AD account collector is not collecting the Last Login Date and Expiration Date in RSA Identity Governance and Lifecycle 7.0.2
Originally Published: 2019-02-11
Article Number
Applies To
RSA Product/Service Type: Appliance
RSA Version/Condition: 7.0.x
Issue
Cause
These mapped attributes are actually the column names in the accounts table, as shown below:
While configuring the mappings for the above two columns, the respective attributes from Active Directory should be used. The correct configuration is shown in the Resolution section below.
Resolution
Map the 'accountExpires' and 'lastLogOn' AD attributes to the respective attributes 'Expiration Date' and 'Last Login Date'.
In RSA Identity Governance and Lifecycle 7.0.1 and 7.0.2 P01 to P04, the LAST_LOGIN_DATE attribute collects the 'lastLogOn' attribute of accounts from AD. This is an internal mapping; these two attributes are not configurable in the GUI.
However, from RSA Identity Governance and Lifecycle 7.0.2 P05 onwards, the LAST_LOGIN_DATE attribute is configurable in the collector UI and its mapping can be modified as required. Configuring this attribute is optional.
The default mapping provided for this attribute is the 'LastLogon' attribute from Active Directory.
LastLogon:
When a user logs on, this attribute is updated ONLY on the Domain Controller that provided the authentication. Because it is updated on only one DC, this attribute is not replicated.
For reference:
https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx
After correcting the mapping, both attribute values are collected correctly as shown below:
Workaround
You can use 'LastLogonTimeStamp' by collecting it into a custom attribute of type "Date": in the ADC, map the custom attribute to lastLogontimeStamp and run the collection. In the raw data collected, you can verify that the attribute is collected properly and shown in Date format.
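To cross-check the dates shown in the raw collected data, the following added example (not part of the original article and not RSA code) converts raw AD values for 'lastLogOn' and 'accountExpires' into dates. It also shows why a non-replicated 'lastLogOn' read from a single DC can be stale or empty. The DC host names and raw values are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon, lastLogonTimestamp and accountExpires as 64-bit
# counts of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # accountExpires "never" sentinels


def filetime_to_datetime(raw):
    """Convert a raw AD timestamp to a timezone-aware UTC datetime."""
    return AD_EPOCH + timedelta(microseconds=int(raw) // 10)


def expiration_date(account_expires):
    """Return the expiry as a datetime, or None if the account never expires."""
    value = int(account_expires)
    if value in NEVER_EXPIRES:
        return None
    return filetime_to_datetime(value)


def last_login_date(last_logon_by_dc):
    """Return the newest lastLogon across DCs, or None if never logged on.

    lastLogon is not replicated, so each DC holds its own value; 0 means
    that DC has never authenticated the account.
    """
    seen = [int(v) for v in last_logon_by_dc.values() if int(v) > 0]
    return filetime_to_datetime(max(seen)) if seen else None


# Constructed sample: one account as seen on three hypothetical DCs.
SAMPLE_LAST_LOGON = {
    "dc01.example.test": "131941440000000000",
    "dc02.example.test": "0",
    "dc03.example.test": "131854176000000000",
}
SAMPLE_ACCOUNT_EXPIRES = "132223104000000000"  # constructed value

if __name__ == "__main__":
    for dc, raw in SAMPLE_LAST_LOGON.items():
        when = filetime_to_datetime(raw) if int(raw) else "never on this DC"
        print(f"{dc}: {when}")
    print("Last Login Date:", last_login_date(SAMPLE_LAST_LOGON))
    print("Expiration Date:", expiration_date(SAMPLE_ACCOUNT_EXPIRES))
```

A collector bound only to the sample's dc02 would report no last login for this account, while dc03 would report a date months older than the real one.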