How to Generate True Last Logon Security Reports in Active Directory

As an IT administrator you may need to determine the last time a user used their Active Directory domain user account to logon. For instance, last logon values are required to generate and furnish a list of stale domain user accounts.


Active Directory stores the last logon time of a domain user account in a specific attribute on the user object called lastLogon, but this is not a replicated attribute, so IT administrators need to query each DC in the domain for the local lastLogon value on the user's account, then compare each of these values to determine the latest one, and report that as the user's true last logon time. The actual last user logon value is also commonly referred to as True Last Logon. There are two steps to determining the true last logon time of a domain user account. The first step involves obtaining the value from each DC in the domain, and the second step involves comparing these values (taking into account Integer8 syntax) to arrive at the true last logon value for the user.

In order to read the lastLogon attribute, you must have appropriate Active Directory security permissions as well, because without it you will not be able to read the value of this attribute. Fortunately, the security descriptor is replicated so you don't need to worry about the permissions being replicated.


There are many Active Directory Reporting Tools that can help IT administrators automatically generate True Last Logon reports. Some of these tools are also available in Free Editions, and can help IT admins instantly fulfill their Active Directory security reporting needs for audit and compliance.


True Last Logon reports are essential for security, and can help organizations identity and clean up stale/inactive domain user accounts in their Active Directory. Automated tools provide an advantage over many queries or over semi-automated PowerShell scripts.

No comments:

Post a Comment