provide-last-login

Syntax

provide-last-login = {yes|true|no|false}

Description

Use the provide-last-login option for reporting information about the last login instance of a user.

To record the last login information for LDAP-based registries, set [ldap] enable-last-login to yes.

For Microsoft Active Directory registry, Security Verify Access uses the Active Directory user attribute lastLogonTimestamp to report the last login time of the user. This attribute is a system attribute and is updated automatically by Active Directory. Security Verify Access has no control over this attribute except reporting the value when required. This attribute is not updated every time a user logs in successfully. When a user logs in successfully, this attribute is only updated if its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute.

The value that Security Verify Access reports for the last login of a user might not be the exact time that a user last logged in. The reported time might be the actual last login time minus the configurable value of msDS-LogonTimeSyncInterval. You can configure the default value of msDS-LogonTimeSyncInterval to suit the user domain policy.

To use the lastLogonTimestamp attribute, the Active Directory domains must be at or greater than Microsoft Windows 2003 domain functional level. For more information about lastLogonTimestamp and msDS-LogonTimeSyncInterval, visit the Microsoft support website.

Options

yes|true

Set the provide-last-login option to yes, to specify that the policy server reports the time of last login of a user.

no|false

Set the provide-last-login option to no, to disable reporting of the last login information about a user.