Active Directory Attributes explained : LAST LOGON & LAST LOGON TIMESTAMP
There are a lot of questions out there about two Active Directory attributes, namely the Last Logon attribute and the Last Logon Timestamp attribute. First, let me list a few properties of both, and then I’ll get in to the implications.
LAST LOGON
- The Last Logon attribute is not replicated across domain controllers.
- For user objects, its value is updated each time a user physically logs on to a server or workstation.
- For computer objects, its value is updated when a computer authenticates to the domain, e.g. on booting or on access token refresh.
LAST LOGON TIMESTAMP
- The Last Logon Timestamp attribute is not stored in the Global Catalog.
- It is replicated to all other Domain Controllers in the domain.
- It is not updated when the previous authentication request happened less than ms-DS-Logon-Time-Sync-Interval ago (the default for this attribute is 14 days).
- It is updated when a user or computer is authenticated by a Domain Controller: on interactive logon, but also, for instance, when someone accesses his or her webmail or a network share.
Last Logon. An authentication request upon physical logon is handled by the domain controller that responds first, so such a request is not always handled by the same domain controller. This means that in order to obtain a user's or computer's true last logon, you need to query all your domain controllers. Authentication has priority over topology and Active Directory configuration, so even if you have designed your logon services so that a user can only authenticate to one domain controller, you will find that sometimes they are still authenticated by another domain controller. So best practice is to always query all your domain controllers to obtain the true last logon.
Last Logon Timestamp.
The attribute was introduced with domain functional level 2003, so if you are still running domain functional level 2000, the attribute is not available to you. If your domain functional level is 2003 or higher, it suffices to retrieve the information from only one Domain Controller, but its accuracy depends on the ms-DS-Logon-Time-Sync-Interval setting.
The reason why most people want to obtain these values is to find out if a user or computer object can be safely deleted. If you want to know when someone logged on to a computer in your network for the exact last time, search for the last logon value. If you want to know when someone last accessed a resource in your network (accessed webmail or one of your file systems etc), search for the last logon timestamp value. If you want to know when someone last used any network resource, search for the most recent of both values.
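As an added example (not code from the original post), the following PowerShell puts both rules into practice: it asks every domain controller for lastLogon, reads the replicated lastLogonTimestamp once, and reports the most recent of the two. It assumes the ActiveDirectory RSAT module, read access to the user attributes on each DC, and a placeholder account name.

```powershell
# Added example: true last logon = newest lastLogon across all DCs, compared with lastLogonTimestamp.
# Assumes the ActiveDirectory module (RSAT); 'jdoe' below is a placeholder account name.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # lastLogon is not replicated, so every DC holds its own value: query all of them.
    $lastLogon   = 0L
    $lastLogonDC = $null
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            if ($u.lastLogon -gt $lastLogon) {
                $lastLogon   = [long]$u.lastLogon
                $lastLogonDC = $dc.HostName
            }
        } catch {
            # A DC that cannot be reached means its value is missing from the result,
            # so the most recent logon may be newer than what is reported: warn instead of failing silently.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    # lastLogonTimestamp is replicated, so one DC suffices, but it can lag by up to
    # ms-DS-Logon-Time-Sync-Interval (14 days by default).
    $lastLogonTimestamp = [long](Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp

    # Both attributes are Windows FILETIME values (100 ns ticks since 1601-01-01); 0 means never set.
    $toDate = { param($ft) if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null } }

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        LastLogon          = & $toDate $lastLogon
        LastLogonDC        = $lastLogonDC
        LastLogonTimestamp = & $toDate $lastLogonTimestamp
        MostRecentActivity = & $toDate ([Math]::Max($lastLogon, $lastLogonTimestamp))
    }
}

Get-TrueLastLogon -SamAccountName 'jdoe'   # placeholder account name
```

For computer objects, swap Get-ADUser for Get-ADComputer; the attribute names and the FILETIME handling are the same.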
We now do this with AdminPlus, which you can try here