Hey guys,
I know LastLogon is sometimes a tricky attribute to deal with, but I'm seeing some strange results.
First, I used DumpSec 2.8.6 to dump a user table with the "show true last logon" checked so that it queried all domain controllers. That took about 2 days to finish (15000+ users over many DCs scattered all over the country).
Next, out of curiosity, I used Hyena 5.7 and Exporter Pro 1.5 to do the equivalent dump of AD (and selected the option to query all DCs). This dump took about 10 minutes to finish.
However, when comparing the results, I found approximately 1000 inconsistencies where the Hyena LastLogon date was way older than the DumpSec date (sometimes up to three years apart!). In all cases, the DumpSec date was the right one.
My question is, why would Hyena show a different date, when both tools should be querying all DCs in the same way? I'd really like to use Hyena for this because it is WAY faster, but I have to ensure accurate data. I've tried different settings in the exporter, such as using AD for getting list of computers, using Windows Browse List for list of computers, but nothing seems to make a difference. Is there any reason why the older DumpSec tool is getting more accurate data than the newer Hyena?
Any help is greatly appreciated.
Thanks!
Bash
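Each domain controller keeps its own lastLogon value for an account and the attribute is not replicated, which is why a "true last logon" has to ask every DC and keep the newest answer. The sketch below is an added example, not part of the original post and not code from either tool: it merges per-DC values, records which DCs returned nothing, and lists the rows where a second tool's export is older than the merged value. The DC names, account names and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """lastLogon is a FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means never."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def true_last_logon(per_dc):
    """per_dc: {dc: {user: filetime}}; a DC that could not be queried maps to None.
    Returns ({user: (newest filetime, DC holding it)}, [unreachable DCs])."""
    newest, unreachable = {}, []
    for dc, users in per_dc.items():
        if users is None:
            unreachable.append(dc)  # a skipped DC may hold the newest value
            continue
        for user, ft in users.items():
            if user not in newest or ft > newest[user][0]:
                newest[user] = (ft, dc)
    return newest, unreachable

def stale_rows(tool_export, newest, tolerance=timedelta(minutes=1)):
    """Rows where a tool's reported date is older than the newest per-DC value."""
    out = []
    for user, reported in tool_export.items():
        best = filetime_to_dt(newest[user][0])
        if best and (reported is None or best - reported > tolerance):
            out.append((user, reported, best, newest[user][1]))
    return out

def _t(y, m, d):
    return datetime(y, m, d, 8, 30, tzinfo=timezone.utc)

# Constructed sample data (hypothetical DC and account names).
PER_DC = {
    "dc-hq": {"alice": dt_to_filetime(_t(2010, 3, 1)), "bob": 0},
    "dc-branch": {"alice": dt_to_filetime(_t(2007, 5, 9)),
                  "bob": dt_to_filetime(_t(2010, 2, 2))},
    "dc-remote": None,  # query timed out
}
SECOND_TOOL = {"alice": _t(2010, 3, 1), "bob": None}  # export being checked

if __name__ == "__main__":
    newest, unreachable = true_last_logon(PER_DC)
    for user, reported, best, dc in stale_rows(SECOND_TOOL, newest):
        print(f"{user}: export says {reported}, newest is {best} on {dc}")
    print("not queried:", unreachable)
```

The DC column in each flagged row shows where the newest value lives, which is the first place to check whether the faster export actually reached that controller.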