What is the default logs storage time in AD domain controller server?
I do not have this with me to check, as I am not an OS administrator. I suppose there is some default time set in Active Directory (AD) for log storage. I am particularly interested in the storage of logs for users logging in/out. I would need to inspect these logs, as some AD users were deleted, but I have to find out the last time they actually logged in to the system.
Default Tombstone Lifetime Settings (days):
- Windows 2000 or Windows Server 2003 RTM: 60
- Server 2003 SP1: 180
- Server 2003 R2: 60 or 180
- Server 2003 SP2, Server 2003 R2 SP2, and later: 180
- Windows Server 2008 and higher: 180
Determining actual system's Tombstone Lifetime Setting:
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=<FQDN>" -scope base -attr tombstonelifetime
Getting deleted objects:
Ldifde -u -x -f <FileName.txt>
- -u: Use Unicode format
- -x: Include deleted objects (tombstones)
To find deleted users:
- in the <FileName.txt> search for \0ADEL string or CN=Deleted Objects.
- or use GUI: use ldp.exe and look for CN=Deleted Objects.
Getting UserName and timestamp of NOT deleted users:
dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr sAMAccountName lastlogontimestamp
If more data is needed, use -attr *.
To convert received timestamp to date use this:
w32tm /ntte 130722669980039000
Output:
151299 09:16:38.0039000 - 31.03.2015 12:16:38 (local time)
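For a saved dsquery export, the same conversion can be done offline for every account at once. The following Python is an added example, not part of the original answer; the sample export is constructed (only the jdoe value is the timestamp shown above), and the function names and the two-column table layout are assumptions.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of "-attr sAMAccountName lastlogontimestamp" output.
SAMPLE = """\
  sAMAccountName    lastlogontimestamp
  jdoe              130722669980039000
  asmith
  svc_backup        131000000000000000
"""

def filetime_to_utc(ticks):
    """Return an aware UTC datetime, or None when the value is unset (0)."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_dsquery(text):
    """Map each account name to its last logon time (None = never logged on)."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() == "samaccountname":
            continue  # skip blank lines and the header row
        if len(parts) >= 2 and parts[-1].isdigit():
            name, ticks = " ".join(parts[:-1]), int(parts[-1])
        else:
            # Attribute missing: dsquery prints only the name column.
            name, ticks = " ".join(parts), 0
        rows[name] = filetime_to_utc(ticks)
    return rows

def oldest_first(rows):
    """Account names ordered by last logon, never-logged-on accounts first."""
    return sorted(rows, key=lambda n: rows[n] or FILETIME_EPOCH)

if __name__ == "__main__":
    accounts = parse_dsquery(SAMPLE)
    for name in oldest_first(accounts):
        ts = accounts[name]
        print(f"{name:12} {ts.isoformat() if ts else 'never logged on'}")
```

The times are printed in UTC, so the jdoe entry reads 09:16:38 where w32tm shows 12:16:38 local time. lastLogonTimestamp is a replicated attribute that by default can lag the real last logon by up to about 14 days.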