
Difference between Active Directory LastLogon and lastLogonTimestamp

In an organization, Active Directory holds an account for every user. Over time employees leave, and their accounts often remain in Active Directory.

Such unused or stale accounts take up space in the Active Directory database and are a security risk as well: nobody is watching them, so a compromised or guessed password on one of them is unlikely to be noticed. As an Active Directory administrator, you need to find these inactive accounts and remove them.

Active Directory stores two attributes, lastLogon and lastLogonTimestamp, that record the time of a user's last logon, and they behave very differently.

In this blog post, we will see the difference between active directory lastlogon and lastlogontimestamp.

  • lastLogon: When a user logs on, the lastLogon attribute is updated only on the domain controller that performed the authentication. The attribute is not replicated; every domain controller in the domain keeps its own copy.

This is the most precise source for the latest logon of an AD user. Because the value is specific to each domain controller, you must query every domain controller in the domain to get an accurate answer; reading it from a single DC only tells you the last time that DC authenticated the user.

The largest lastLogon value retrieved across all domain controllers is the true last logon time of the user account. The value is stored as a 64-bit FILETIME (100-nanosecond intervals since 1 January 1601 UTC); a value of 0 means the account has never been authenticated by that DC.

  • lastLogonTimestamp: lastLogonTimestamp is a replicated attribute (available since the Windows Server 2003 domain functional level). It is not updated every time the user logs on.

The attribute is updated only when its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute. By default msDS-LogonTimeSyncInterval is not set, which means an interval of 14 days. As a result lastLogonTimestamp can lag the real last logon by up to 14 days: it is reliable for finding accounts that have not been used for months, but not for answering who logged on this week.

  • LastLogonDate: LastLogonDate is not an attribute in the directory. It is a property that the ActiveDirectory PowerShell module computes by converting the replicated lastLogonTimestamp value (a FILETIME integer) into a DateTime. It gives you a simple way to filter and sort by date and retrieve a list of accounts, with the same up-to-14-day lag as lastLogonTimestamp.
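The following PowerShell is an added example, not code from the original post. It puts the two descriptions above to work: Get-TrueLastLogon queries lastLogon on every domain controller and keeps the largest value (the lastLogon procedure), and Get-StaleUser uses the replicated lastLogonTimestamp with a threshold comfortably above its 14-day lag (the lastLogonTimestamp/LastLogonDate point). It assumes the RSAT ActiveDirectory module is installed, that the caller is a domain-joined account allowed to read user attributes on every DC, and that the function names, the 90-day threshold and the sample account name are illustrative choices.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and read access to every domain controller. Function names and the
# 90-day threshold are assumptions for the demo.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    # lastLogon is not replicated, so ask every DC and keep the largest value.
    # A DC that does not answer is reported so the caller knows the result
    # may be incomplete (the user could have logged on against that DC).
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $latest   = 0L      # FILETIME ticks; 0 means "never" on that DC
    $latestDC = $null

    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon -ErrorAction Stop
            if ([int64]$u.lastLogon -gt $latest) {
                $latest   = [int64]$u.lastLogon
                $latestDC = $dc
            }
        } catch {
            Write-Warning "Could not query $dc for $SamAccountName : $($_.Exception.Message)"
        }
    }

    # The replicated value, for comparison; any DC returns the same number
    # once replication has converged.
    $rep = Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        LastLogon          = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
        LastLogonDC        = $latestDC
        LastLogonTimestamp = if ($rep.lastLogonTimestamp) { [DateTime]::FromFileTime([int64]$rep.lastLogonTimestamp) } else { $null }
    }
}

function Get-StaleUser {
    # lastLogonTimestamp may be up to 14 days behind the real last logon, so
    # the threshold must be well above that. Accounts that have never logged
    # on have no lastLogonTimestamp at all and are treated as stale too, but
    # accounts created inside the window are skipped: they had no chance yet.
    param([int]$Days = 90)

    $cutoffDate = (Get-Date).AddDays(-$Days)
    $cutoffTime = $cutoffDate.ToFileTime()

    Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, whenCreated |
        Where-Object {
            $_.whenCreated -lt $cutoffDate -and
            (-not $_.lastLogonTimestamp -or [int64]$_.lastLogonTimestamp -lt $cutoffTime)
        } |
        Select-Object SamAccountName, Enabled, whenCreated,
            @{ n = 'LastLogonDate'; e = {
                if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime([int64]$_.lastLogonTimestamp) } } }
}

# Usage (account name is a placeholder):
Get-TrueLastLogon -SamAccountName 'jdoe'
Get-StaleUser -Days 90 | Sort-Object LastLogonDate | Format-Table -AutoSize
```

Use Get-TrueLastLogon when the exact time matters (an investigation, or checking whether a supposedly unused account was touched last week); it costs one LDAP query per domain controller. Get-StaleUser is the cheap, replication-friendly query for routine cleanup, and the built-in Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00 relies on the same replicated attribute with the same 14-day caveat.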


Conclusion:

I hope you will find the difference between lastlogon and lastlogontimestamp useful.

Using these Active Directory attributes from PowerShell helps you find AD user accounts that have not been used for a long time, so you can disable them first and remove them after a grace period, once you are sure nothing depends on them.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.