Owlglass

Active Directory: lastLogon vs lastLogonTimestamp

lastLogon vs lastLogonTimestamp

lastLogon

The lastLogon attribute contains a Windows FileTime representation of the last time a domain controller successfully authenticated the user. It is the granddaddy of user logon metadata, having been around since the first version of Active Directory.

Using the PowerShell command below, you can retrieve the last logon time and other user properties on a domain controller:

# lastLogon is stored as a FileTime (100-nanosecond ticks since 1601-01-01 UTC); FromFileTime converts it to a local DateTime
Get-ADUser -Filter * -Properties lastLogon | Select samaccountname,@{Name="lastLogon";Expression={[datetime]::FromFileTime($_.'lastLogon')}}

The lastLogon attribute is updated every time a domain controller successfully processes a logon request, but it is not a replicated attribute. Each domain controller (DC) maintains its own copy of the value for any given user.

lastLogonTimestamp

The lastLogonTimestamp attribute contains a Windows FileTime representation of a recent time the user logged on to the domain. It was introduced with Microsoft Windows Server 2003. Unlike the older lastLogon attribute, lastLogonTimestamp is a replicated attribute; its value for any given user is synced to every domain controller. It is not updated on every logon that a domain controller successfully processes. Instead, the attribute has a dynamic update frequency that is limited by the value of the ms-DS-Logon-Time-Sync-Interval attribute, which is NOT SET by default and is then treated as 14 days.

# LastLogonDate is the ActiveDirectory module's DateTime conversion of the replicated lastLogonTimestamp attribute
Search-ADAccount -AccountInactive -DateTime ((Get-Date).AddDays(-30)) -UsersOnly | Select Name,LastLogonDate,DistinguishedName | Export-CSV c:\psinactive_users.csv

From: netwrix
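Because lastLogon is never replicated and lastLogonTimestamp can lag by up to 14 days, a stale-account check that reads either attribute from a single DC can be wrong. The function below is an added example, not code from the original post or from netwrix: it queries every DC for its own copy of lastLogon, keeps the newest value per user, and reports how far behind the replicated lastLogonTimestamp is. The function name Get-TrueLastLogon and its Filter parameter are assumptions.

```powershell
# Added example: reconcile the unreplicated lastLogon across all DCs with the
# replicated lastLogonTimestamp. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        # Assumed parameter: AD filter for the users to check; '*' means every user
        [string]$Filter = '*'
    )

    $byUser = @{}
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        # -Server pins the query to one DC, so lastLogon is that DC's own copy
        $users = Get-ADUser -Server $dc.HostName -Filter $Filter -Properties lastLogon, lastLogonTimestamp
        foreach ($u in $users) {
            $ll = [int64]$u.lastLogon   # 0 when this DC never authenticated the user
            if (-not $byUser.ContainsKey($u.SamAccountName)) {
                $byUser[$u.SamAccountName] = [pscustomobject]@{
                    SamAccountName     = $u.SamAccountName
                    LastLogon          = [int64]0
                    LastLogonDC        = $null
                    LastLogonTimestamp = [int64]$u.lastLogonTimestamp   # same on every DC (replicated)
                }
            }
            if ($ll -gt $byUser[$u.SamAccountName].LastLogon) {
                $byUser[$u.SamAccountName].LastLogon   = $ll
                $byUser[$u.SamAccountName].LastLogonDC = $dc.HostName
            }
        }
    }

    foreach ($r in $byUser.Values) {
        # One day is 86400 s * 10^7 FileTime ticks = 864000000000 ticks
        $lag = if ($r.LastLogon -and $r.LastLogonTimestamp) {
            [math]::Round(($r.LastLogon - $r.LastLogonTimestamp) / 864000000000, 1)
        } else { $null }
        [pscustomobject]@{
            SamAccountName     = $r.SamAccountName
            LastLogon          = if ($r.LastLogon) { [datetime]::FromFileTime($r.LastLogon) } else { $null }
            LastLogonDC        = $r.LastLogonDC
            LastLogonTimestamp = if ($r.LastLogonTimestamp) { [datetime]::FromFileTime($r.LastLogonTimestamp) } else { $null }
            # Days the replicated value trails the real last logon; expect values up to ~14
            LagDays            = $lag
        }
    }
}

Get-TrueLastLogon | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

A user with a null LastLogon on every DC has never authenticated interactively against the domain since the attribute was last reset, which is the case an inactive-account report should flag rather than silently skip.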

Kerberos S4U2self

How lastLogonTimestamp is updated with Kerberos S4U2self