Question about AD attribute LastLogonDate

Charlie Melga 126 Reputation points
2021-06-25T15:34:02.453+00:00

Hello,

Can someone please answer the following

If I have a domain joined computer (server for example) and a service on that computer is running under a user account (not an MSA account)

Let's say the service has been running for 6 months non-stop

Would the LastLogonDate be 6 months ago, or would it be when the user's (which the service is running under) TGT expires and they have to go get a new one?

In other words, does a new TGT trigger the LastLogonDate to be updated?

My concern is that I look at the users who have not logged on for 6 months and disable their accounts in AD, only to find that a long-running service using that account stops.

Any advice most welcome

Thanks
CXMelga


6 answers

  1. James Hamil 24,926 Reputation points Microsoft Employee
    2021-06-25T19:25:22.543+00:00

    Hi @Charlie Melga, Azure AD doesn't have the LastLogonDate attribute, as it's only for on-prem directories. Therefore it cannot sync with information on Azure AD. However, this thread details how you can work around this:

    Users by name: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDateTime: https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity

    Users by date: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z

    You can find more information about this here: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts

    Please let me know if you have any questions!

    If this answer helped you please mark it as "Verified" so other users may reference it.

    Thank you,
    James

    1 person found this answer helpful.

  2. Charlie Melga 126 Reputation points
    2021-06-26T08:38:09.283+00:00

    Hi James

    Thanks very much for taking the time to reply to my question

    However my question was specifically related to On-Premise (rather than Azure AD)

    My concern was, for example, an SQL database running under a standard Service Account (a human-based user account, let's say SQLSrvAcc) which has been running for 6 months without a reboot. It would show a LastLogonDate for user SQLSrvAcc of 6 months ago (when actually the user is active and running the SQL database). So if I then disabled the AD user SQLSrvAcc, I could stop the SQL database from running (even if only on the next reboot, perhaps).

    So I wanted to understand 'when' the LastLogonDate attribute is updated (I understand about the 9 to 14 day skew). Will the SQLSrvAcc LastLogonDate attribute get updated every time the user requests a new TGT (e.g. SQLSrvAcc is still active, but their TGT expires so they need to get a new one, despite the fact that they have not actually logged out)?

    Can anyone else also feed into this please

    Thanks very much
    CXMelga

    1 person found this answer helpful.

  3. Hannah Xiong 6,276 Reputation points
    2021-06-28T02:37:27.987+00:00

    Hi @Charlie Melga,

    Thanks for posting here.

    In my lab, a SQL database is running under a standard service account, and when it runs under this service account, the service account's LastLogon attribute will be updated.


    LastLogonDate is a converted version of LastLogontimestamp. He was technically right. It’s not a replicated attribute. Instead, it’s a locally calculated value of the replicated value.

    The LastLogontimeStamp attribute is not updated with all logon types or at every logon. Interactive, Network, and Service logons will update the lastLogontimeStamp. So if a user logs on interactively, browses a network share, accesses the email server, runs an LDAP query, etc., the lastLogontimeStamp attribute will be updated if the right condition is met.

    How does AD know when to update this attribute?

    • When the user logs on, the DC will pull the current value for lastLogonTimestamp.
    • A value is generated for comparison: 14 minus a random percentage of 5 = value for comparison. (This generates a threshold of less than 14 days for updating.)
    • The previous timestamp is subtracted from the current time.
    • If the time difference since the last timestamp is greater than the comparison value, the attribute is updated (it has been too long, so it updates and the attribute replicates).
    • If the time difference is still less than the comparison value, then it hasn't been long enough and the attribute won't be updated yet.

    Reference: https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

    Best regards,
    Hannah Xiong


  4. Charlie Melga 126 Reputation points
    2021-07-12T14:25:32.153+00:00

    Hello Hannah Xiong

    Thank you very much for taking the time to reply, much appreciated, and apologies for the late reply.

    You mentioned above "The LastLogontimeStamp attribute is not updated with all logon types or at every logon" and "Network, and Service logons will update the lastLogontimeStamp".

    The logon types are those in the following URL: https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types

    Does this mean Interactive Logon (logon at the console) does not update the LastLogonDate? Or did you just specify a couple of examples above, please?

    What I am interested in mostly is what type of logon 'does not' update the LastLogonTimeStamp (LastLogonDate).

    Thanks very much again for your time
    CXMelga


  5. Hannah Xiong 6,276 Reputation points
    2021-07-13T05:12:24.153+00:00

    Hello CXMelga,

    You are welcome. Thank you so much for your kind reply.

    "The lastLogontimeStamp attribute is not updated with all logon types or at every logon. The good news is that the logon types that admins usually care about will update the attribute, and often enough to accomplish its task of identifying inactive accounts.

    Interactive, Network, and Service logons will update the lastLogontimeStamp. So if a user logs on interactively, browses a network share, accesses the email server, runs an LDAP query, etc., the lastLogontimeStamp attribute will be updated if the right condition is met."

    The lastLogontimeStamp attribute is not updated every time a user or computer logs on to the domain. The decision to update the value is based on the current date minus the value of the (ms-DS-Logon-Time-Sync-Interval attribute minus a random percentage of 5). If the result is equal to or greater than lastLogontimeStamp the attribute is updated.

    So an interactive logon will update the lastLogonTimestamp. The update could be triggered by Interactive, Network, Batch and Service logons.

    A Network logon occurs when you access remote file shares or printers. Also, most logons to IIS are classified as network logons.

    Service logon is used for services and accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.

    Batch logon is used for scheduled tasks. When the Task Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created.

    According to my research, as of Windows 2003 SP1 these logon types will NOT update lastLogontimeStamp:
    • Certificate mapping through Microsoft Internet Information Services (IIS).
    • Microsoft .NET Passport mapping through IIS.

    Hope it helps. Thanks very much for your support.

    Best regards,
    Hannah Xiong
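To make the update rule described in Hannah's two replies concrete, here is an added Python model (example code written for this page, not Microsoft's code or any library's implementation). It assumes the default 14-day ms-DS-Logon-Time-Sync-Interval and interprets the "random percentage of 5" as a 0..5 day offset, which is what gives the 9-to-14-day skew mentioned in the question; the logon-type codes, the REVIEW_TIME constant and the daily-logon sample are constructed for the example. It also shows the check an inactive-account review should apply so that the lag in the replicated value never causes an account that did log on recently to be disabled.

```python
"""Worked model of the lastLogonTimestamp update rule from this thread."""
from datetime import datetime, timedelta
import random

# Default ms-DS-Logon-Time-Sync-Interval in days, as stated in the thread.
SYNC_INTERVAL_DAYS = 14

# Logon types the thread says trigger the update. The numeric codes are the
# standard Windows logon-type numbers; the names are the ones used above.
UPDATING_LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service"}

# Constructed reference time for the examples (the question's timestamp).
REVIEW_TIME = datetime(2021, 6, 25, 15, 34)


def should_update(stored_ts, now, random_days, interval_days=SYNC_INTERVAL_DAYS):
    """Apply the rule quoted in the thread.

    The DC computes now - (interval - random offset) and rewrites the
    attribute only if that value is >= the stored timestamp. A value that has
    never been set is always written. Assumption (this example's, not stated
    verbatim in the thread): the "random percentage of 5" is a uniform 0..5
    day offset, which yields the 9-to-14-day skew the question mentions.
    """
    if stored_ts is None:
        return True
    comparison = now - timedelta(days=interval_days - random_days)
    return comparison >= stored_ts


def simulate(logons, random_days=None, seed=0, interval_days=SYNC_INTERVAL_DAYS):
    """Replay (time, logon_type) events in order and return the times at which
    lastLogonTimestamp was actually rewritten (each of which would replicate).

    Pass random_days to make the decision deterministic; otherwise a seeded
    uniform 0..5 day offset is drawn for each qualifying logon.
    """
    rng = random.Random(seed)
    stored = None
    updates = []
    for when, logon_type in sorted(logons):
        if logon_type not in UPDATING_LOGON_TYPES:
            continue  # e.g. IIS certificate mapping never touches the attribute
        offset = rng.uniform(0, 5) if random_days is None else random_days
        if should_update(stored, when, offset, interval_days):
            stored = when
            updates.append(when)
    return updates


def build_daily_logons(days, logon_type=2, start=REVIEW_TIME):
    """Constructed sample: one logon of the given type every day from start."""
    return [(start + timedelta(days=d), logon_type) for d in range(days)]


def stamp_days_ago(n, now=REVIEW_TIME):
    """Constructed stored lastLogonTimestamp value n days before now."""
    return now - timedelta(days=n)


def safe_to_flag_inactive(stored_ts, now, inactive_days=180,
                          interval_days=SYNC_INTERVAL_DAYS):
    """True only if the account is inactive under the policy even after
    allowing for the lag: the stored value can be up to interval_days older
    than the real last qualifying logon, so use that later time as worst case.
    """
    latest_possible_logon = stored_ts + timedelta(days=interval_days)
    return now - latest_possible_logon >= timedelta(days=inactive_days)


if __name__ == "__main__":
    events = build_daily_logons(60)
    for t in simulate(events, random_days=2.5):
        print("attribute rewritten on day", (t - REVIEW_TIME).days)
    for n in (185, 194, 200):
        verdict = "flag" if safe_to_flag_inactive(stamp_days_ago(n), REVIEW_TIME) else "too soon"
        print(n, "days old ->", verdict)
```

With a logon every day and a fixed 2.5-day offset, the attribute is rewritten only on days 0, 12, 24, 36 and 48, so an account that is in daily use still shows a value up to about two weeks old; the review check therefore subtracts the interval from the policy window before deciding an account is stale.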

