7,023 questions
P.S. Exactly the same question - still unaswered...
Blank LastLogon field
Mikhail Firsov
1,881
Reputation points
Hello!
Would anyone please tell me in wich case the user account's LastLogon attribute may display 0 on all domain controllers if the LastLogonDate for this account is NOT empty?
Thank you in advance,
Michael
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
5 answers
Sort by: Most helpful
-
-
Gary Reynolds 9,621 Reputation points2022-06-05T12:06:11.907+00:00 The post you referenced, contains pretty much all the information that is available on the attributes and how they are updated. You might need to raise a call with Microsoft if you are looking for more detail.
Gary.
-
Mikhail Firsov 1,881 Reputation points
2022-06-06T13:04:16.64+00:00 Hi GaryReynolds,
Yes, that post does contain much information on attributes but it does contain the answer to the question :)
Seems strange to me that no one has found the answer since 2018... What's the purpose of having many attributes if you can't understand what they are telling you :(
Regards,
Michael -
Gary Reynolds 9,621 Reputation points
2022-06-07T02:55:36.57+00:00 There are a number of factors that impact the logon attributes, you need to consider all of these to understand the results
- AD logon information is decentralized
- AD attributes are not authoritative for authentication information
- Domain Services supports multiple authentication methods, not all of them update the user's attributes
- Powershell returned interpreted values for attributes and properties that are not linked to attributes
Event logs are authoritative for logon information, this is also decentralized and volatile.
Gary.
-
Mikhail Firsov 1,881 Reputation points
2022-06-07T10:42:35.323+00:00 Hi GaryReynolds,
Yes, I agree, but I don't know any factor that could explain how in the company with two DCs there may be user accounts that doesn't seem to have ever logged on to any of these DCs but still have LastLogonDate populated.
-
Gary Reynolds 9,621 Reputation points
2022-06-07T11:41:05.983+00:00 The LastLogonDate is not an attribute of a user object, it is a created properties retuned by a powershell command, I can't be sure how this property will be represented if some or all of the attributes it's based on don't exist.
Have a look at this article which will display the actual attribute values and maybe share the details of one of the user accounts which has the wrong logon details.
You can also use this article to get the meta data of the user object, and check if the originating DC entry for the LastLogonTimeStamp attribute shows a DC name or if it shows DeletedDSA as in the example below, for the instanceType attribute, this means that the attribute was set on a DC that is no longer in the environment.
https://nettools.net/how-to-display-the-meta-data-of-an-ad-object/
Gary.
-
Gary Reynolds 9,621 Reputation points
2022-06-09T11:38:28.41+00:00 Just checking if there is any feedback or update on this one?
-
Mikhail Firsov 1,881 Reputation points
2022-06-09T12:43:28.08+00:00 Oh, it's weird... my reply to your last comment is missing...
1) Thank you very much for the interesting articles!
2) All enabled user accounts that don't have PasswordLastSet have no metadata at all:
...so I think it's just the "remnants" of the migration process from old domain controllers to the new ones (it was ~in 2014). The main problem here is the LastLogonDate: for ALL accounts without PLS it is more recent then 2014... if those accounts have never been used since 2014 why their lastLogonDate is NOT ~2014 (later then 2014) ?
Regards,
Michael -
Gary Reynolds 9,621 Reputation points
2022-06-09T13:47:14.007+00:00 The meta data not showing might be a unicode issue and the DN not being converted to utf-8 within nettools, I'll have a look at that tomorrow. Are you able to share a screenshot of the last logon test for the same user?
-
Mikhail Firsov 1,881 Reputation points
2022-06-09T14:27:52.867+00:00 Yes, of course - thank you!
-
Gary Reynolds 9,621 Reputation points
2022-06-10T08:28:38.9+00:00 Yep there is an issue with unicode conversion, and it will take a bit of effort to resolved, not helped by the display framework doesn't support unicode.
The query below can be used to display the meta data details and the other logon info. You can use this page on how to import the query into NetTools, this page has the details on how to import the query https://nettools.net/ldap-search-favorites/
[Get User Meta Data] Options=879892770722381 Server= BaseDN=##default Filter=(&(objectclass=*)(sAMAccountName={userinput:Name})) Attributes=meta.dc.lastlogontimestamp, meta.time.lastLogonTimestamp, lastlogon, lastlogontimestamp, logoncount, pwdlastset DisplayFilter= Filename= Sort= Controls= Authentication=1158 Separator=,Gary.
-
Mikhail Firsov 1,881 Reputation points
2022-06-10T11:04:14.253+00:00 GaryReynolds, thank you so much for the help, I'll see that article!
Sign in to comment -