lastLogon vs. lastLogonTimestamp in Active Directory
An employee left the company. I am trying to find out when his AD account was logged in for the last time, whether it was before the dismissal or after.
There are these 2 attributes in the user properties window: lastLogon and lastLogonTimestamp. The lastLogon date is earlier than the dismissal date, but the lastLogonTimestamp date is posterior to the dismissal date (so in this case we would have a security problem).
How do I know which one of these attributes shows the actual last AD account login time? What is the difference between them?
windows active-directory login
edited Oct 21 '18 at 19:43 by gregg
asked Nov 7 '15 at 8:50 by ZygD
2 Answers
Use the most recent attribute.
Lastlogon is only updated on the domain controller that performs the authentication and is not replicated.
LastLogontimestamp is replicated, but by default only if it is 14 days or more older than the previous value.
http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx
answered Nov 7 '15 at 12:17 by Greg Askew, edited Nov 7 '15 at 12:55
TL;DR - If you want the most accurate logon time, you must query the lastLogon attribute from all domain controllers. If a tolerance of ±19 days is acceptable, then you can just read lastLogonTimestamp from the closest domain controller.
lastLogon
This attribute is not replicated and is maintained separately on each domain controller in the domain. To get an accurate value for the user's last logon in the domain, the Last-Logon attribute for the user must be retrieved from every domain controller in the domain. The largest value that is retrieved is the true last logon time for that user.
https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogon#remarks
lastLogonTimestamp
Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus random percentage of 5 days.
https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogontimestamp
Notes:
- Both dates are stored as a FILETIME (Int64 in .Net/PowerShell) if you retrieve them programmatically.
- PowerShell also provides a LastLogonDate property. I would have preferred to provide Microsoft specific documentation to confirm this, but most sources say and my testing confirms it is the lastLogonTimestamp converted to a l̲o̲c̲a̲l̲ DateTime value.
answered 1 min ago by Drew Chapin
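The procedure both answers describe (read lastLogon from every domain controller, keep the largest value, and compare it with the replicated lastLogonTimestamp), as an added PowerShell example that is not part of either answer. It assumes the ActiveDirectory (RSAT) module and a host that can reach the domain controllers; the function names, the account `jdoe` and the cut-off date are hypothetical.

```powershell
# Added example, not from the answers. Needs the ActiveDirectory module (RSAT)
# and read access to every domain controller.
Import-Module ActiveDirectory

function ConvertFrom-AdFileTime {
    # FILETIME: 100 ns ticks since 1601-01-01 UTC. Empty or 0 means "never set".
    param($Value)
    if (-not $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

function Get-LastLogonAcrossDCs {
    param(
        [Parameter(Mandatory)] [string]   $Identity,  # sAMAccountName, DN, GUID or SID
        [Parameter(Mandatory)] [datetime] $CutOff     # e.g. the dismissal date
    )
    $cutUtc = $CutOff.ToUniversalTime()
    $perDc = @(); $unreachable = @()
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
            $perDc += [pscustomobject]@{
                DC                 = $dc.HostName
                LastLogon          = ConvertFrom-AdFileTime $u.lastLogon
                LastLogonTimestamp = ConvertFrom-AdFileTime $u.lastLogonTimestamp
            }
        } catch {
            # A DC that cannot be read may hold a newer lastLogon than any seen.
            $unreachable += $dc.HostName
        }
    }
    # lastLogon is per DC and not replicated: the domain-wide value is the maximum.
    $latest = $perDc | Where-Object { $_.LastLogon } |
        Sort-Object LastLogon -Descending | Select-Object -First 1
    # lastLogonTimestamp is replicated but can lag; take the newest copy seen.
    $replicated = $perDc.LastLogonTimestamp | Where-Object { $_ } |
        Sort-Object -Descending | Select-Object -First 1
    # The first answer's rule: the most recent of the two attributes wins.
    $newest = @($latest.LastLogon, $replicated) | Where-Object { $_ } |
        Sort-Object -Descending | Select-Object -First 1
    [pscustomobject]@{
        Identity              = $Identity
        LatestLastLogonUtc    = $latest.LastLogon
        AuthenticatingDC      = $latest.DC
        LastLogonTimestampUtc = $replicated
        LogonAfterCutOff      = [bool]($newest -and $newest -gt $cutUtc)
        UnreachableDCs        = $unreachable
        PerDC                 = $perDc
    }
}

# Constructed account name and date, for illustration only.
Get-LastLogonAcrossDCs -Identity 'jdoe' -CutOff '2015-10-30T00:00:00Z'
```

If `UnreachableDCs` is not empty, treat `LatestLastLogonUtc` as a lower bound, and use `AuthenticatingDC` to decide which controller's Security log to pull for the logon event itself.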