In this article, I am going to explain the difference between LastLogon and LastLogonTimeStamp in Active Directory and how to find the True Last Logon value of a user from these two attributes.
- Both are Active Directory schema attributes which hold a user's last logon time in two different ways.
- LastLogon is a non-replicable attribute. The value of this attribute is specific to the domain controller that recorded the logon.
- LastLogonTimeStamp is a replicable attribute, but it is not updated every time a user successfully logs in. It is updated only when its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute.
Before explaining the difference in detail, I would like to recall the terms Replication and Non-Replicable attribute.
Replication
In Active Directory, objects are distributed among all domain controllers in a forest, and all domain controllers can be updated directly. Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.
Non-Replicable attributes
Non-replicable attributes are attributes that contain locally unique content on each domain controller. The information stored in such an attribute is not replicated between domain controllers.
LastLogon
LastLogon is simply the latest time at which a user logged on, as recorded by an AD-based system, and it is a non-replicable attribute. This means the value of this attribute is specific to one domain controller, so we cannot determine the user's True LastLogon time by querying only one DC. To get an accurate value for the user's last logon in the domain, the LastLogon attribute for the user must be retrieved from every domain controller in the domain. The largest value retrieved is the True LastLogon time for that user.
Consider the user User1 and domain controllers DC1 and DC2.
- User1 logs in to DC1 at time T1
- User1 logs in to DC2 at time T2
DC1 now holds LastLogon = T1 and DC2 holds LastLogon = T2, and neither value is replicated to the other DC. The True LastLogon for User1 is the larger of the two values.
LastLogonTimeStamp
LastLogonTimeStamp is a replicable attribute, but it is not updated every time a user successfully logs in. It is updated only when its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute.
Consider the user User1 and domain controller DC1, and assume:
- msDS-LogonTimeSyncInterval = 14 days
- Current value of LastLogonTimeStamp = T1
- User1 logs in to DC1 at time T2 (the current time)
If (T2 - 14 days) > T1, then LastLogonTimeStamp is updated to T2; otherwise it remains T1.
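To put both rules into practice, here is an added PowerShell example (not code from the original article): it reads lastLogon from every domain controller, keeps the largest value as the True LastLogon, and shows the replicated lastLogonTimestamp beside it. It assumes the ActiveDirectory (RSAT) module is installed, the account can read user objects on each DC, and uses 'User1' as a placeholder account name.

```powershell
# Added example, not part of the original article.
# Assumes the ActiveDirectory module is available; 'User1' is a placeholder.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # lastLogon is not replicated, so every DC must be asked and the
    # largest value kept. Values are FILETIME (100-ns ticks since 1601);
    # 0 means the user never logged on through that DC.
    $largest = 0
    $perDc   = @()
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            $value = [int64]$u.lastLogon
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }
        $when = $null
        if ($value -gt 0) { $when = [DateTime]::FromFileTime($value) }
        $perDc += [pscustomobject]@{ DC = $dc.HostName; LastLogon = $when }
        if ($value -gt $largest) { $largest = $value }
    }

    # lastLogonTimestamp is replicated, so any DC will do, but it can lag
    # behind the real last logon by up to msDS-LogonTimeSyncInterval
    # (14 days by default), as described in the article.
    $user = Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp
    $lts  = [int64]$user.lastLogonTimestamp

    $trueLastLogon = $null
    if ($largest -gt 0) { $trueLastLogon = [DateTime]::FromFileTime($largest) }
    $replicated = $null
    if ($lts -gt 0) { $replicated = [DateTime]::FromFileTime($lts) }

    [pscustomobject]@{
        User               = $SamAccountName
        PerDC              = $perDc
        TrueLastLogon      = $trueLastLogon
        LastLogonTimestamp = $replicated
    }
}

$result = Get-TrueLastLogon -SamAccountName 'User1'   # placeholder account
$result.PerDC | Format-Table -AutoSize
$result | Select-Object User, TrueLastLogon, LastLogonTimestamp | Format-List
```

A DC that is unreachable is reported with a warning rather than silently skipped, since a missing DC can hide the newest lastLogon value.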
Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.