Last Logon and Lastlogon Timestamp Difference

LastLogon: When a user logs on, this attribute is updated on the Domain Controller that provided the authentication ONLY. Because it is only updated on one DC, that means this attribute is not replicated. 

LastLogonTimeStamp: To summarize this attribute, this is the replicated version of the LastLogon attribute. It is designed to help identify inactive accounts and typically has a replication latency of up to 14 days to reduce replication traffic. Therefore, it is not always up-to-date to the exact time of the last logon and also the information is stored in NT time format which needs to be converted in human friendly format.

How does AD know when to update this attribute?

1. When the user logs on, the DC will pull the current value for lastlogontimestamp.
2. A value is generated for comparison. (14 minus a random percentage of 5 = valueforcomparison) (This generates a threshold of less than 14 days for updating)
3. The previous timestamp is subtracted from the current time.
4. If the time difference between the last timestamp is greater than the comparison value, the attribute is updated ( = It has been too long, it updates, the attribute replicates)
5. If the time difference is still less than the comparison value, then it hasn’t been long enough, and the attribute won’t be updated yet.

LastLogonDate: In Active Directory (AD), the last logon date is updated when a user or a service account interacts with the domain in a manner that requires authentication. This includes logging in to a computer, accessing network resources, or using services like email that authenticate against Active Directory. This value is updated in human friendly format.

Note:

Both the attribute LastLogonDate and LastLogonDate provide you the same information but it is just that the information format is different. For an example, if I export these attributes for a test user from my lab, I get the output below-

lastLogon                            : 133536800694120882

LastLogonDate                        : 29-02-2024 16:32:25

lastLogonTimestamp                   : 133536781459576468

If you convert the value of lastLogonTimestamp 133536781459576468 using NTTE command, you get the output as 29-02-2024 16:32:25 which is same as LastLogonDate.

C:\Users\mukesh>w32tm /ntte 133536781459576468

154556 11:02:25.9576468 - 29-02-2024 16:32:25

 To conclude the suggestion, both the value has same data but LastLogonDate values are human friendly. It makes more sense to utilize the value lastLogonTimestamp rather than the attribute LastLogonDate as you will not need to convert the value to human readable format which will save time and efforts.

You can find more information in the article below-

https://learn.microsoft.com/en-us/archive/technet-wiki/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate

Hi,

the attribute lastlogon is not replicated between domain controller. So you should check the value on domain controller where the user is connected to get the right value.

The attribute lastlogontimestamp is replicated but doesn't reflect the real date and time of last logon.
I invite you to read this article to understand more the difference between the those attributes:
22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

Please don't forget to mark helpful reply as answer