Last Updated on February 10, 2025 by Satyendra
Proactively auditing a LastLogon, LastLogonTimeStamp, and LastLogonDate in Active Directory will help you understand your users’ behavior in more detail. This is essential to account management, security monitoring, and compliance.
This blog explains the importance of these attributes, the distinctions between them, and their contributions to security and operation improvements.
What are Active Directory Logon Attributes?
Active Directory logon attributes are attributes on the user object that record when a user last authenticated. They let administrators track access activity and spot potential issues, such as accounts that have not logged on for a long time.
For instance, when an organization needs to identify accounts that have been inactive for, say, 90 days, it will use LastLogonTimeStamp. Forensic investigations, on the other hand, need the exact values of LastLogon, which records when a user logged on to a specific Domain Controller (DC).
What is the LastLogon Attribute?
The LastLogon attribute stores the time of the user's most recent logon on a particular Domain Controller. It is not replicated, so every DC holds its own independent copy. It is the most precise logon data available, but to get a domain-wide picture you have to query every DC.
The main benefit of LastLogon is its accuracy. Because the value is not shared between DCs, it is cumbersome for administrators of large environments: if an organization has five DCs, each of the five keeps its own LastLogon value for a user.
Using PowerShell to Query LastLogon
To gather a user’s LastLogon from all DCs, you can use PowerShell. This script fetches and aggregates the data:
```powershell
$Username = "john.doe"
$DCs = Get-ADDomainController -Filter *
# LastLogon is a 64-bit FILETIME; 0 (or empty) means the user never logged on at that DC,
# so it is reported as $null instead of the misleading 1601-01-01 that FromFileTime(0) returns
$LastLogonResults = foreach ($DC in $DCs) {
    Get-ADUser -Server $DC.HostName -Identity $Username -Properties LastLogon |
        Select-Object @{Name="DomainController";Expression={$DC.HostName}},
            @{Name="LastLogon";Expression={ if ($_.LastLogon) { [DateTime]::FromFileTime($_.LastLogon) } else { $null } }}
}
$LastLogonResults | Sort-Object LastLogon -Descending
```
This script queries all DCs for the user’s LastLogon attribute, returns the results, and sorts them by date.
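The same idea scaled to the whole domain, as an added example rather than code from the original post: it takes the newest LastLogon across every DC for each enabled user, puts it beside the replicated LastLogonTimeStamp, and flags accounts inactive for the 90-day threshold mentioned above ($InactiveDays is an assumed value; accounts that never logged on anywhere are judged by their creation date instead).

```powershell
# Added example (not from the original post): domain-wide stale-account report built from
# the most recent LastLogon seen on any DC, compared with the replicated LastLogonTimeStamp.
Import-Module ActiveDirectory

$InactiveDays = 90                      # assumed inactivity threshold
$Cutoff = (Get-Date).AddDays(-$InactiveDays)
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Pass 1: newest LastLogon per user across all DCs (FILETIME; 0 means never logged on there)
$Newest = @{}
foreach ($DC in $DCs) {
    try {
        Get-ADUser -Server $DC -Filter 'Enabled -eq $true' -Properties LastLogon |
            ForEach-Object {
                $Ticks = [int64]$_.LastLogon
                if ($Ticks -gt 0) {
                    $Seen = [DateTime]::FromFileTime($Ticks)
                    $Sam = $_.SamAccountName
                    if (-not $Newest.ContainsKey($Sam) -or $Seen -gt $Newest[$Sam]) {
                        $Newest[$Sam] = $Seen
                    }
                }
            }
    } catch {
        # An unreachable DC must be surfaced, otherwise its users may look inactive by mistake
        Write-Warning "Could not query $DC : $_"
    }
}

# Pass 2: replicated attributes from any DC, then decide which accounts are stale
$Report = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonTimeStamp, whenCreated |
    ForEach-Object {
        $Sam = $_.SamAccountName
        $Precise = $Newest[$Sam]          # $null if no DC ever recorded a logon
        $Replicated = if ($_.LastLogonTimeStamp) { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } else { $null }
        [PSCustomObject]@{
            User               = $Sam
            NewestLastLogon    = $Precise
            LastLogonTimeStamp = $Replicated
            # Never logged on: treat as inactive only once the account itself is older than the cutoff
            Inactive           = if ($Precise) { $Precise -lt $Cutoff } else { $_.whenCreated -lt $Cutoff }
        }
    }

$Report | Where-Object Inactive | Sort-Object NewestLastLogon | Format-Table -AutoSize
```

Pass 1 pulls every enabled user from every DC, so in a large domain expect it to take a while; the DC count, not the user count, is what multiplies the work.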
What is the LastLogonTimeStamp Attribute?
The LastLogonTimeStamp attribute provides a domain-level view of logon activity. Unlike LastLogon, it is replicated to all DCs, so the same value is available on every DC for administrators to use. However, it is updated only seldom: the interval attribute defaults to 0 (unset), which means the value is refreshed only if the user's last recorded logon was 14 days ago or more.
This attribute trades precision for reduced replication traffic. It makes tracking inactive accounts easy and is useful for auditing, but because it updates so rarely it is not reliable for tracking logons precisely.
Modifying the Update Frequency
Administrators can adjust the default 14-day interval by modifying the ms-DS-Logon-Time-Sync-Interval attribute in Active Directory. For instance, to change the interval to 7 days, use the following PowerShell command:
```powershell
# Use -Replace rather than -Add: the attribute is single-valued, and -Add fails if a value is already set
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" `
    -Partition "CN=Configuration,DC=yourdomain,DC=com" `
    -Replace @{'msDS-LogonTimeSyncInterval'=7}
```
This adjustment allows more frequent updates, providing relatively current logon data while still minimizing replication traffic.
What is the LastLogonDate Attribute?
The LastLogonDate attribute is a human-friendly version of LastLogonTimeStamp: the same value, already converted into a readable date and time so it can be interpreted without extra work.
It is ideal for administrators who want an overview of user activity without converting raw timestamps. Like LastLogonTimeStamp, it reflects the value that is replicated to all DCs.
Fetching LastLogonDate with PowerShell
To retrieve the LastLogonDate for a user:
```powershell
Get-ADUser -Identity "john.doe" -Properties LastLogonDate |
    Select-Object Name, LastLogonDate
```
This command outputs the username and their last logon date in a straightforward format, aiding quick reviews.
Key Differences Between LastLogon, LastLogonTimeStamp, and LastLogonDate
| Parameter | LastLogon | LastLogonTimeStamp | LastLogonDate |
|---|---|---|---|
| Replication | Not replicated; unique to each DC | Replicated across all DCs | Derived from LastLogonTimeStamp; replicated |
| Update frequency | Updated at every logon on the specific DC | Updated only if the logon occurs after a threshold (default 14 days) since the last update | Updates in line with LastLogonTimeStamp |
| Accuracy | Most accurate for a specific DC; requires querying all DCs for domain-wide accuracy | Less precise due to infrequent updates; suitable for identifying inactive accounts | Same accuracy as LastLogonTimeStamp, but in a readable format |
Importance of Tracking Logon Attributes
- Identifying Inactive Accounts – Dormant accounts are a major security threat because attackers frequently reuse them. Logon attributes let you find accounts that are no longer in use and decide quickly to disable them.
- Detecting Suspicious Activity – Abnormal logons, especially late at night or early in the morning, may be a sign of an abused account. Attributes like LastLogon record logon details that help administrators investigate a specific event and follow up on suspected cases.
- Supporting Compliance – Regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) require that user activity be monitored. Businesses often rely on logon attributes as an important part of the audit trail to stay compliant.
- Streamlining Audits – Auditing is easier when data like LastLogonDate is centralized and readable. This helps administrators understand trends and patterns, improving efficiency and reducing complexity.
How Lepide Can Help
Lepide Active Directory Auditor provides real-time visibility into user activity and logon events across your entire domain, enabling immediate response to security concerns and anomalies. By continuously monitoring authentication activities, administrators can quickly identify and investigate suspicious patterns or unauthorized access attempts as they occur, rather than discovering them during routine audits. Lepide’s Active Directory Cleanup solution helps to reduce the attack surface by identifying and disabling dormant user accounts, minimizing the risk of unauthorized access.
Beyond real-time monitoring and threat detection, Lepide offers customizable alerting and comprehensive compliance support. Administrators can configure alerts for specific security scenarios, such as failed login attempts, off-hours access, or unusual activity patterns. The system’s detailed logging and reporting capabilities store historical data and generate audit trails that demonstrate compliance with security standards and industry regulations. By leveraging Lepide’s solutions, organizations can gain a comprehensive view of their Active Directory environment, enhance their security posture, ensure compliance, and improve overall IT efficiency.
FAQs
Q. Why isn’t the LastLogonTimeStamp updated after every logon?
To minimize replication traffic, LastLogonTimeStamp updates are designed to occur infrequently, typically every 14 days, unless configured otherwise.
Q. How can I retrieve the most accurate last logon time for a user?
Query the LastLogon attribute on all Domain Controllers and use the most recent timestamp.
Q. Can I modify the update frequency of the LastLogonTimeStamp attribute?
Yes, the update frequency can be adjusted by modifying the ms-DS-Logon-Time-Sync-Interval attribute in the domain configuration.
Q. Is LastLogonDate available by default in Active Directory?
Yes, LastLogonDate is a computed attribute available by default, providing a human-readable format of the LastLogonTimeStamp.