Active Directory Last Logon - Issues

IdentityIQ (IIQ) IIQ Discussion and Questions
, ,
1

Which IIQ version are you inquiring about?

8.3sp2

Goal Summary

The Active Directory timestamps we are using for activity compliance checks are old and stale. We have a system that queries all the Domain Controllers and gets the most up to date logon time. We are using a JDBC connector to agg the data from that database.

Issue Summary

The issue we have is we cannot effectively either coalesce the multiple rows into one Application account or we cannot push the row of data to the correct application link.

Method 1 - One link, multiple rows

We tried to do a mergeMap rule that would merge multiple rows into lists of entries underneath one Link, but we couldn’t get the mergeMap to fire to figure out how to transform it.

Method 2 - Push data row to attribute in the Active Directory link

We are trying to find the right place to push a logon timestamp to an attribute in the Active Directory link, but cannot find a way.

Data overview

username lastLogon dc badge
svc-identityiqqa 4/27/2025 12:42 DC1.domain.com 1101010
jmcduffin 12/6/2024 18:43 DC4.domain.com 712934
jmac 4/30/2025 21:29 DC2.domain.com 798245
bbeth 4/28/2025 11:52 DC1.domain.com 423590
jdoe 4/30/2025 21:30 DC1.domain.com 1101010
svc-powershell-task 5/1/2025 5:00 DC2.domain.com 1101010

We want to push the lastLogon to a custom attribute inside an active directory account where we can match the badge attribute to an identity cube and then match the username to a particular Link on the cube to then finally update an extended attribute like timeKeeperLogon to have the most up-to-date logon time.

Primary Issue

The user with badge number 1101010 has a bunch of Link entries for this app. This clutters up their cube and is not ideal.

Ideal Outcome

Figuring out a workable solution for method 1 or 2 is highly acceptable. We just want to avoid having multiple Link entries for this application because its ONLY function is to update lastLogon timestamp data to check against an Active Directory account.

2

Method 1 should work, though I’m not clear on why you have multiple rows to merge.
Does each user have a row for each domain controller? Or is it that you have multiple AD domains?

3

@acrumley -

I would suggest Pre‑aggregate to one row per user (simplest & least moving parts)

  1. Create a database view or stored procedure that already returns
SELECT
  username ,
  MAX(lastLogon) AS lastLogon ,        -- latest stamp
  MAX(badge)    AS badge               -- constant per user
FROM dc_logons
GROUP BY username
  1. If you cannot modify the source table, a read‑only view works just as well.
  2. Point the JDBC application’s AggregationQuery to that view.
    Each aggregation run then produces exactly one Account/Link per user, so no merge logic is needed and the cube stays tidy.
  3. Correlate on either badge or username (whichever is unique and always present)

Why this is often all you need:
Compliance simply needs the latest timestamp. Pulling one row per user avoids extra Links and avoids writing any BeanShell.

Cheers!!!

4

Great question. A user may have multiple rows that correlate to their account if they own more than one Active Directory account. Our correlation attribute is their employeeID field. Honestly, the domain controller isn’t super relevant because we mainly just care about getting the most recent timestamp that they logged in on.