pingcastle icon indicating copy to clipboard operation
pingcastle copied to clipboard
verified publisher icon vletoux

Users information -> Inactive Objects >6 monthts : Lot of user listed in this menu are not inactive

Open Info-NI opened this issue 4 years ago • 5 comments

Hello,

In the menu : Users information -> Inactive Objects > 6 months i have a lot of user listed who are connected everyday..so they don't have to be listed in this menu no ? I pick one of them , i connected on my RDS server with this user and still in the list of inactive objects... Any idea ?

Thank's

Info-NI avatar Oct 21 '21 15:10 Info-NI

Does this powershell command should return the same thing than the Inactive Objects >6 months in ping castle ?

Search-ADAccount -AccountInActive -TimeSpan 180:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | ?{$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "C:\InActiveUsers.CSV" -NoTypeInformation

ghost avatar Oct 21 '21 15:10 ghost

Hello @Info-NI

i have posted some information today regarding Inactive counter in issue#83 here are the details that might help for your case:

Reading the source of the rule "S-Inactive" (That seems the RuleID you are talking about) for "InactiveUserOrComputer" or so called "Dormant accounts" in the following files, it is clear that the time for activity is being calculated with "LastLogonTimestamp". RULE: https://github.com/vletoux/pingcastle/blob/master/Healthcheck/Rules/HeatlcheckRuleStaledInactive.cs#L24 Healthcheck data used for the rule: https://github.com/vletoux/pingcastle/blob/master/Healthcheck/Healthcheck.cs#L367

If a user is enabled and not active within the last 6 * 31 days it is considered inactive. The query in the sourcecode seems to be correct. i have compared data from section "User Information" > "Account analysis" with active directory and could not find an issue with current version of PingCastle. if you take "Nb Inactive" and add "Nb Active" from that table then you should get the amount of "Nb Enabled"

Is the amount correct, but just the list wrong?

Additional Information that might apply especially for your test "Please note that PingCastle relies on the attribute LastLogonTimestamp to perform this check. The LastLogonTimestamp attribute is replicated but has a latency of a maximum of 14 days, while LastLogon is updated at each logon and is more accurate but not replicated."

An-dir avatar Dec 14 '21 16:12 An-dir

I am having this same issue. The S-Inactive rule is showing 97% inactive users (773) and only 11 active users. This is an office with hundreds of people connected every day. I can absolutely confirm this is not correct.

Search-ADAccount -AccountInActive -TimeSpan 180:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | ?{$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName

Returns 0 results, increasing to 365 days returns 30 users.

shikyo13 avatar Jun 18 '22 01:06 shikyo13

You are most probably running PingCastle under restricted token (aka domain admin without elevation) Run it under normal user or full admin

vletoux avatar Jun 18 '22 06:06 vletoux

You are most probably running PingCastle under restricted token (aka domain admin without elevation) Run it under normal user or full admin

You were absolutely correct, thank you!

shikyo13 avatar Jun 18 '22 14:06 shikyo13