All about Active Last Logon
I'm sure many of you who see this blog aren't necessarily that familiar with Active Directory so I decided to post more about what Active Last Logon does and how the decision to create this product came about.
In brief, Active Directory is a database of users, resources and ACLs that grant access to those resources. It also handles authentication and authorization. There is plenty more to it, such as workstation management, but for our purposes today that is enough.
Administrators typically use a tool called "Active Directory Users and Computers" (ADUC) to manage users, groups, workstations, etc. When you look at the properties of a user's account using ADUC you see mostly static data: the user's full name, group memberships, login script, etc.
Active Directory does, however, store some data that is more dynamic. One example is the last time the user logged on to Active Directory, which is updated each time the user logs on. The catch is that the "Last Logon Time" attribute stored in Active Directory is a non-replicated property, meaning each domain controller has its own copy of this property that applies only to itself. The end result is a different value for the last logon time on each domain controller.
For the purposes of this post, just consider a domain controller to be a server that holds a copy of the Active Directory DB and can authenticate users.
So to get an accurate value for the last time the user logged on, each domain controller must be checked. Here is where my product Active Last Logon comes in. It adds a tab to ADUC called Last Logon that polls all the domain controllers and displays the most recent value.
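The per-controller polling described above, as an added example in PowerShell (not Active Last Logon's own code): it assumes the ActiveDirectory RSAT module, reads the `lastLogon` attribute from every domain controller, and lists any controller that could not be queried, because a missing answer makes the result only a lower bound. The function name `Get-TrueLastLogon` and the account `jdoe` are hypothetical.

```powershell
# Added example: resolve a user's most recent logon by asking every domain controller.
# Assumes the ActiveDirectory module (RSAT) is installed; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)] [string] $Identity
    )

    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                               -Properties lastLogon -ErrorAction Stop
            # lastLogon is a FILETIME (100-ns intervals since 1601-01-01 UTC).
            # 0 or empty means this controller has never authenticated the user.
            $stamp = if ($user.lastLogon -gt 0) {
                [DateTime]::FromFileTimeUtc($user.lastLogon)
            } else { $null }
            [pscustomobject]@{
                DomainController = $dc.HostName; LastLogonUtc = $stamp; Error = $null
            }
        }
        catch {
            # Keep the failure visible: a controller that did not answer may hold
            # a newer timestamp than any controller that did.
            [pscustomobject]@{
                DomainController = $dc.HostName; LastLogonUtc = $null
                Error = $_.Exception.Message
            }
        }
    }

    # Most recent non-empty timestamp across all controllers that answered.
    $latest = $results | Where-Object LastLogonUtc |
              Sort-Object LastLogonUtc -Descending | Select-Object -First 1

    [pscustomobject]@{
        Identity     = $Identity
        LastLogonUtc = $latest.LastLogonUtc        # $null if no controller has a logon
        ReportedBy   = $latest.DomainController
        FailedDCs    = @($results | Where-Object Error | ForEach-Object DomainController)
        PerDC        = $results
    }
}

Get-TrueLastLogon -Identity 'jdoe'
```

When the result feeds a stale-account review, treat a non-empty `FailedDCs` as "unknown" rather than "inactive" before disabling anything.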
The idea to create this product came about because of my background as an administrator on Novell eDirectory networks. In that environment the last logon time is displayed by the management tools by default. This is because the last logon attribute in eDirectory is a replicated attribute. I then found myself working on Active Directory networks and wanted to see this value, thus giving me the idea to create this product.
The differing philosophies of Active Directory and eDirectory are a subject for a later post.
I hope this post has helped some of you who may be reading this and aren't familiar with Active Directory to understand my product a bit.
Thanks for reading.
2 Comments:
That's a nice simple explanation! I think it is admirable that you have identified such a specific feature to implement which I think is a great way to start a MicroISV. I'll be curious to hear how you get the word out about it... Best of luck.
By Anonymous, at 12:13 PM, February 26, 2006
Thanks Ben, I'm glad to hear that the explanation makes sense. I've been feeling the stiffness in my writing muscles since I started working on this mISV
By Leroy Clark, at 2:56 PM, February 26, 2006