- The difference
- How to retrieve or view values
- Which is most accurate
- How ADAudit Plus helps
Every Active Directory (AD) object's identity is defined by a set of related fields known as AD attributes. These attributes both describe objects and shape how they operate, access resources, and behave in an organization's network. Attributes are the fundamental units of data for an AD object.
lastLogon vs. lastLogonTimestamp attributes
AD attributes store information about all objects, including user accounts and computer objects. Whenever a user logs in, the logon time is stored in two attributes: lastLogon and lastLogonTimestamp.
Both might sound the same, but technically they are two distinct attributes.
| lastLogon | lastLogonTimestamp |
|---|---|
| This attribute stores the time at which a user is authenticated by a domain controller. | This attribute stores the time when a user logs in, but only if the difference between the current logon time and the attribute's previous value exceeds a certain threshold (about 14 days by default). |
| This value is not replicated, so it can vary from one domain controller to another. | This value is replicated, so it is consistent across all domain controllers. |
Both attributes are stored in AD as large integer (64-bit, 8-byte) values. They hold Windows FILETIME values: the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Note
lastLogonTimestamp is updated based on the value of another attribute, msDS-LogonTimeSyncInterval. By default, this attribute is <not set>, which means 14 days (minus a random value of zero to five days). You may set it to a different value to control how often the timestamp is updated across your domain controllers.

How to retrieve or view values of a particular AD attribute
The Attribute Editor is a hidden tab within Active Directory Users and Computers (ADUC) that has a list of attributes and their values for an AD object.
To enable the Attribute Editor:
- Open ADUC and click View > Advanced Features.
- Right-click an AD object > Properties > Attribute Editor to view the attributes of that object.
To retrieve the lastLogonTimestamp using PowerShell commands:
```powershell
$samAccountName = "<useraccountname>"
# Returns the raw 64-bit FILETIME integer.
$user = Get-ADUser $samAccountName -Properties lastLogonTimestamp
# Convert the FILETIME value to a date-time.
$lastLogonTimestamp = [datetime]::FromFileTime($user.lastLogonTimestamp)
Write-Output $lastLogonTimestamp
```
To retrieve the lastLogon values using PowerShell commands:
Since the attribute is not replicated, the value on each domain controller differs. To identify the latest timestamp, the values from all domain controllers must be collected and compared. The PowerShell commands below retrieve the latest lastLogon value for a user.
```powershell
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
$samAccountName = "<useraccountname>"
$lastLogon = [datetime]::MinValue
foreach ($dc in $dcs) {
    try {
        # Query each DC directly; lastLogon is only current on the DC that authenticated the user.
        $user = Get-ADUser $samAccountName -Server $dc -Properties LastLogon
        $lastLogonToCheck = [datetime]::FromFileTime($user.LastLogon)
        if ($lastLogonToCheck -gt $lastLogon) {
            $lastLogon = $lastLogonToCheck
        }
    } catch {
        # ${} is required before ':' so PowerShell does not read it as a drive qualifier.
        Write-Warning "Failed to query $dc for user ${samAccountName}: $_"
        continue
    }
}
if ($lastLogon -eq [datetime]::MinValue) {
    Write-Output "No LastLogon data found for user '$samAccountName'."
} else {
    Write-Output "Most recent LastLogon for '$samAccountName': $lastLogon"
}
```
Which logon attribute is the most accurate: lastLogon or lastLogonTimestamp?
lastLogon is the more accurate and precise of the two, because it is updated on the domain controller every time it authenticates the user. It can be used to assess the logon behavior of users in your organization.
Note
lastLogonTimestamp also serves its purpose. This attribute can be used to identify inactive or stale accounts.
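The following script is an added example (not from the original article) that puts the two attributes side by side for one account: it reads msDS-LogonTimeSyncInterval from the domain head to show the expected update lag, collects the newest lastLogon across all domain controllers, compares it with the replicated lastLogonTimestamp, and applies a stale-account cutoff. It assumes the ActiveDirectory module is available and that the account name 'jdoe' and the 90-day threshold are constructed placeholders.

```powershell
# Added example: lastLogon vs. lastLogonTimestamp for one user, plus a stale check.
Import-Module ActiveDirectory

function Get-LogonTimeSyncIntervalDays {
    # msDS-LogonTimeSyncInterval is stored on the domain naming context head.
    # <not set> means the 14-day default described in the note above.
    $domain = Get-ADDomain
    $head = Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-LogonTimeSyncInterval'
    $value = $head.'msDS-LogonTimeSyncInterval'
    if ($null -eq $value) { return 14 }
    return [int]$value
}

function Compare-UserLogonAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$StaleAfterDays = 90   # constructed threshold for the stale-account check
    )
    # lastLogonTimestamp is replicated, so any DC returns the same value.
    $tsRaw = (Get-ADUser $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp
    $timestamp = if ($tsRaw) { [datetime]::FromFileTimeUtc($tsRaw) } else { $null }

    # lastLogon is not replicated: keep the newest value found on any DC.
    $newest = $null
    foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
        try {
            $u = Get-ADUser $SamAccountName -Server $dc -Properties lastLogon
            if ($u.lastLogon) {
                $t = [datetime]::FromFileTimeUtc($u.lastLogon)
                if ($null -eq $newest -or $t -gt $newest) { $newest = $t }
            }
        } catch {
            Write-Warning "Could not query ${dc}: $_"
        }
    }

    # Lag between the precise value and the replicated one; normally within the sync interval.
    $lag = if ($timestamp -and $newest) { [math]::Round(($newest - $timestamp).TotalDays, 1) } else { $null }
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)
    [pscustomobject]@{
        SamAccountName        = $SamAccountName
        LastLogonTimestampUtc = $timestamp
        NewestLastLogonUtc    = $newest
        LagDays               = $lag
        ExpectedMaxLagDays    = Get-LogonTimeSyncIntervalDays
        StaleByTimestamp      = ($null -eq $timestamp) -or ($timestamp -lt $cutoff)
    }
}

Compare-UserLogonAttributes -SamAccountName 'jdoe' | Format-List
```

A LagDays value larger than ExpectedMaxLagDays usually means the user has not logged on since the last replicated update, which is exactly the case where lastLogonTimestamp alone would misjudge activity.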
A one-stop solution for all your IT auditing, compliance, and security needs
ADAudit Plus provides capabilities like change auditing, logon monitoring, file tracking, compliance reporting, attack surface analysis, response automation, and backup and recovery for diverse IT systems.
How ADAudit Plus helps in monitoring user logon activity
ManageEngine ADAudit Plus provides a single pane of reporting for all AD changes. It provides real-time, UBA-driven insights to detect suspicious and risky changes. With ADAudit Plus, you can gain full visibility into object modifications, logons, account lockouts, permission changes, file activity, and more.
With ADAudit Plus, you can:
- Track the logon history of all users based on domain controllers in your AD environment with real-time user logon tracking reports.
- Identify anomalies in user logon behavior, such as logons at irregular times using user behavior analytics.
- Monitor your employees' productivity, including your administrators, using our employee time tracking reports.
- Track real-time changes made to your user attributes, along with their new and old values, using object attribute changes reports.
- Adequately satisfy the regulatory auditing requirements of the GDPR and HIPAA with compliance audit reports.
- Detect over 25 common AD attacks—such as Kerberoasting, brute-force attacks, etc.—using the attack surface analyzer.
Try all these features and more for free with a 30-day trial. Or hop on a call with our technical experts to learn how ADAudit Plus can help.
