Thursday, 25 July 2013

LastLogon vs LastLogonTimeStamp

Description:

In this article, I am going to explain the difference between LastLogon vs LastLogonTimeStamp in Active Directory and how to find the True Last Logon value of an user from these two attributes.

Summary:

  • Both are Active Directory Schema attributes which are used to hold an user's Last Logon Time in two different ways. 
  • LastLogon is the Non-Replicable attribute. It means the value of this attribute is specific to a Domain Controller
  • LastLogonTimeStamp is the Replicable attribute but this attribute is not updated every time a user successfully logs in. This attribute is updated only when its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute

Before going to explain the clear difference, here I would like to recall the terms Replication and Non-Replicable attributes.

Replication

   In Active Directory,  objects are distributed among all domain controllers in a forest, and all domain controllers can be updated directly. Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.

Non-Replicable attributes

    Non replicable attributes are attributes that contains locally unique content on each domain controller. The information stored within such attribute is not replicated between domain controllers.

LastLogon

    LastLogon is nothing but the latest time of a user logged on into AD based system, which is non replicable attribute. It means the value of this attribute is specific to Domain Controller. So we can't say the user's True LastLogon time by simply querying only one DC. To get an accurate value for the user's last logon in the domain, the LastLogon attribute for the user must be retrieved from every domain controller in the domain. The largest value that is retrieved is the True LastLogon time for that user.

  Example

      Consider the user User1 and domain controllers DC1 and DC2.
  • User1 logs in to DC1 on the time T1
  • User1 logs in to DC2 on the time T2            
  Now to find user's True Last Logon, we need to query two DCs and find the values T1 and T2. Then we can get the latest value by comparing T1 and T2 as True LastLogon time.

LastLogonTimeStamp

     LastLogonTimeStamp is the replicable attribute but this attribute is not updated every time a user successfully logs in. This attribute is updated only when its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute.

Example

      Consider the user User1 and domain controller DC1.

     i.e. msDS-LogonTimeSyncInterval = 14 days
     i.e. Current value of LastLogonTimeStamp = T1 (current value)

  • Take User1 logs in to DC1 on the time T2 (current time)
   LastLogonTimeStamp value will be updated only if the following case get satisfied.

    If  (T2-14 days) >T1  then LastLogonTimeStamp is updated by the value T2 or else it remain as T1.

Note : This article is applies to Windows Server 2003, Windows Server 2008,Windows Server 2008 R2 and Windows Server 2012.

Related Articles:

How to: Tack AD Account Lockout Root Cause
AD Account Logon Audit Events
How to enable Active Directory Change events
Logon/Logoff Events in Active Directory
Active Directory Change Event IDs
Account Lockout Policy in Active Directory

Thanks,
Morgan
Software Developer

Advertisements
Advertisements

2 comments: