"Last logon time" & "Last time the account was authenticated by AD

Environment: Windows 200

Are "Last logon time" and "Last time the account was authenticated by AD"
the same? We have the requirement to identify the last time that account was
used or accessed.

Currently I am generating a report that will query all the DCs and will get
the updated Last logon time. But this is not always correct?

"Last logon time" & "Last time the account was authenticated by AD" the same?

 

Auditing guys asked me the same thing and I used DumpSec to query that from AD.
They were satisfied.

 

Yes, the last time an account authenticated in AD will be the date/time that
corresponds to the value of the lastLogon attribute. Just remember that the
lastLogon attribute is not replicated. For any user or computer object a
different value is saved on every Domain Controller. You must query all DC's
in the domain to get the largest (latest) value.

For most purposes, the lastLogonTimeStamp attribute will suffice. This
attribute is only updated during logon if the old value is at least 14 (by
default) days in the past, but the value is replicated. You only need to
query one DC (any DC). The value is accurate if it corresponds to a date
more than 14 days in the past.

Both attributes are Integer8, so they are 64-bit numbers representing dates
in UTC as the number of 100-nanosecond intervals since 12:00 AM January 1,
1601. The 64-bit value must be converted to a date/time in the current time
zone.

I believe you can use Joe Richards' oldcmp utility for this:

http://www.joeware.net/win/free/tools/oldcmp.htm

And I have a VBScript program to retrieve lastLogon for all users in the
domain linked here:

http://www.rlmueller.net/Last Logon.htm

 

I should have stated that the lastLogonTimeStamp attribute is only available
if the domain is at Windows 2003 functional level. It is replicated. The
lastLogon attribute is never replicated.

 

Hi All,

Thank you for responses. I do have a script that extracts last logon details
of all the users in the domain. It quires all the domain controller and get
the update value.

My question is, Is the "Last logon time" & "Last time the account was
authenticated" the same?

Example:

"User A" is logged on the computer and trying to access one of the
application or any resource using "User B" account. Will the last logon time
stamp change for User B?

Hi All,

Thank you for responses. I do have a script that extracts last logon details
of all the users in the domain. It quires all the domain controller and get
the update value.

My question is, Is the "Last logon time" & "Last time the account was
authenticated" the same?

Example:

"User A" is logged on the computer and trying to access one of the
application or any resource using "User B" account. Will the last logon time
stamp change for User B?

 

Yes, they are the same. I find that lastLogon is updated whenever
credentials (username and password) are supplied, even by a different user.
It's the last time the DC authenticated the username\password combination.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net