
Difference between Active Directory LastLogon and lastLogonTimestamp

In an organization, Active Directory contains an account for every user. Over time employees leave the organization, and their accounts sometimes remain in Active Directory.

Such unused or stale accounts take up space in the Active Directory database and pose a security risk as well. As an Active Directory admin, you need to find and remove these inactive or stale accounts.

Active Directory provides two attributes, lastLogon and lastLogonTimestamp, that store a user's last logon time, and both can be read with PowerShell.

In this blog post, we will look at the difference between Active Directory lastLogon and lastLogonTimestamp.

  • lastLogon: When a user logs on, the lastLogon attribute is updated only on the domain controller that performed the authentication. The attribute is not replicated; each domain controller in the domain maintains its own value.

This is very useful for finding the latest AD user logon. Because the lastLogon value is specific to a domain controller, you must retrieve it from every domain controller to get an accurate value.

The largest lastLogon value retrieved is the true last logon time for the AD user account.

  • lastLogonTimestamp: lastLogonTimestamp is a replicated attribute. Its value is not updated every time the user logs on.

The attribute is updated only when its current value is older than the current time minus the value of the ms-DS-Logon-Time-Sync-Interval attribute. By default this setting is ‘NOT SET’, which means an interval of 14 days.

  • lastLogonDate: lastLogonDate is a converted version of lastLogonTimestamp; it is a value calculated from the replicated attribute. It gives you a simple way to query by date and retrieve a list of accounts.
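The following script is an added example, not code from the original post. It reads lastLogon from every domain controller for one account, keeps the largest value as the true last logon, and shows the replicated lastLogonTimestamp and lastLogonDate beside it. It assumes the RSAT ActiveDirectory module is installed and that the account name and the 90-day stale threshold are placeholders you will replace.

```powershell
# Added example (not from the original post): compare the per-DC lastLogon
# with the replicated lastLogonTimestamp / lastLogonDate for one account.
# Requires the ActiveDirectory module and read rights on every DC.
# $SamAccountName is a placeholder; substitute a real account.
param([string]$SamAccountName = 'jdoe')

Import-Module ActiveDirectory

# lastLogon and lastLogonTimestamp are stored as 64-bit FILETIME integers;
# 0 or $null means the attribute has never been set on that DC.
function Convert-FileTime {
    param([long]$Value)
    if (-not $Value) { return $null }
    return [DateTime]::FromFileTime($Value)
}

$latest = $null
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp, lastLogonDate
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
        continue
    }
    $dcLastLogon = Convert-FileTime $u.lastLogon
    [PSCustomObject]@{
        DomainController   = $dc.HostName
        LastLogon          = $dcLastLogon                             # per-DC, not replicated
        LastLogonTimestamp = Convert-FileTime $u.lastLogonTimestamp   # replicated, up to 14 days old
        LastLogonDate      = $u.lastLogonDate                         # module's conversion of the above
    }
    # Keep the largest per-DC value: that is the account's true last logon.
    if ($dcLastLogon -and ($null -eq $latest -or $dcLastLogon -gt $latest)) {
        $latest = $dcLastLogon
    }
}
"True last logon for ${SamAccountName}: $latest"

# lastLogonDate gives a simple replicated date for listing candidate stale accounts.
# The 90-day cutoff is an assumption; confirm against lastLogon before disabling.
# Accounts that never logged on have no lastLogonDate and are skipped here.
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonDate |
    Where-Object { $_.lastLogonDate -and $_.lastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, lastLogonDate
```

Because lastLogonTimestamp can lag real activity by up to the sync interval, treat the stale list as candidates and verify each with the per-DC lastLogon loop before acting.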


Conclusion:

I hope you find this explanation of the difference between lastLogon and lastLogonTimestamp useful.

Using these Active Directory attributes with PowerShell, you can find AD user accounts that have not been used for a long time, disable them, and then remove them.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.
