AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

Converting AD attributes using FILETIME to a meaningful value

Converting AD attributes using FILETIME to a meaningful value

  • Comments 3
  • Likes

If you've ever looked at the raw attributes of an Active Directory object, you've no doubt noticed that some of the attributes use the format of "nanoseconds since 01-01-1601" (otherwise known as FILETIME).

To a computer this makes perfect sense but to an administrator it's just gibberish until it's translated.

As part of troubleshooting, I frequently find it useful to look at the following attributes:

lastLogoff, lastLogon, lockoutTime, pwdLastSet, badPasswordTime.

In addition, there is the lastLogonTimestamp which is a replicated attribute that is introduced with Windows Server 2003.


Some of the attributes are replicated, some are not.  Knowing which ones are replicated is important as it changes the meaning of the values in each.  It also means that you should get an ldifde dump of the account from multiple DC's to get a full picture of what's happening.

W32tm now comes with a useful switch that can help you with translating this into a humanly readable form.

C:\>w32tm /ntte <number of nanoseconds since 01-01-1601>

Let's translate a sample LDIFDE dump of a user account with this:

Example:

Attributes from an LDIFDE dump of the user taken on DC1:
badPasswordTime: 128750958022461875 ==2008 -12-30 08:30:02
badPwdCount: 3
lastLogoff: 0
lastLogon: 128738855665015625 == 2008 -12-16 08:19:26
lockoutTime: 128750958022461875 == 2008 -12-30 08:30:02
logonCount: 217
pwdLastSet: 128750987822774375 == 2008 -12-30 09:19:42

Attributes from an LDIFDE dump of the user taken on DC2:
badPasswordTime: 128750959698201836 == 2008 -12-30 08:32:49
badPwdCount: 2
lastLogon: 128738855665459700 == 2008 -12-16 08:19:26
lockoutTime: 128750958022461875 == 2008 -12-30 08:30:02
logonCount: 0
pwdLastSet: 128750987822774375 == 2008 -12-30 09:19:42

What this tells us is:

-  the user logged on successfully to both DC’s with a correct password at 2008 -12-16 08:19:26 (lastLogon is not replicated)


-  an incorrect password was entered on 2008-12-30 08:30:02 on DC1 and 2008 -12-30 08:32:49 on DC2 (badPasswordTime is not a replicated attribute)


-  the account was locked out at 2008 -12-30 08:30:02 on some DC in the domain (lockoutTime is a replicated attribute)


-  the password of the account was last changed at 2008 -12-30 09:19:42 on this DC (pwdChanged is a replicated attribute).


-  the user has not logged on successfully to either DC after the password was changed (badPwdCount is not a replicated attribute and both it and lockoutTime is reset after a successful logon)

From this the most likely chain of events is as follows:

-       A bad password is entered more times than the account lockout threshold allows (3 attempts in this case) and the account is locked out.

-       User calls in to helpdesk and the password is reset.

-       User has not logged on successfully after the password change when the LDIFDE dump is taken

Incidentally, you might notice that the following different attribute values give the same result:

C:\ >w32tm /ntte 128738855665015625

149003 07:19:26.5015625 - 2008 -12-16 08:19:26

C:\ >w32tm /ntte 128738855665459700

149003 07:19:26.5459700 - 2008 -12-16 08:19:26

…the reason is simply that we’re counting in nanoseconds and the difference between them is less than a second.

 

Active Directory attribute definitions:

http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx

FILETIME 

 http://msdn.microsoft.com/en-us/library/ms724284.aspx

 

Comments
  • The line

    Attributes from an LDIFDE dump of the user taken on DC1:

    is doubled.

    The 2nd should read:

    Attributes from an LDIFDE dump of the user taken on DC2:

  • Let 's look at line:

    149003 07:19:26.5459700 - 2008 -12-16 08:19:26

    Questions:

    - What does 149003 mean?

    - Which time is local, which is UTC?

  • thanks… DC2 fixed!

    The ouput you see on the line after running w32tm /ntte:<xxx> is the result from calls to GetDateFormat+GetTimeFormat with the LOCALE_USER_DEFAULT flag.

    Exactly what the extras in the first part represent I'm not sure - the first part should really only contain the date and the second only the time.

    msdn.microsoft.com/.../ms905235.aspx

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment