator, or when software is installed.但是,现在让我感到困惑的是,它似乎并不是管理员帐户实际登录时间的准确衡量标准。例如,当 cmd 以管理员身份运行或安装软件时。
I have run multiple tests with my admin account on this and what's struck me as bizarre is the badpwrdcount attribute will update on the DMC when I put it in incorrectly running cmd as administrator, but when I sign in correctly, the lastLogon attribute does not increase…across any of the DMCs.我已经用我的管理员帐户对此进行了多次测试,令我感到奇怪的是,当我以管理员身份错误地运行 cmd 时,badpwrdcount 属性将在 DMC 上更新,但是当我正确登录时,lastLogon 属性不会增加…跨任何 DMC。 This got me thinking, and actually questioning my understanding, of what counts towards a lastLogon.这让我开始思考,实际上是在质疑我对 lastLogon 的理解。 It's any domain authenticated login, which running cmd as administrator does…it authenticates the admin account of the user.它是任何经过域身份验证的登录,以管理员身份运行 cmd……它对用户的管理员帐户进行身份验证。 It has to do this otherwise the badpwrdcount attribute wouldn't increase.它必须这样做,否则 badpwrdcount 属性不会增加。 It also cannot be a time delay or sync issue as again the badpwrdcount updates instantly.它也不能是时间延迟或同步问题,因为 badpwrdcount 会立即更新。
It seems the only sign ins that I can confirm register to this attribute are when the workstation itself is unlocked, or when the user remotes to another machine.似乎我可以确认注册到此属性的唯一登录是当工作站本身被解锁时,或者当用户远程连接到另一台机器时。
This has caused us all a lot of head scratching as it has kind of defeated the purpose of creating these second user admin accounts now as we can't properly monitor the sign ins.这让我们所有人都很头疼,因为它有点破坏了现在创建这些第二个用户管理员帐户的目的,因为我们无法正确监控登录。 It was already a begrudgingly accepted addition, so we don't want to admit that we're now having issues with it.它已经是一个勉强接受的添加,所以我们不想承认我们现在遇到了问题。
Any help with this would be fantastic.对此的任何帮助都会很棒。
TL:DR;长话短说:博士; lastLogon attribute in AD not updating across all DMCs when logging in with a second admin user account to run cmd as admin, yet the badpwrdcount attribute updates if the password is entered incorrectly.当使用第二个管理员用户帐户以管理员身份运行 cmd 时,AD 中的 lastLogon 属性不会在所有 DMC 中更新,但如果密码输入错误,badpwrdcount 属性会更新。
1 个解决方案
解决方案1
0 2022-07-03 17:18:02
The LastLogOn is set whenever a new logon session is initiated.每当启动新登录 session 时,都会设置 LastLogOn。 One reason the LastLogOn is not updated might be that the admin user still has a valid kerberos TGT/TGS on the machine. LastLogOn 未更新的原因之一可能是管理员用户在计算机上仍然具有有效的 kerberos TGT/TGS。 You can check, eg that via issuing the command:您可以通过发出命令来检查,例如:
klist sessions
from the command line.从命令行。 Try purging all tickets尝试清除所有门票
klist purge -lh 0 -li 3e7
klist purge -lh 0 -li 3e5
klist purge -lh 0 -li 3e4
and then connect again with an admin account and check whether LastLogOn is updated on the respective domain controller...然后再次使用管理员帐户连接并检查 LastLogOn 是否在相应域 controller 上更新...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.