May 15, 2013

Gold Finger's Unique Cumulative/Effective Access Entitlement Assessment Capabilities Now Protected by a Powerful U.S. Cyber Security Patent

Gold Finger's unique cumulative/effective access entitlement assessment capabilities, which today automate the determination of effective access in Active Directory, are now protected by a powerful U.S. cyber security patent.

Gold Finger is today the world's only cyber security solution that can accurately analyze and determine who is delegated/provisioned what effective access in Active Directory deployments -

Gold Finger 007 - Active Directory Delegation Audit Tool

The need to know who is delegated/provisioned what administrative access in Active Directory is mission-critical to business and arguably the most important aspect of Active Directory security. It is mission-critical because Active Directory stores the proverbial keys to the kingdom, and knowing who has the keys to which parts of the kingdom is paramount to cyber security.

For more information on this powerful patent and its impact on the cyber security space, please visit -

In days to come, we shall share additional information about its unique capabilities including its unique fully-automated Active Directory Delegation Audit capabilities.

March 26, 2013

How to Audit Inactive User Accounts in Active Directory

IT admins often need to be able to audit inactive user accounts in their Active Directory environments.

This is usually done to identify and disable inactive user accounts so that they are not left at risk. As a result, admins need a way to identify all accounts that have been inactive for some time.

Inactive Domain User Accounts

The exact amount of time after which an account is considered inactive is relative, though, and depends on what the organization's security policies deem inactive. For some organizations this can be as little as 30 days, whereas for others it could be a period of 90 days.

In order to find and audit inactive user accounts, IT personnel need to be able to obtain true last logon values from Active Directory. This is usually tedious because this information is stored in a non-replicated attribute, so to get accurate results, IT admins are required to get this value from each domain controller (DC) and then compare the values to determine the last time that a user was active.

Depending on the number of domain controllers (DCs) in the environment, this can sometimes take a considerable amount of time and effort because to do so, admins would need to query the value from all DCs, then compare them, and then determine the true last logon time for each user. Depending on the number of users, this can take a very long time.

How to Easily Audit Inactive User Accounts in Active Directory

In this regard, an automated tool, like this Active Directory Audit Tool, can automate the entire process for IT administrators, thereby making the identification/audit of inactive accounts as easy as touching a button.

Active Directory Security Audit Tool
Identifying Inactive Accounts with the Gold Finger for AD Audit Tool

The use of an automated Active Directory audit tool to identify/audit inactive Active Directory user accounts can thus make it very easy for IT admins to fulfill this requirement and save valuable time. A good Active Directory audit tool, such as Gold Finger for Active Directory, can also make it very easy to generate a variety of other reports, thus saving valuable time and effort and letting administrators apply their valuable time to more important problems, such as maintaining Active Directory security, which is critical to cyber security today.

The identification of inactive accounts is important for security, and automation can help IT admins easily identify/audit inactive accounts in their mission-critical Active Directory environments.

October 2, 2012

How to Generate a List of all Stale Computer Accounts in Active Directory

IT administrators are often tasked with identifying and enumerating a list of all stale domain computer accounts.

This is often required for security reasons, particularly to ensure that certain computers are not left without the latest patches, and/or in some cases to temporarily disable computer accounts that are not in use. It can also be used to decommission computers that have not been used and will not be used for the foreseeable future.

Active Directory True Last Logon

In order to identify stale domain computer accounts, one needs to first define what is considered stale, and this is usually done by determining the number of days of inactivity that would be considered to qualify as a "stale" account. For most organizations, this value is 90 days.

With this in mind, in order to enumerate stale domain computer accounts, you need to search the Active Directory for all domain computer accounts whose lastLogonTimeStamp is older than the number of days considered stale.

Note that if the number of days is less than 14, it may not be sufficient to rely on lastLogonTimestamp, as that attribute is only about 14 days current.

While some IT administrators resort to using scripts, and others use PowerShell to make this determination, the easiest way to determine stale domain computer accounts is by using Gold Finger's Security Audit Report Generation capability -

How to generate a list of all stale domain computer accounts in Active Directory

Gold Finger has a dedicated report - List of all domain computer accounts that have not authenticated in the last x days, where x is customizable, ranging from 0 to 5000 days.

This report takes the True Last Logon Time of all domain computer accounts into consideration, based on the value queried from and compared across all Domain Controllers in the computer's domain, and instantly reveals the list of all such domain computer accounts.

You can also export the list of all stale domain user accounts to a CSV file, as well as generate a professional-grade PDF report, completely customized, including your organization's logo, and furnish this report as evidence for security audit and/or regulatory compliance purposes.

For more information on Gold Finger's fully-automated True Last Logon reporting capabilities, please visit -

Sometimes, in addition to generating a list of stale computer accounts, one needs to know how to get a list of the groups that a user belongs to in Active Directory. This can be done easily by using an Active Directory group enumeration tool. On a related note, sometimes one also needs to know where a domain security group has permissions in Active Directory, and this can be done by using an Active Directory Permissions Analyzer to analyze AD security permissions / ACLs.

September 17, 2012

How to Generate Active Directory True Last Logon Reports using Gold Finger

In this blog, as we begin coverage of how to generate Active Directory True Last Logon reports, we will be making extensive use of the Gold Finger Active Directory Reporting Tool. It would thus be helpful to have a basic understanding of how to use Gold Finger's automated True Last Logon report generation capabilities for Active Directory.

The following is thus a brief demo that shows how to use Gold Finger to generate Active Directory True Last Logon reports.

In addition to generating Active Directory True Last Logon Reports, Gold Finger can also generate accurate Active Directory security audit reports as well as effective delegated access reports that document who is delegated what access where and how.

Once you have gained familiarity with how to use Gold Finger to generate Active Directory reports, it will be much easier to follow various examples that we shall share as we cover this subject.

December 8, 2010

How to Generate True Last Logon Reports in Active Directory

How to Easily Generate True Last Logon Reports in your Active Directory Environment

As an IT Administrator or an IT Security Analyst you may have a business need to determine and report the last time that a user of a domain account in your Active Directory logged on.

True Last Logon Reports In Active Directory

For instance, last logon values are often required to generate and furnish a list of all stale domain user or computer accounts in a Microsoft Windows Server based IT infrastructure. Stale accounts are accounts that have not been used for an extended period of time, and are thus considered, well, stale.

Last Logon Times and Active Directory

In Microsoft Windows Server based environments, the logon time values for every domain user and computer are actually stored in the Active Directory, and thus generating last logon reports involves reading these values from the Active Directory.

Basically, as you may know, all objects in Active Directory are a collection of specific attributes, and the last logon time of an Active Directory user or computer account is also stored in a dedicated attribute called the lastLogon attribute. However, unlike other attributes, this attribute is NOT replicated amongst all domain controllers, but is instead stored locally on each domain controller in an Active Directory domain.

As a result, in order to obtain an accurate value for a user's actual Last Logon time, one needs to obtain this value from each domain controller and then compare each of these values to determine which of them represents the latest logon time for the user. This process is also referred to as determining the True Last Logon time of an Active Directory domain user or computer account, and the actual last logon value is also commonly referred to as the True Last Logon.

Technically speaking, the value is stored as an 8-byte integer (meaning that it is a 64-bit number) and represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. This date is in Coordinated Universal Time (UTC).

Determining Last Logon in Active Directory is a Two Step Process

Thus there are two steps to determining the true last logon time of a domain user account. The first step involves obtaining the value from each DC in the domain, and the second step involves comparing these values (taking into account Integer8 syntax) to arrive at the true last logon value for the user.

To complete these steps, you can either write your own scripts to determine the True Last Logon values for user and computer accounts, or you can use 3rd party scripts (often untested or unreliable, though). Alternatively, you can use 3rd party tools to generate True Last Logon reports.

Using lastLogonTimeStamp for Approximations

For Active Directory domains running at the Windows Server 2003 domain functional level, there is a newer attribute called lastLogonTimeStamp that is replicated and can thus be read from any DC. The downside is that it is only updated during a user logon if its existing value is more than 14 days in the past, so it is accurate only to within about 14 days and is neither 100% accurate nor reliable for anything finer than that.
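As an added example (not Gold Finger's or Paramount Defenses' code), the following Python carries out the two steps described above on constructed per-DC lastLogon values, converting the Integer8 timestamps, keeping the latest value per account, and then applying the inactivity threshold used in the earlier posts on inactive user and stale computer accounts; a lastLogonTimeStamp-based check refuses thresholds below 14 days for the reason just given. The DC names, account names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Integer8 values count 100-nanosecond intervals since 1601-01-01 00:00 UTC; 0 = never logged on.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LASTLOGONTIMESTAMP_LAG_DAYS = 14  # the replicated attribute is refreshed only about every 14 days

def integer8_to_datetime(value):
    """Integer8 -> timezone-aware UTC datetime, or None for 'never logged on'."""
    if value <= 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def datetime_to_integer8(when):
    """Inverse conversion; used here only to build the constructed sample data."""
    return (when - EPOCH_1601) // timedelta(microseconds=1) * 10

def true_last_logon(per_dc_values):
    """Step 2: compare the non-replicated lastLogon read from each DC in step 1 and keep the latest."""
    return integer8_to_datetime(max(per_dc_values.values(), default=0))

def is_stale(last_logon, threshold_days, now):
    """Stale = never logged on, or last logon older than the organisation's threshold."""
    return last_logon is None or now - last_logon > timedelta(days=threshold_days)

def is_stale_from_lastlogontimestamp(value, threshold_days, now):
    """Same check on the replicated lastLogonTimeStamp; it cannot support thresholds under 14 days."""
    if threshold_days < LASTLOGONTIMESTAMP_LAG_DAYS:
        raise ValueError("lastLogonTimeStamp is only about 14 days current; query lastLogon on every DC")
    return is_stale(integer8_to_datetime(value), threshold_days, now)

# Constructed sample data: one lastLogon value per DC (dc1..dc3) for three accounts.
UTC = timezone.utc
SAMPLE_NOW = datetime(2013, 3, 26, 12, 0, tzinfo=UTC)
SAMPLE_ACCOUNTS = {
    "alice": {"dc1": datetime_to_integer8(datetime(2012, 12, 1, 9, 0, tzinfo=UTC)),
              "dc2": datetime_to_integer8(datetime(2013, 3, 20, 8, 15, tzinfo=UTC)), "dc3": 0},
    "bob": {"dc1": datetime_to_integer8(datetime(2012, 11, 1, 7, 30, tzinfo=UTC)), "dc2": 0, "dc3": 0},
    "svc-legacy": {"dc1": 0, "dc2": 0, "dc3": 0},  # never authenticated against any DC
}

def audit_report(accounts=SAMPLE_ACCOUNTS, threshold_days=90, now=SAMPLE_NOW):
    """Return {account: (True Last Logon as ISO-8601 text or None, stale?)} for the audit."""
    report = {}
    for name, per_dc in accounts.items():
        last = true_last_logon(per_dc)
        report[name] = (last.isoformat() if last else None, is_stale(last, threshold_days, now))
    return report

if __name__ == "__main__":
    print(audit_report())
```

In a real audit the per-DC dictionaries would be filled by reading lastLogon from every DC in the domain; the comparison and threshold logic stays the same.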

The most reliable, efficient and cost-effective way to determine True Last Logon times is to use a reliable automated reporting solution for Active Directory.

Using a Reliable Reporting Tool for Last Logon Report Generation

There are numerous tools that are available that automate the determination of True Last Logon reports in Active Directory, but care should be taken when selecting a tool to ensure that it not only meets your reporting needs but is also trustworthy enough to be run in your security context.

This is very important because a poorly written tool, or one whose integrity is not verifiable could in many ways compromise the security of your entire Active Directory as it is being used by you, in all likelihood in an administrative context.

This is particularly important because there are numerous tools available today which may be very cheap to procure but which could also endanger the security of your environment, having been built in countries like Russia, Romania or India, by potentially inexperienced developers.

How to Instantly Determine True Last Logon Times using a Trustworthy Automated Reporting Tool

The Gold Finger from Paramount Defenses Inc is a highly trustworthy and capable Active Directory reporting tool that can be used to fulfill all your True Last Logon reporting needs.

Gold Finger completely automates the entire True Last Logon report generation process, so all you need to do is point it to an organizational unit (OU), container or domain, and press a button.
Here is a list of the True Last Logon Reports that you can instantly generate using the Gold Finger -
  1. All user accounts that have logged on in the last few (0 – 5000) days
  2. All user accounts that have not logged on in the last few (0 – 5000) days
  3. All user accounts that have never logged on
  4. All user accounts that have logged on at least once
  5. All user accounts that recently failed a logon attempt
  6. All computer accounts that have logged on in the last few (0 – 5000) days
  7. All computer accounts that have not logged on recently
  8. All computer accounts that have never logged on
  9. All computer accounts that have logged on at least once
In addition, it also offers numerous other helpful features, such as the ability to generate professional-grade PDF reports complete with a custom title, heading, descriptions and custom reporting fields, including the True Last Logon Time for every domain user and computer account.

Its highly intuitive user interface makes it a snap to generate these reports, and you can even select your custom range of days, from 0 all the way to 5000 days. In addition, you can also focus the report on a specific organizational unit or container to completely customize every aspect of report generation.

Active Directory True Last Logon Reporting Demo

Here is a video that illustrates Gold Finger's Active Directory True Last Logon reporting capabilities -

True Last Logon Reporting Capabilities

The following is a list of True Last Logon reporting capabilities of the Gold Finger security analysis tool -
  1. Instantly generate True Last Logon Reports in Active Directory
  2. Have values from all DCs automatically included and compared
  3. Bind to a specific DC
  4. Use alternate credentials for generating reports
  5. Specify day ranges up to 5000 days
  6. Export results to a CSV file
  7. Generate completely customized, professional-grade PDF reports

Additional Capabilities

In addition to being able to analyze security permissions in Active Directory, Gold Finger offers the following security analysis capabilities for Active Directory -

  1. Customizable Security Audit Report Generation
  2. Nested Group Membership Enumeration
  3. A Detailed ACL Viewer
  4. A Bulk ACL Exporter
  5. Permissions Analyzer
  6. Effective Permissions Analyzer
  7. Effective Delegated Access Analyzer
  8. Effective Delegated Access Reports

Additional Information

Gold Finger's valuable Active Directory security analysis capabilities are endorsed by Microsoft and trusted by numerous prominent organizations including Microsoft IT and the US Army.

For more information on Gold Finger's permission analyzer capabilities for Active Directory, and to download a free trial, please visit

Many IT administrators need to know how to determine True Last Logon in Active Directory. True Last Logon reports can generally be generated by using a good security / access reporting / analysis / audit tool for Microsoft Active Directory. Because the last logon value must be queried from all DCs in a domain, an automated way to generate Active Directory True Last Logon reports is important. IT admins may find it helpful to know how to generate True Last Logon reports in Active Directory using a True Last Logon reporting tool. True Last Logon reports are very helpful in determining who last logged on, as well as in detecting stale computer accounts.