lastLogon vs. lastLogonTimestamp in Active Directory
An employee left the company. I am trying to find out when his AD account was logged in for the last time, whether it was before the dismissal or after.
There are these 2 attributes in the user properties window: lastLogon and lastLogonTimestamp. The lastLogon date is earlier than the dismissal date, but the lastLogonTimestamp date is later than the dismissal date (so in this case we would have a security problem).
How do I know which one of these attributes shows the actual last AD account login time? What is the difference between them?
Solution 1:
Use the most recent attribute.
lastLogon is only updated on the domain controller that performs the authentication and is not replicated.
lastLogonTimestamp is replicated, but by default only if it is 14 days or more older than the previous value.
http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx
Solution 2:
TL;DR - If you want the most accurate logon time, you must query the lastLogon attribute from all domain controllers. If a tolerance of ±19 days is acceptable, then you can just read lastLogonTimestamp from the closest domain controller.
lastLogon
This attribute is not replicated and is maintained separately on each domain controller in the domain. To get an accurate value for the user's last logon in the domain, the Last-Logon attribute for the user must be retrieved from every domain controller in the domain. The largest value that is retrieved is the true last logon time for that user.
https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogon#remarks
lastLogonTimestamp
Whenever a user logs on, the value of this attribute is read from the DC. If the value is older than [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus a random percentage of 5 days.
https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogontimestamp
Notes:
- Both dates are stored as a FILETIME (Int64 in .Net/PowerShell) if you retrieve them programmatically.
- PowerShell also provides a LastLogonDate property. I would have preferred to provide Microsoft-specific documentation to confirm this, but most sources say, and my testing confirms, that it is the lastLogonTimestamp converted to a local DateTime value.
Solution 3:
The other answers leave out one important detail, but it can be crucial when investigating cases like the one mentioned in the question.
LastLogonTimeStamp can be updated even if no actual login was performed!
For example, you can see for yourself how the LastLogonTimeStamp attribute is updated right after you check the "Effective Permissions" for the account that has an old enough LastLogonTimestamp value.
When you come across a situation like the one in the screenshot, where you see a relatively recent LastLogonTimestamp for a person's account, you should check all domain controllers for the LastLogon attribute value.
If they are all older than LastLogonTimestamp, then it probably means that there was no "real person entry", I mean someone logging into a workstation or remote desktop session.
But at the same time, you cannot be 100% sure, so you should check all the available logs to make sure that this account was not used for any other purpose (syncing mail from a mobile device or something like that)...
Finally, you should consider lastLogon and lastLogonTimestamp only as means for looking for stale accounts.
And for security reasons, you must set all the necessary audit settings in advance and then use audit logs for investigations.
Leave the lastLogon alone!
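The procedure recommended in Solutions 2 and 3, querying lastLogon from every domain controller and comparing the newest value with the replicated lastLogonTimestamp, as an added PowerShell example (not code from any of the answers above). It assumes the ActiveDirectory RSAT module, read access to the user object on each DC, and a placeholder account name `$SamAccountName`.

```powershell
# Added example: collect lastLogon from every DC, keep the newest value, and
# compare it with the replicated lastLogonTimestamp. Assumes the ActiveDirectory
# module is installed and the account can read user objects on every DC.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # placeholder: account under investigation
)
Import-Module ActiveDirectory

# Convert a FILETIME (Int64, 100-ns ticks since 1601-01-01 UTC) to a UTC DateTime.
# A value of 0 means the attribute was never set on that DC.
function ConvertFrom-FileTimeUtc([Int64]$FileTime) {
    if ($FileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        [pscustomobject]@{
            DC                 = $dc.HostName
            LastLogon          = ConvertFrom-FileTimeUtc $u.lastLogon
            LastLogonTimestamp = ConvertFrom-FileTimeUtc $u.lastLogonTimestamp
            Error              = $null
        }
    } catch {
        # An unreachable DC is a gap in the evidence: record it instead of skipping silently.
        [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; LastLogonTimestamp = $null; Error = $_.Exception.Message }
    }
}

$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# Newest lastLogon across all DCs is the true last authentication (per the lastLogon remarks).
$newestLastLogon = ($results | Where-Object { $_.LastLogon } | Sort-Object LastLogon -Descending | Select-Object -First 1).LastLogon
# lastLogonTimestamp is replicated, so any DC that answered will do.
$lastLogonTs     = ($results | Where-Object { $_.LastLogonTimestamp } | Select-Object -First 1).LastLogonTimestamp

"Newest lastLogon across DCs (UTC): $newestLastLogon"
"lastLogonTimestamp (UTC):          $lastLogonTs"
if ($lastLogonTs -and (-not $newestLastLogon -or $lastLogonTs -gt $newestLastLogon)) {
    "lastLogonTimestamp is newer than every lastLogon: the update may not come from an interactive logon. Check the DC security audit logs."
}
if ($results | Where-Object { $_.Error }) {
    "Warning: some DCs could not be queried; the newest lastLogon may be missing."
}
```

Run it as `.\Get-LastLogonAcrossDCs.ps1 -SamAccountName <account>`; the comparison at the end only flags the case Solution 3 describes and does not by itself prove the account was or was not used.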