Computer object attribute LASTLOGONTIMESTAMP - update behaviour over VPN (cached creds used for user-logon)

[Kat_21] 21 Reputation points
2021-02-02T18:58:46.7+00:00

Scenario:

Computer boots up off-network
User logs on (cached creds)
VPN connection established
Questions:

Is the LASTLOGONTIMESTAMP updated on AD at this point?

If the device has an SCCM / MECM client - do those services / actions carried out by the client cause the LASTLOGONTIMESTAMP attribute to be updated?

I do see the LASTLOGONTIMESTAMP attribute being updated for a sample-set of computers, however I really want to understand WHEN and WHAT activity is actually causing the AD Computer Object attribute to be updated?

Do Windows 10 clients behave any differently to Windows 8 clients or Windows 7 (on MS ESU of course) for that matter?

Would really would like to see a knowledge base article from Microsoft on this, would be super-helpful.

Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,368 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Hannah Xiong 6,276 Reputation points
    2021-02-03T02:13:15.52+00:00

    Hello,

    Thank you so much for posting here.

    "Interactive, Network, and Service logons will update the lastLogontimeStamp. So if a user logs on interactively, browses a network share, access the email server, runs an LDAP query etc… the lastLogontimeStamp attribute will updated if the right condition is met."

    More information about when to update this attribute, we could refer to the below articles from Microsoft.

    https://learn.microsoft.com/zh-tw/archive/blogs/askds/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works

    https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. [Kat_21] 21 Reputation points
    2021-02-09T15:44:50.77+00:00

    I decided to do some testing myself.

    Wrote a script to hoover up all the DCs in my domain. Check-in with each of these for computer attributes: lastlogontimestamp, lastlogon

    $array = @()
    foreach ( $dc in (Get-ADDomain | select replicadirectoryservers) ) {
        foreach ( $server in $dc.replicadirectoryservers ) {
            Write-Host $server -ForegroundColor Yellow
            $comp = $null
            $comp = get-adcomputer computer01 -Properties lastlogontimestamp, lastlogon -Server $server
            $comp = $comp | select * , 
            @{name = "LastLogonFormatted"; e = {[datetime]::FromFileTime($_.lastlogon) }}, 
            @{name = "DC" ; e = { $server}}, 
            @{name = "LastLogontimestampFormatted"; e = {[datetime]::FromFileTime($_.lastlogontimestamp) }}
            $array += $comp }}
    $array | select lastlogon, lastlogonformatted, lastlogontimestamp, lastlogontimestampformatted | sort lastlogon | ft -AutoSize
    

    I then ran "GPUPDATE / FORCE" (elevated CMD shell) and the lastlogon attribute was updated @15:18!

    lastlogon LastLogonFormatted lastlogontimestamp LastLogontimestampFormatted

    132545257239756613 07/01/2021 20:42:03 132569096140516597 04/02/2021 10:53:34
    132545338445607419 07/01/2021 22:57:24 132569096140516597 04/02/2021 10:53:34
    132569327705215235 04/02/2021 17:19:30 132569096140516597 04/02/2021 10:53:34
    132573551762711034 09/02/2021 14:39:36 132569096140516597 04/02/2021 10:53:34
    132573575111639905 09/02/2021 15:18:31 132569096140516597 04/02/2021 10:53:34

    I did carry out some other activities whilst on the network but these never updated the lastlogon attribute, these were:

    • Open Excel doc from network share
    • Invoke tasks in SCCM configuration manager actions tab; Hardware Inventory, Application Dep. Eval
    • Mapped n/w drive in cmd (not elevated) to network share
    • net start bits (started BITs service)

    Kat

    0 comments No comments

  3. Hannah Xiong 6,276 Reputation points
    2021-02-10T03:02:37.953+00:00

    Hello,

    Thank you so much for your feedback.

    As for what activities cause a computer to update this attribute, so sorry that there seems to be no tech doc from MS clearly talking about this. Below is the similar discussion, we could kindly have a check.

    https://social.technet.microsoft.com/Forums/lync/en-US/a9be0aa3-048a-4d81-88b2-96c80989f655/when-does-the-computer-lastlogontimestamp-update?forum=winserverDS

    Thanks so much for your time to do the testing. The testing will be of great help to understand this question. It will also be very beneficial for other community members who have similar question.

    Your understanding and support are greatly appreciated.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.