TL;DR – If you want the most accurate logon time, you must query the lastLogon attribute from all domain controllers. If a tolerance of ±19 days is acceptable, then you can just read lastLogonTimestamp from the closest domain controller.
The lastLogon attribute is not replicated and is maintained separately on each domain controller in the domain. To get an accurate value for the user’s last logon in the domain, the Last-Logon attribute for the user must be retrieved from every domain controller in the domain. The largest value that is retrieved is the true last logon time for that user.
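One way to run the per-DC query described above, as an added PowerShell example that is not from the original page. It assumes the ActiveDirectory (RSAT) module is installed; `Get-TrueLastLogon` and the account name `jdoe` are hypothetical names chosen for illustration.

```powershell
# Added example, not the page author's code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrueLastLogon {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Identity   # sAMAccountName, DN, GUID or SID
    )

    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # lastLogon is not replicated: each DC reports only the logons it handled.
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
            # An unset attribute casts to 0 (no logon recorded on this DC).
            [pscustomobject]@{ DC = $dc.HostName; Raw = [int64]$user.lastLogon; Error = $null }
        }
        catch {
            # Record the failure: with a DC missing, the maximum is only a lower bound.
            [pscustomobject]@{ DC = $dc.HostName; Raw = [int64]0; Error = $_.Exception.Message }
        }
    }

    # The largest raw value across all DCs is the true last logon.
    $best   = $perDc | Sort-Object Raw -Descending | Select-Object -First 1
    $failed = @($perDc | Where-Object Error)

    [pscustomobject]@{
        Identity     = $Identity
        # The raw Int64 counts 100-ns intervals since 1601-01-01 UTC; convert it to a UTC DateTime.
        LastLogonUtc = if ($best.Raw -gt 0) { [DateTime]::FromFileTimeUtc($best.Raw) } else { $null }
        SourceDC     = if ($best.Raw -gt 0) { $best.DC } else { $null }
        DCsQueried   = @($perDc).Count
        DCsFailed    = $failed.DC
        Complete     = ($failed.Count -eq 0)   # false if any DC could not be queried
    }
}

Get-TrueLastLogon -Identity 'jdoe'   # 'jdoe' is a placeholder account name
```

Treat the result as authoritative only when `Complete` is true; otherwise a domain controller that did not answer may hold a later logon.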
Whenever a user logs on, the value of the lastLogonTimestamp attribute is read from the DC. If the value is older than [current_time – msDS-LogonTimeSyncInterval], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus a random percentage of 5 days.
- Both dates are stored as a (Int64 in .Net/PowerShell) if you retrieve them programmatically.
- PowerShell also provides a LastLogonDate property. I would have preferred to provide Microsoft-specific documentation to confirm this, but most sources say and my testing confirms it is the lastLogonTimestamp converted to a l̲o̲c̲a̲l̲