Active Directory Attributes explained : LAST LOGON & LAST LOGON TIMESTAMP

Posted July 19th, 2012

There are a lot of questions out there about two Active Directory attributes, namely the Last Logon attribute and the Last Logon Timestamp attribute. First, let me list a few properties of both, and then I'll get into the implications.


LAST LOGON

- The Last Logon attribute is not stored in the Global Catalog.
- It is not replicated across domain controllers.
- For user objects, its value is updated each time a user physically logs on to a server or workstation.
- For computer objects, its value is updated when a computer authenticates to the domain, e.g. on booting, or on access token refresh.

LAST LOGON TIMESTAMP

- The Last Logon Timestamp attribute is not stored in the Global Catalog.
- It is replicated to all other Domain Controllers in the domain.
- It is not updated when the previous authentication request happened a shorter time ago than the value of the attribute ms-DS-Logon-Time-Sync-Interval (whose default is 14 days).
- It is updated when a user or computer is authenticated by a Domain Controller: on interactive logon, but also, for instance, when someone accesses his or her webmail or accesses a network share.

Implications

Last Logon. An authentication request upon physical logon is handled by the domain controller that responds first, so such a request is not always handled by the same domain controller. This means that in order to obtain a user's or computer's true last logon, you need to query all your domain controllers. Authentication takes priority over topology and Active Directory configuration, so even if you have designed your logon services so that a user can only authenticate to one domain controller, you will find that sometimes they are still authenticated by another domain controller. So best practice is to always query all your domain controllers to obtain the true last logon.

Last Logon Timestamp.

The attribute was introduced with domain functional level 2003, so if you are still running domain functional level 2000, the attribute is not available to you. If your domain functional level is 2003 or higher, it suffices to retrieve the information from only one Domain Controller, but its accuracy depends on the ms-DS-Logon-Time-Sync-Interval setting.


In short…

The reason why most people want to obtain these values is to find out if a user or computer object can be safely deleted. If you want to know exactly when someone last logged on to a computer in your network, search for the last logon value. If you want to know when someone last accessed a resource in your network (webmail, one of your file shares, etc.), search for the last logon timestamp value. If you want to know when someone last used any network resource, search for the most recent of both values.
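One way to apply both rules at once, as an added example that is not code from this post or from aducADMIN+: ask every domain controller for lastLogon (it is not replicated), take the newest value, combine it with the replicated lastLogonTimestamp, and treat the sync interval as the timestamp's possible lag before judging whether an account is stale. It assumes the RSAT ActiveDirectory module, a read-only account that can reach every DC, and that the attribute the post calls ms-DS-Logon-Time-Sync-Interval is queried by its LDAP display name msDS-LogonTimeSyncInterval; the 90-day staleness threshold is an assumed value to adjust to your own cleanup policy.

```powershell
# Added example, not code from the original post or from aducADMIN+.
# Assumes the RSAT ActiveDirectory module and read access to every DC.
Import-Module ActiveDirectory

# Convert a FILETIME (Int64) attribute value to a DateTime; 0 or empty means "never".
function ConvertFrom-FileTimeValue {
    param($Value)
    if ($null -eq $Value -or [long]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTime([long]$Value)
}

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # user, or computer name ending in $
        [int]$StaleDays = 90                             # assumed threshold; tune to your policy
    )

    # lastLogon is per-DC and not replicated, so every DC in the domain must be asked.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    $newestLastLogon = 0L
    $logonTimestamp  = 0L
    $perDc           = [ordered]@{}

    foreach ($dc in $dcs) {
        try {
            $obj = Get-ADObject -Server $dc -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                       -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop |
                   Select-Object -First 1
        } catch {
            # An unreachable DC means the answer may be incomplete; surface that, do not hide it.
            Write-Warning "Could not query $dc for ${SamAccountName}: $($_.Exception.Message)"
            continue
        }
        if ($null -eq $obj) { Write-Warning "$SamAccountName not found on $dc"; continue }

        $ll = if ($null -ne $obj.lastLogon) { [long]$obj.lastLogon } else { 0L }
        $lt = if ($null -ne $obj.lastLogonTimestamp) { [long]$obj.lastLogonTimestamp } else { 0L }
        $perDc[$dc] = ConvertFrom-FileTimeValue $ll
        if ($ll -gt $newestLastLogon) { $newestLastLogon = $ll }
        # lastLogonTimestamp is replicated, but take the max in case replication is lagging.
        if ($lt -gt $logonTimestamp)  { $logonTimestamp  = $lt }
    }

    # The replicated timestamp is only refreshed once it is older than
    # msDS-LogonTimeSyncInterval (default 14 days), so it can be that many days behind.
    $domainDn = (Get-ADDomain).DistinguishedName
    $interval = (Get-ADObject -Identity $domainDn -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
    if (-not $interval) { $interval = 14 }

    $lastLogonDt = ConvertFrom-FileTimeValue $newestLastLogon
    $timestampDt = ConvertFrom-FileTimeValue $logonTimestamp

    # Latest possible real activity: lastLogon is exact; the timestamp may lag by up to
    # the sync interval, so add it before comparing against the staleness threshold.
    $candidates = @()
    if ($lastLogonDt) { $candidates += $lastLogonDt }
    if ($timestampDt) { $candidates += $timestampDt.AddDays($interval) }
    $latestPossible = $candidates | Sort-Object -Descending | Select-Object -First 1

    # No value on any DC is "no evidence", not "stale": check whenCreated before deleting.
    $isStale = if ($latestPossible) { $latestPossible -lt (Get-Date).AddDays(-$StaleDays) } else { $null }

    [PSCustomObject]@{
        SamAccountName      = $SamAccountName
        LastLogon           = $lastLogonDt      # newest lastLogon across all DCs
        LastLogonPerDC      = $perDc
        LastLogonTimestamp  = $timestampDt
        TimestampMaxLagDays = $interval
        LatestPossibleLogon = $latestPossible
        IsStale             = $isStale
    }
}

# Usage: Get-TrueLastLogon -SamAccountName 'jdoe' | Format-List
```

The warnings matter as much as the result: a DC that could not be queried may hold the only up-to-date lastLogon, so an account should not be treated as stale while any DC is missing from the answer. Adding the sync interval to the timestamp keeps an account that simply has not had its timestamp refreshed yet from looking inactive.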


We now do this with AdminPlus, which you can try here
