Last logon different in DumpSec and Hyena

  • Last logon different in DumpSec and Hyena

    Hey guys,

    I know LastLogon is sometimes a tricky attribute to deal with, but I'm seeing some strange results.

    First, I used DumpSec 2.8.6 to dump a user table with the "show true last logon" checked so that it queried all domain controllers. That took about 2 days to finish (15000+ users over many DCs scattered all over the country).

    Next, out of curiosity, I used Hyena 5.7 and Exporter Pro 1.5 to do the equivalent dump of AD (and selected the option to query all DCs). This dump took about 10 minutes to finish.

    However, when comparing the results, I found approximately 1000 inconsistencies where the Hyena lastlogon date was way older than the DumpSec date (sometimes up to three years apart!). In all cases, the DumpSec date was the right one.

    My question is, why would Hyena show a different date, when both tools should be querying all DCs in the same way? I'd really like to use Hyena for this because it is WAY faster, but I have to ensure accurate data. I've tried different settings in the exporter, such as using AD for getting list of computers, using Windows Browse List for list of computers, but nothing seems to make a difference. Is there any reason why the older DumpSec tool is getting more accurate data than the newer Hyena?

    Any help is greatly appreciated.

    Thanks!
    Bash

  • #2
    Re: Last logon different in DumpSec and Hyena

    Exporter Pro is up to v2.2 at this point, so you might start there. I don't know that anything changed in that area, but it's always good to have the latest version. From there if you still have trouble with the information, send exact steps and screenshots to [email protected] so we can see what you are doing.



    • #3
      Re: Last logon different in DumpSec and Hyena

      In addition to updating to the latest version, there are a number of differences to keep in mind:

      - DumpSec uses the browse list to get the list of DCs. This can be error prone, as if a DC is temporarily down, it will be missing from the list and therefore its data won't be merged into the last logon data.

      - Exporter Pro gets the DC list from AD, and then queries each one for the last logon information.

      A good way to start to determine what is what is to run Exporter Pro with the option to get the last logon information and report it from all DCs instead of consolidating the information into one record for each user. That way, you can see exactly which date/time the user logged into each DC and if one is different, you can see why. It won't take any longer to do this, but your output will be larger, so with a lot of user accounts you may have to load the file into Access instead of Excel.

      You can also use Hyena to get the logon information for a single user account and use that to troubleshoot too.

      Let us know what you find.
      Kevin Stanush
      SystemTools Software Inc.



      • #4
        Re: Last logon different in DumpSec and Hyena

        Thanks for the replies, guys.

        I've just upgraded to Exporter 2.2 and re-run the same query. Unfortunately, I get the same result as before.

        I used Hyena on one particular problem user like kstanush suggested, and it appears that the problem is that even after querying all DCs, Hyena only sees one logon date (which is about 3 years older than it should be). So, it's not even recognizing the fact that the user has logged in since then (yet it DOES recognize that the passwordlastset date is just a few months ago).

        It's strange that DumpSec is MORE accurate, especially considering the browse list point. Is it possible that DumpSec is somehow querying a server that isn't in AD's list of DCs?



        • #5
          Re: Last logon different in DumpSec and Hyena

          In Hyena there is a button on the Logon Information page that you can click to 'Check all Domain Controllers'. Did you click that? That is going to show you a list of all DCs. And did you run the Exporter Pro report with the option to show all of the logon information from all domain controllers? That will show you where all of the information is coming from.

          I don't understand / follow you that the information from Exporter Pro is different if you ran the report with the option to show the information from all DCs...
          Kevin Stanush
          SystemTools Software Inc.



          • #6
            Re: Last logon different in DumpSec and Hyena

            To get a list of the DCs used by Hyena or Exporter Pro, click on the + next to "Domain Controllers" under your domain in Hyena's left window.
            Kevin Stanush
            SystemTools Software Inc.



            • #7
              Re: Last logon different in DumpSec and Hyena

              Yup, I right-clicked the user name, went to 'view logon information', and clicked on 'check all domain controllers'. When I did that, it took a few minutes to refresh, but eventually came back with a whole bunch of "never" entries and a couple dates, the most recent being 03/10/2005.

              That 03/10/2005 is the same date that Exporter Pro shows. When I said that the info was different, I was referring to what I was getting from DumpSec. For that same user, my DumpSec report is showing a date of 01/11/2009. That's what confuses me. I would think that both should be the same, or if anything, DumpSec would show an older date!



              • #8
                Re: Last logon different in DumpSec and Hyena

                Take a look at the list from Hyena's last logon dialog, and see which DCs are reported with a date or 'never'. I hope when you ran the DumpSec report that you included the 'last logon server' in your output, as that will show the server that DumpSec is getting the last logon information from.

                Optionally, you can look under Hyena's Domain Controllers listing in the left window and see if you can spot any DCs that are not in that list.
                Kevin Stanush
                SystemTools Software Inc.
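
The comparison suggested in posts #3 and #8, sketched as an added example that is not part of the thread and not code from either tool: consolidate a per-DC dump to each user's newest lastLogon, then check whether the server named by a second tool's report was among the DCs actually queried. The CSV layouts, column names and sample rows are constructed assumptions, not the real Exporter Pro or DumpSec output formats.

```python
import csv, io
from datetime import datetime, timedelta, timezone

# Constructed per-DC rows (hypothetical columns): one row per user per DC queried.
# lastLogon is the raw attribute: 100-ns ticks since 1601-01-01 UTC, 0 = never.
PER_DC_CSV = """user,dc,lastLogon
jdoe,DC01,0
jdoe,DC02,127548864000000000
jdoe,DC03,0
asmith,DC01,128761056000000000
asmith,DC02,127548864000000000
"""
# Constructed rows from a second tool's consolidated report that names its source server.
OTHER_CSV = """user,lastLogon,logonServer
jdoe,128761056000000000,DC07
asmith,128761056000000000,DC01
"""

def filetime_to_dt(raw):
    ticks = int(raw)
    if ticks == 0:
        return None  # never logged on against this DC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def consolidate(per_dc_csv):
    """Return ({user: (latest logon or None, DC holding it)}, set of DCs queried)."""
    latest, dcs = {}, set()
    for row in csv.DictReader(io.StringIO(per_dc_csv)):
        dcs.add(row["dc"].upper())
        when = filetime_to_dt(row["lastLogon"])
        best = latest.setdefault(row["user"], (None, None))
        if when and (best[0] is None or when > best[0]):
            latest[row["user"]] = (when, row["dc"].upper())
    return latest, dcs

def explain_mismatches(per_dc_csv, other_csv):
    """List users whose other-tool date is newer, and whether its source DC was queried."""
    latest, dcs = consolidate(per_dc_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(other_csv)):
        ours = latest.get(row["user"], (None, None))[0]
        theirs = filetime_to_dt(row["lastLogon"])
        if theirs and (ours is None or theirs > ours):
            server = row["logonServer"].upper()
            cause = "DC not queried" if server not in dcs else "DC queried, value differs"
            findings.append((row["user"], server, cause))
    return findings

if __name__ == "__main__":
    for finding in explain_mismatches(PER_DC_CSV, OTHER_CSV):
        print(finding)
```

A "DC not queried" finding points at a gap in the DC list one tool enumerated; a "DC queried, value differs" finding points at how that DC was read.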



                • #9
                  Re: Last logon different in DumpSec and Hyena

                  DOH! Just checked the DumpSec report and of course, LogonServer was nowhere to be found!

                  Good tip, though. I'll start another report up tonight and let it run for a couple days...could be done by Friday, but will definitely be done over the weekend, so I'll know by Monday for sure.

                  Thanks again!

