Last Logon and Lastlogon Timestamp Difference

Thiru ram 21 Reputation points
2022-01-18T01:44:14.4+00:00


I would like to know about the difference between AD lastlogon and lastlogontimestamp.
For user authentication, which one of the above is the best way to monitor? I would appreciate your help in advance.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

Accepted answer
  1. Anonymous
    2022-01-18T02:10:49.527+00:00

    Which is the best way to monitor user activity, Last logon or Lastlogontimestamp? Please advise.

    LastLogon would be the more accurate.
    https://learn.microsoft.com/en-us/windows/win32/adschema/a-lastlogon#remarks

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

2 additional answers

  1. Mukesh Agarwal 55 Reputation points
    2024-05-06T09:18:09.4433333+00:00

    LastLogon: When a user logs on, this attribute is updated on the Domain Controller that provided the authentication ONLY. Because it is only updated on one DC, that means this attribute is not replicated. 

    LastLogonTimeStamp: To summarize this attribute, this is the replicated version of the LastLogon attribute. It is designed to help identify inactive accounts and typically has a replication latency of up to 14 days to reduce replication traffic. Therefore, it is not always up to date to the exact time of the last logon, and the information is stored in NT time format, which needs to be converted into a human-friendly format.

    How does AD know when to update this attribute?

    1. When the user logs on, the DC will pull the current value for lastlogontimestamp.
    2. A value is generated for comparison. (14 minus a random percentage of 5 = valueforcomparison) (This generates a threshold of less than 14 days for updating)
    3. The previous timestamp is subtracted from the current time.
    4. If the time difference between the last timestamp is greater than the comparison value, the attribute is updated ( = It has been too long, it updates, the attribute replicates)
    5. If the time difference is still less than the comparison value, then it hasn’t been long enough, and the attribute won’t be updated yet.

    LastLogonDate: In Active Directory (AD), the last logon date is updated when a user or a service account interacts with the domain in a manner that requires authentication. This includes logging in to a computer, accessing network resources, or using services like email that authenticate against Active Directory. This value is updated in a human-friendly format.

    Note:

    Both the attribute LastLogonDate and LastLogonDate provide you the same information; it is just that the information format is different. For example, if I export these attributes for a test user from my lab, I get the output below:

    lastLogon                            : 133536800694120882

    LastLogonDate                        : 29-02-2024 16:32:25

    lastLogonTimestamp                   : 133536781459576468

     

    If you convert the lastLogonTimestamp value 133536781459576468 using the NTTE command, you get the output 29-02-2024 16:32:25, which is the same as LastLogonDate.

    C:\Users\mukesh>w32tm /ntte 133536781459576468

    154556 11:02:25.9576468 - 29-02-2024 16:32:25

    To conclude the suggestion, both values have the same data, but LastLogonDate values are human friendly. It makes more sense to utilize the value lastLogonTimestamp rather than the attribute LastLogonDate, as you will not need to convert the value to a human-readable format, which will save time and effort.

    You can find more information in the article below:

    https://learn.microsoft.com/en-us/archive/technet-wiki/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate

     

    2 people found this answer helpful.

  2. Thameur-BOURBITA 36,261 Reputation points Moderator
    2022-01-18T01:56:39.52+00:00

    Hi,

    The attribute lastlogon is not replicated between domain controllers, so you should check the value on the domain controller where the user is connected to get the right value.

    The attribute lastlogontimestamp is replicated but doesn't reflect the real date and time of the last logon.
    I invite you to read this article to better understand the difference between those attributes:
    22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

    Please don't forget to mark helpful reply as answer

    1 person found this answer helpful.
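
An added example, not part of any answer in this thread: the NT time conversion, the update rule from steps 1-5, and the "newest lastLogon on any DC" lookup, applied to the two values exported above. The DC names, `SAMPLE_NOW`, the function names and the reading of step 2 as "14 days minus up to 5 days" are assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SYNC_INTERVAL_DAYS = 14  # update interval quoted in the answers
RANDOM_SPREAD_DAYS = 5   # "random percentage of 5" from step 2


def filetime_to_utc(ticks):
    """Convert NT time (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def would_update_timestamp(stored_ticks, logon_ticks, random_fraction):
    """Steps 1-5: update only when the stored value is older than the threshold.

    random_fraction (0.0-1.0) stands in for the DC's random percentage, giving
    a threshold between 9 and 14 days (assumed reading of step 2).
    """
    days = SYNC_INTERVAL_DAYS - RANDOM_SPREAD_DAYS * random_fraction
    age = filetime_to_utc(logon_ticks) - filetime_to_utc(stored_ticks)
    return age > timedelta(days=days)


def true_last_logon(per_dc_last_logon):
    """lastLogon is not replicated, so take the newest value held by any DC."""
    seen = {dc: t for dc, t in per_dc_last_logon.items() if t}  # 0 = never here
    if not seen:
        return None, None
    dc = max(seen, key=seen.get)
    return dc, filetime_to_utc(seen[dc])


def inactive_for_at_least(timestamp_ticks, now, days):
    """Inactivity test on lastLogonTimestamp that allows for its 14-day lag."""
    margin = timedelta(days=days + SYNC_INTERVAL_DAYS)
    return now - filetime_to_utc(timestamp_ticks) >= margin


# Constructed sample: the two exported values plus hypothetical DC names.
LAST_LOGON_TIMESTAMP = 133536781459576468
PER_DC = {"DC01": 0, "DC02": 133536800694120882, "DC03": 133536781459576468}
SAMPLE_NOW = datetime(2024, 5, 6, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    dc, when = true_last_logon(PER_DC)
    print("lastLogonTimestamp:", filetime_to_utc(LAST_LOGON_TIMESTAMP))
    print("newest lastLogon  :", when, "on", dc)
    print("inactive >= 60 days:",
          inactive_for_at_least(LAST_LOGON_TIMESTAMP, SAMPLE_NOW, 60))
```

The second logon in the sample is about 32 minutes after the stored lastLogonTimestamp, so `would_update_timestamp` returns False for it, which is why the two exported values differ.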
