Will you please help correct the date for the domain controller and some other devices, which are showing an advanced lastLogonTimestamp in the year 2042?
Question about AD attribute LastLogonDate
Hi,
I have a question regarding the last logon date.
I have run an AD report to get all users/devices with their last logon date, but some of them show a date more than 1 year old, or no date at all.
If a user account is used as a service account, or is used to log in to, say, email, will it record the last logon date?
If a user account is used for anything, will it update the last logon date?
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | User experience | Other
Anonymous
2024-01-08T08:44:36.1133333+00:00
Hello lalajee,
Thank you for posting in Q&A forum.
In Active Directory (AD), the last logon date is updated when a user or a service account interacts with the domain in a manner that requires authentication. This includes logging in to a computer, accessing network resources, or using services like email that authenticate against Active Directory.
There are two attributes in AD that store logon information:
LastLogon: This attribute is not replicated across domain controllers. It is precise but requires querying each domain controller.
Then we need to look at the LastLogon of each user on each DC, convert each value, and take the most recent one as the last logon.
LastLogonTimestamp: This attribute is replicated but not in real-time. It is designed to help identify inactive accounts and typically has a replication latency of up to 14 days to reduce replication traffic. Therefore, it is not always up-to-date to the exact time of the last logon.
Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate
https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx?Redirected=true
You can delete the user accounts of all users who do not work for the company by filtering on these two attributes.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
-
Thameur-BOURBITA 36,526 Reputation points Moderator
2024-01-05T11:52:56.8033333+00:00
Hi @lalajee
I have run an ad report to get all user/device with last logon date but some of them are using more than 1 year or no date.
This attribute is not replicated to all domain controllers; if you want to use this attribute to identify whether the account is active or not, you have to check on all domain controllers. Below is an example of a script:
# Collect the hostname of every DC, then read the non-replicated lastLogon for one user from each of them.
$DCLIST = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($DC in $DCLIST) {
    # lastLogon is a FILETIME integer; convert it to a DateTime for display.
    Get-ADUser -Identity UserName -Properties lastLogon -Server $DC |
        Select-Object @{N='DC'; E={$DC}}, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.lastLogon)}}
}
If a user account is used as a service account, or is used to log in to, say, email, will it record the last logon date?
The last logon date will be updated when the service or the server is restarted, or when the account authenticates to connect to the mailbox.
-
Michael John Pena 165 Reputation points MVP
2024-01-05T11:21:38.4+00:00
The LastLogonDate attribute in Active Directory (AD) is not updated every time a user or a service running under a user account logs on to the domain. The decision to update the value is based on a formula: the current date minus the value of the ms-DS-Logon-Time-Sync-Interval attribute minus a random percentage of 5. If the result is equal to or greater than LastLogonDate, the attribute is updated.
For example, if a service is running under a user account and has been running for 6 months without a reboot, the LastLogonDate for that user might show as 6 months ago. This is because the service might still have a valid Kerberos Ticket Granting Ticket (TGT) on the machine, and a new TGT does not necessarily trigger an update to the LastLogonDate.
So, if a user account is used for anything (like running a service or logging into an email), it might not necessarily update the LastLogonDate. It's important to note that this attribute is designed to help identify inactive accounts for potential disablement, not to track each and every logon event. If you need more precise logon tracking, you might want to consider using audit logs or third-party solutions designed for this purpose.
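The three answers above describe the same pieces separately: the non-replicated lastLogon that must be read from every DC, the replicated lastLogonTimestamp that can lag by up to the msDS-LogonTimeSyncInterval (14 days by default), and accounts that show no date or an implausible date such as the year 2042 mentioned in the question. The script below is an added example that puts them together into one stale-account report; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory (RSAT) module, read access to all user objects, and that every DC is reachable. The $InactiveDays threshold and the status names are this example's own choices.

```powershell
# Added example: consolidate lastLogon from every DC, compare it with the
# replicated lastLogonTimestamp, and classify accounts for an inactivity review.
param(
    [int]$InactiveDays = 90   # assumed review threshold, adjust to policy
)

Import-Module ActiveDirectory

# msDS-LogonTimeSyncInterval is stored on the domain NC head; unset means the 14-day default.
$domain       = Get-ADDomain
$syncInterval = (Get-ADObject -Identity $domain.DistinguishedName `
                    -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
if (-not $syncInterval) { $syncInterval = 14 }

# lastLogon / lastLogonTimestamp are FILETIME integers; 0 or missing means "never seen".
function ConvertFrom-FileTime {
    param([Int64]$Value)
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTime($Value)
}

$now    = Get-Date
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$latest = @{}   # samAccountName -> most recent lastLogon observed on any DC

foreach ($dc in $dcs) {
    try {
        Get-ADUser -Filter * -Server $dc -Properties lastLogon | ForEach-Object {
            $t = ConvertFrom-FileTime $_.lastLogon
            if ($t -and (-not $latest[$_.SamAccountName] -or $t -gt $latest[$_.SamAccountName])) {
                $latest[$_.SamAccountName] = $t
            }
        }
    } catch {
        # An unreachable DC makes the report incomplete; say so rather than silently reporting "inactive".
        Write-Warning "Could not query ${dc}: $_"
    }
}

$report = Get-ADUser -Filter * -Properties lastLogonTimestamp, whenCreated, Enabled | ForEach-Object {
    $replicated = ConvertFrom-FileTime $_.lastLogonTimestamp
    $precise    = $latest[$_.SamAccountName]

    # Take the newer of the two sources; either may be missing.
    $best = if ($precise -and $replicated) { if ($precise -gt $replicated) { $precise } else { $replicated } }
            elseif ($precise) { $precise } else { $replicated }

    $status = if ($best -and $best -gt $now.AddDays(1)) {
                  'SuspectFutureDate'      # e.g. a year-2042 value: investigate, do not count as active
              } elseif (-not $best) {
                  if ($_.whenCreated -lt $now.AddDays(-$InactiveDays)) { 'NeverLoggedOn' } else { 'New' }
              } elseif ($best -lt $now.AddDays(-($InactiveDays + $syncInterval))) {
                  'Inactive'               # older than the threshold even after allowing for replication lag
              } elseif ($best -lt $now.AddDays(-$InactiveDays)) {
                  'PossiblyInactive'       # inside the lag window; re-check lastLogon on each DC before acting
              } else {
                  'Active'
              }

    [PSCustomObject]@{
        SamAccountName     = $_.SamAccountName
        Enabled            = $_.Enabled
        LastLogonAnyDC     = $precise
        LastLogonTimestamp = $replicated
        Status             = $status
    }
}

$report | Where-Object Status -ne 'Active' | Sort-Object Status, SamAccountName | Format-Table -AutoSize
```

The 'PossiblyInactive' band exists because, as the answers note, lastLogonTimestamp is only guaranteed to be within the sync interval of the true last logon; an account whose replicated value is 95 days old may have logged on 81 days ago. Disabling should be driven by the 'Inactive' rows, and 'SuspectFutureDate' rows (the 2042 values from the question) are a data-quality problem to investigate, not evidence of recent activity.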