TL;DR – If you want the most accurate logon time, you must query the lastLogon attribute from all domain controllers. If a tolerance of ±19 days is acceptable, then you can just read lastLogonTimestamp from the closest domain controller.


lastLogon

This attribute is not replicated and is maintained separately on each domain controller in the domain. To get an accurate value for the user’s last logon in the domain, the Last-Logon attribute for the user must be retrieved from every domain controller in the domain. The largest value that is retrieved is the true last logon time for that user.

https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogon#remarks


lastLogonTimestamp

Whenever a user logs on, the value of this attribute is read from the DC. If the value is older than [ current_time – msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus a random percentage of 5 days.

https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogontimestamp


Notes:

  1. Both dates are stored as a FILETIME (Int64 in .NET/PowerShell) if you retrieve them programmatically.
  2. PowerShell also provides a LastLogonDate property. I would have preferred to provide Microsoft-specific documentation to confirm this, but most sources say, and my testing confirms, that it is the lastLogonTimestamp converted to a local DateTime value.
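The "query every DC and keep the largest value" procedure from the TL;DR, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module is loaded and that the caller can reach every domain controller; the function name and the sample account `jdoe` are made up for illustration.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and network reachability to every DC in the domain.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SamAccountName)

    # lastLogon is not replicated, so every DC must be asked individually.
    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
            [pscustomobject]@{
                DC                 = $dc.HostName
                lastLogon          = [int64]$u.lastLogon           # FILETIME, 0 = never logged on here
                lastLogonTimestamp = [int64]$u.lastLogonTimestamp  # replicated, may lag by msDS-LogonTimeSyncInterval
            }
        } catch {
            # A DC that cannot be reached leaves a gap in the answer; surface it.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    # The largest FILETIME across all DCs is the true last logon.
    $best  = $results | Sort-Object lastLogon -Descending | Select-Object -First 1
    # The replicated stamp should be identical everywhere; take the maximum in case of replication lag.
    $stamp = ($results | Measure-Object lastLogonTimestamp -Maximum).Maximum

    # FromFileTime converts to local time, matching what LastLogonDate reports.
    $lastLogonDate = $null
    if ($best -and $best.lastLogon -gt 0) { $lastLogonDate = [DateTime]::FromFileTime($best.lastLogon) }
    $stampDate = $null
    if ($stamp -gt 0) { $stampDate = [DateTime]::FromFileTime($stamp) }

    [pscustomobject]@{
        User               = $SamAccountName
        LastLogon          = $lastLogonDate
        ReportedByDC       = $best.DC
        LastLogonTimestamp = $stampDate
        DCsQueried         = @($results).Count
    }
}

Get-TrueLastLogon -SamAccountName 'jdoe'
```

Compare the two dates in the output: the gap between LastLogon and LastLogonTimestamp is the staleness you accept when you read only the replicated attribute.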
