Lastlogin dates don't match RRS feed

  • Question

  • Because of an Audit we are having to go through some of our Disabled AD users.

    In PowerShell, when I run

    net user "Username"

    I get a last logon date equal to the day we disabled these accounts in our records. However, when I run

    Get-ADUser -Identity "Username" -Properties lastlogondate

    the date shown is a completely different one, several months later. This is a little concerning, as you might imagine. I am trying to determine if this is a genuine login or if there is something else.

    I would like to know why these dates don't match and, if possible, what action would cause the second date to be different. I have tested OWA mailbox logins to see if that would do it, and the date did not change.

    Thank you for your help.


    • Edited by LisCestes Monday, October 17, 2016 5:26 PM
    Monday, October 17, 2016 5:26 PM

All replies

  • In AD there is an attribute called lastlogontimestamp and you can read about it here:  https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/

    There is also lastlogon which is not replicated in AD.  Determine which attributes you are comparing and make sure it is like for like.

    Here is a good link and Mr. Mueller may chime in.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/70227035-6fcd-4d7f-958e-f9b2dd325cd8/finding-the-accurate-last-logon-time-of-an-ad-account?forum=winserverDS


    • Edited by vaadadmin2010 Monday, October 17, 2016 7:20 PM
    • Proposed as answer by Wendy Jiang Friday, October 21, 2016 9:09 AM
    • Marked as answer by Wendy Jiang Tuesday, October 25, 2016 8:44 AM
    Monday, October 17, 2016 7:18 PM
  • Hi,
    Generally, we might be confused by the following attributes.

    Last-Logon-Timestamp attribute: This is the time that the user last logged into the domain. Whenever a user logs on, the value of this attribute is read from the DC. If the value is older than [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus a random percentage of 5 days.

    Last-Logon attribute: The last time the user logged on. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last logon time is unknown.

    LastLogonDate: LastLogonDate is a converted version of lastLogonTimestamp. It's a locally calculated value of the replicated value.

    Please check:

    Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate
    https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Wendy Jiang Friday, October 21, 2016 9:09 AM
    • Marked as answer by Wendy Jiang Tuesday, October 25, 2016 8:44 AM
    Tuesday, October 18, 2016 8:01 AM
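As an added example (not code from the thread, from Microsoft, or from the linked articles), the following PowerShell script makes the distinction above concrete: it reads the non-replicated lastLogon from every domain controller, converts the FILETIME values, and compares the newest one with the replicated lastLogonTimestamp. It assumes the ActiveDirectory module is installed, that the account running it can query each DC, and the parameter name SamAccountName is the example's own.

```powershell
# Added example, not from the thread: compare the per-DC lastLogon values of
# one account with its replicated lastLogonTimestamp.
# Assumes the ActiveDirectory module; the parameter name is the example's own.
param(
    [Parameter(Mandatory)] [string] $SamAccountName
)

# Both attributes are FILETIME values: 100-nanosecond intervals since
# 1601-01-01 UTC. Zero means the DC has never recorded a logon.
function ConvertFrom-FileTime {
    param([Int64] $Value)
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# lastLogon is written only on the DC that authenticated the user and is never
# replicated, so every DC has to be asked and the newest value wins.
$perDc = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon, lastLogonTimestamp
        [pscustomobject]@{
            DC                 = $dc
            LastLogon          = ConvertFrom-FileTime $u.lastLogon
            LastLogonTimestamp = ConvertFrom-FileTime $u.lastLogonTimestamp
        }
    }
    catch {
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
    }
}

$perDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize

$newestLastLogon = $perDc | Where-Object { $_.LastLogon } |
    Sort-Object LastLogon -Descending | Select-Object -First 1 -ExpandProperty LastLogon

# lastLogonTimestamp does replicate, so once replication has converged every
# DC holds the same value; the first non-empty copy is enough.
$replicatedStamp = $perDc | Where-Object { $_.LastLogonTimestamp } |
    Select-Object -First 1 -ExpandProperty LastLogonTimestamp

"Newest lastLogon on any DC (UTC)    : $newestLastLogon"
"Replicated lastLogonTimestamp (UTC) : $replicatedStamp"

# LastLogonDate, the friendly property Get-ADUser exposes, is just
# lastLogonTimestamp converted to local time. The stamp is rewritten only when
# it is older than now minus msDS-LogonTimeSyncInterval (14 days by default,
# less a random 0-5 days), so it normally LAGS the real last logon. A stamp
# that is newer than every DC's lastLogon cannot have come from a logon that
# any of the DCs queried here recorded.
if ($replicatedStamp -and $newestLastLogon -and $replicatedStamp -gt $newestLastLogon) {
    "lastLogonTimestamp is newer than every lastLogon: something other than a logon recorded by a queried DC refreshed it."
}
elseif ($newestLastLogon) {
    "lastLogonTimestamp is at or behind the newest lastLogon, which is the expected relationship."
}
```

Run it as `.\Compare-LastLogon.ps1 -SamAccountName someuser` (script name is the example's own). The per-DC table is the like-for-like comparison the reply above asks for; a DC that has been demoted since the logon will of course not appear, which is one benign reason the two values can disagree.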
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    I appreciate your feedback.

    Best regards,

    Wendy



    Friday, October 21, 2016 9:09 AM
  • LisCestes, you seem to be saying that the lastLogonTimestamp attribute of the user has a more recent value (when converted into a datetime value) than any lastLogon value for the user on any DC. The only reference I can find that might explain is this blog post:

    https://blogs.technet.microsoft.com/askpfeplat/2014/04/13/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self/

    This blog post states:

    ===== quote =====

    LastLogonTimeStamp might not always be updated by an actual Logon. S4u2Self requests for access checks can update the attribute. In order to track down the requests that are updating the account, you need to dump the metadata for the account, locate the DC that updated the attribute and parse the logs for the 4769 Kerberos Service Ticket Operation made at the same time. The machine making the request will log a 4624 Logon Event.

    ===== end of quote =====

    S4u2Self is a Kerberos Operation known as Service-for-User-to-Self, in which a client/service can request a ticket for a user that is only useful for things like determining Access Checks or Group Membership.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Wendy Jiang Tuesday, October 25, 2016 8:44 AM
    Friday, October 21, 2016 3:13 PM
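As an added example (not code from the thread or from the quoted blog post), this PowerShell script walks the investigation the quote describes: it reads the replication metadata for lastLogonTimestamp to find the DC that originated the last write and when, then pulls the 4769 (Kerberos service ticket) events from that DC's Security log in a window around that time. It assumes the ActiveDirectory module, remote access to the DC's Security log, that the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the DC, and the parameter names SamAccountName and WindowMinutes are the example's own.

```powershell
# Added example, not from the thread or the quoted blog: find which DC last
# wrote lastLogonTimestamp for an account and list the Kerberos service-ticket
# events (4769) that DC logged around that moment.
# Assumes the ActiveDirectory module, remote read access to the DC's Security
# log, and that "Audit Kerberos Service Ticket Operations" is enabled there.
# Parameter names are the example's own.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $WindowMinutes = 5
)

$user = Get-ADUser -Identity $SamAccountName

# Replication metadata records, per attribute, which DC originated the last
# write and when. Any DC can answer; the PDC emulator is simply a known name.
$pdc  = (Get-ADDomain).PDCEmulator
$meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $pdc -Properties lastLogonTimestamp

# The originating server is reported as its NTDS Settings DN; map it back to a DC.
$dc = Get-ADDomainController -Filter * |
    Where-Object { $_.NTDSSettingsObjectDN -eq $meta.LastOriginatingChangeDirectoryServerIdentity }
if (-not $dc) {
    throw "Originating DC '$($meta.LastOriginatingChangeDirectoryServerIdentity)' not found; it may have been demoted."
}

"lastLogonTimestamp last written on $($dc.HostName) at $($meta.LastOriginatingChangeTime) (version $($meta.Version))"

$start = $meta.LastOriginatingChangeTime.AddMinutes(-$WindowMinutes)
$end   = $meta.LastOriginatingChangeTime.AddMinutes($WindowMinutes)

# 4769 = "A Kerberos service ticket was requested". An S4U2Self request made
# for an access check lands here even though nobody logged on with the account.
$events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = $start
    EndTime   = $end
}

$parsed = $events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        AccountName   = $data['TargetUserName']   # user@REALM form
        ServiceName   = $data['ServiceName']      # service the ticket was for
        ClientAddress = $data['IpAddress']        # where the request came from
        TicketOptions = $data['TicketOptions']
        Status        = $data['Status']
    }
}

# Show requests that name the account first; the remaining events in the
# window are still worth a look, because the requesting service may appear
# under its own name.
$hits = $parsed | Where-Object { $_.AccountName -like "$SamAccountName@*" }
"4769 events on $($dc.HostName) in window: $(@($parsed).Count); naming $SamAccountName: $(@($hits).Count)"
$hits | Sort-Object Time | Format-Table -AutoSize
```

Run it as `.\Trace-LastLogonTimestamp.ps1 -SamAccountName someuser -WindowMinutes 10` (script name is the example's own). The ClientAddress column is the machine the quoted post says will carry the matching 4624 logon event; checking that host's Security log for the same minute closes the loop on whether the update was an access check rather than a person signing in.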