Converting AD attributes using FILETIME to a meaningful value
If you've ever looked at the raw attributes of an Active Directory object, you've no doubt noticed that some of the attributes use the format of "nanoseconds since 01-01-1601" (otherwise known as FILETIME).
To a computer this makes perfect sense but to an administrator it's just gibberish until it's translated.
As part of troubleshooting, I frequently find it useful to look at the following attributes:
lastLogoff, lastLogon, lockoutTime, pwdLastSet, badPasswordTime.
In addition, there is the lastLogonTimestamp which is a replicated attribute that is introduced with Windows Server 2003.
Some of the attributes are replicated, some are not. Knowing which ones are replicated is important as it changes the meaning of the values in each. It also means that you should get an ldifde dump of the account from multiple DC's to get a full picture of what's happening.
W32tm now comes with a useful switch that can help you with translating this into a humanly readable form.
C:>w32tm /ntte <number of nanoseconds since 01-01-1601>
Let's translate a sample LDIFDE dump of a user account with this:
Example:
Attributes from an LDIFDE dump of the user taken on DC1: badPasswordTime: 128750958022461875 ==2008 -12-30 08:30:02
badPwdCount: 3
lastLogoff: 0
lastLogon: 128738855665015625 == 2008 -12-16 08:19:26
lockoutTime: 128750958022461875 == 2008 -12-30 08:30:02
logonCount: 217
pwdLastSet: 128750987822774375 == 2008 -12-30 09:19:42
Attributes from an LDIFDE dump of the user taken on DC2: badPasswordTime: 128750959698201836 == 2008 -12-30 08:32:49
badPwdCount: 2
lastLogon: 128738855665459700 == 2008 -12-16 08:19:26
lockoutTime: 128750958022461875 == 2008 -12-30 08:30:02
logonCount: 0
pwdLastSet: 128750987822774375 == 2008 -12-30 09:19:42
What this tells us is:
- the user logged on successfully to both DC’s with a correct password at 2008 -12-16 08:19:26 (lastLogon is not replicated)
- an incorrect password was entered on 2008-12-30 08:30:02 on DC1 and 2008 -12-30 08:32:49 on DC2 (badPasswordTime is not a replicated attribute)
- the account was locked out at 2008 -12-30 08:30:02 on some DC in the domain (lockoutTime is a replicated attribute)
- the password of the account was last changed at 2008 -12-30 09:19:42 on this DC (pwdChanged is a replicated attribute).
- the user has not logged on successfully to either DC after the password was changed (badPwdCount is not a replicated attribute and both it and lockoutTime is reset after a successful logon)
From this the most likely chain of events is as follows:
- A bad password is entered more times than the account lockout threshold allows (3 attempts in this case) and the account is locked out.
- User calls in to helpdesk and the password is reset.
- User has not logged on successfully after the password change when the LDIFDE dump is taken
Incidentally, you might notice that the following different attribute values give the same result:
C: >w32tm /ntte 128738855665015625
149003 07:19:26.5015625 - 2008 -12-16 08:19:26
C: >w32tm /ntte 128738855665459700
149003 07:19:26.5459700 - 2008 -12-16 08:19:26
…the reason is simply that we’re counting in nanoseconds and the difference between them is less than a second.
Active Directory attribute definitions:
http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx
FILETIME