Lastlogon vs Lastlogontimestamp – Which One?

As a system admin, you might have to make sure that there is no suspicious activity on your network. This could be someone accessing the network even when they are no longer authorized to (think former employee), or maybe someone is utilizing office equipment when they are not supposed to (think employee using network after work hours).

The most basic way to check for such activity is to look at the ‘LastLogon’ and ‘LastLogonTimeStamp’ attributes to ascertain the last time someone connected. Confusion arises, however, when the two return different values. To make sense of the values in such a case, read on to learn what they mean.

What are ‘LastLogon’ and ‘LastLogonTimeStamp’ Attributes

The main Active Directory service is Active Directory Domain Services which is a part of the Windows Server Operating System. The servers running this service are called Domain Controllers (DCs), and they simplify life for administrators and end users. Each time a user logs in or attempts to log in, a Domain Controller has to authenticate it.

These services are responsible for authorizing and managing remote access to your servers and are present in every user’s Active Directory account. Different users can be set up with different levels of access to sensitive data.

The services control much of the activity that goes on in your IT environment. In particular, they make sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter and allowing them to access only the data they’re allowed to use (authorization).

Differences between ‘LastLogon’ and ‘LastLogonTimeStamp’ Attributes

Although they both track the last time a user logged into their Active Directory account in the server, they both do so in slightly different ways. Below we’ve highlighted all the differences these attributes have with regard to their properties.

Replication

The ‘LastLogon’ attribute is not replicated and is maintained separately on each Domain Controller (DC) in the domain. This means that when a user logs in, only one Domain Controller (the one authenticating the login) will have its ‘LastLogon’ value updated.

On the other hand, we have the ‘LastLogonTimeStamp’ attribute. This one differs from ‘LastLogon’ in that its value is updated on one Domain Controller and then replicated to all Domain Controllers. If the value a Domain Controller holds is older than the replicated ‘LastLogonTimeStamp’, then its value is updated.

Update Requirements

‘LastLogon’ has no requirements to check every time it updates its value. So if a user logs in fifty times in a day for some reason, then this value will also be updated fifty times. On the other hand, ‘LastLogonTimeStamp’ has to check the last time its value was updated before it updates it again.

This makes sense as its value is replicated to all Domain Controllers, so multiple updates in a short time might put a lot of strain on the servers.

Consequently, this creates a problem: what if multiple users were logging in and out of multiple devices? This would create huge overhead and put unnecessary strain on the servers. The simple solution is that Active Directory checks how much time has passed since the last update, and only if a significant amount has passed does it update the value across the servers.

This is done through a random threshold number that Active Directory generates (less than fourteen) whenever it needs to update ‘LastLogonTimeStamp’: only if the last updated date of ‘LastLogonTimeStamp’ is older than the current date minus the generated number of days is the value updated.
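The rule above can be modelled to see how far the replicated value drifts from the real last logon. This is an added illustration, not code from the article or from Active Directory; the function names are hypothetical, the one-logon-per-day input is constructed, and the 9 to 13 day range for the random threshold is an assumption (the article only says it is less than fourteen).

```powershell
# Added illustration of the update rule described above; not Active Directory's own code.
function Test-TimestampNeedsUpdate {
    param(
        [datetime]$StoredTimestamp,   # current replicated 'LastLogonTimeStamp'
        [datetime]$LogonTime,         # time of the logon being processed
        [int]$ThresholdDays           # random number of days generated for this logon
    )
    # Update only if the stored value is older than (logon time - threshold days).
    return $StoredTimestamp -lt $LogonTime.AddDays(-$ThresholdDays)
}

function Invoke-LogonSimulation {
    param([datetime]$Start, [int]$Days, [int]$Seed = 1)
    $null = Get-Random -SetSeed $Seed    # make the run reproducible
    $stored     = $Start                 # both attributes start out equal
    $lastLogon  = $Start
    $maxLagDays = 0
    foreach ($d in 1..$Days) {
        $logon     = $Start.AddDays($d)  # constructed input: one logon per day
        $lastLogon = $logon              # 'LastLogon' is written on every logon
        $threshold = Get-Random -Minimum 9 -Maximum 14   # assumed range: 9..13 days
        if (Test-TimestampNeedsUpdate $stored $logon $threshold) { $stored = $logon }
        $lag = ($lastLogon - $stored).Days
        if ($lag -gt $maxLagDays) { $maxLagDays = $lag }
    }
    [pscustomobject]@{
        LastLogon          = $lastLogon
        LastLogonTimeStamp = $stored
        MaxLagDays         = $maxLagDays  # worst gap between the two attributes
    }
}

Invoke-LogonSimulation -Start (Get-Date '2024-01-01') -Days 60
```

Even with a logon every day, the replicated value trails the real last logon by up to the threshold, which is why a cut-off for "inactive" accounts based on ‘LastLogonTimeStamp’ needs to be wider than that gap.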

Update Policy

Another major difference between the two attributes is that ‘LastLogonTimeStamp’ can be updated without the user logging in. Remote access by an admin or some other remote access can trigger this attribute to be updated.

For the ‘LastLogon’ attribute, on the other hand, the user has to actually log in themselves for the value to be updated. Any sort of remote access or system access by an admin does not trigger the update process.

Verdict

If you just need to check when was the last time someone logged in, then ‘LastLogon’ should be the attribute you check. Considering both attributes can cause unnecessary confusion, especially when their values differ.

There are a lot of reasons other than a user login that cause ‘LastLogonTimeStamp’ to get updated, so it cannot be used to gauge the latest user login effectively. To summarize all the differences we have discussed, here is a handy table:

| Qualities | ‘LastLogon’ | ‘LastLogonTimeStamp’ |
|---|---|---|
| Replication | Not replicated. Only the authenticating Domain Controller is updated | Replicated to all Domain Controllers |
| Update trigger | Only updated upon user login | Can be updated due to reasons other than a simple user login (remote access etc.) |
| Update requirements | No requirements: every time a user logs in, the attribute is updated | Uses another attribute, “ms-DS-Logon-Time-Sync-Interval”, to gauge whether an update is required or not |

How To Retrieve ‘LastLogon’ From All Domain Controllers

As we discussed earlier, the ‘LastLogon’ attribute value is local to the Domain Controller that authenticated the user. So if an organization has 5 Domain Controllers and a user logs in through only one of them, only that one Domain Controller will have the last login date and time for that particular user.

Now it might seem simple enough to just manually scour through all 5 Domain Controllers to check the last login time for a user. However, such a task becomes convoluted and complex in a much bigger set-up with, say, twenty or thirty Domain Controllers and hundreds of users.

Well, there is no need to worry, as with one simple PowerShell script, you can retrieve the ‘LastLogon’ values from all Domain Controllers for a user. The script in question is:

# Ask every Domain Controller for its own copy of the user's 'LastLogon' value
Get-ADDomainController -Filter * | ForEach-Object { $DC = $_.Name ; Get-ADUser jimbo -Properties lastLogon -Server $DC | Select-Object @{n="LastLogon";e={[datetime]::FromFileTime($_.lastLogon)}},@{n="DC";e={$DC}} }
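The one-liner prints one row per Domain Controller and leaves picking the newest value to the reader. The following added example (not the article's script) reduces those rows to a single answer and reports Domain Controllers that could not be queried; the function name Get-TrueLastLogon and its output property names are hypothetical, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example, not the article's script. Requires the ActiveDirectory module (RSAT).
function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)][string]$Identity   # e.g. the account name used above
    )
    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                        -Properties lastLogon -ErrorAction Stop
            # 'LastLogon' is a FILETIME; 0 or empty means no logon recorded on this DC.
            $when = if ($user.lastLogon -gt 0) {
                [datetime]::FromFileTime($user.lastLogon)
            } else { $null }
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $when; Error = $null }
        } catch {
            # Unreachable DC: keep a record, because its value is missing from the answer.
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; Error = $_.Exception.Message }
        }
    }
    # The true last logon is the newest value held by any Domain Controller.
    $latest = $results | Where-Object LastLogon |
              Sort-Object LastLogon -Descending | Select-Object -First 1
    [pscustomobject]@{
        User       = $Identity
        LastLogon  = $latest.LastLogon          # $null if no DC recorded a logon
        ReportedBy = $latest.DC
        DCsQueried = @($results).Count
        DCsFailed  = @($results | Where-Object Error).DC
    }
}

Get-TrueLastLogon -Identity jimbo
```

A non-empty DCsFailed list means the reported time is only a lower bound, since the Domain Controller that authenticated the most recent logon may be one of those that did not answer.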

Conclusion

After reading through this article all your queries about ‘LastLogon’ and ‘LastLogonTimeStamp’ should have been cleared up. We talked about what these attributes are, the differences between them, and how you can use them to audit your users and protect yourself from foreign agents trying to access your old accounts.