Active Directory True Last Logon based on LastLogon

If you are an IT administrator and need to determine the last time a user used their Active Directory domain account to log on, commonly referred to as the True Last Logon, you need to read the lastLogon attribute of that user account (computer accounts carry the same attribute).


The problem, however, is that lastLogon is not a replicated attribute: each Domain Controller stores only the time of the last logon it processed itself. To determine the true value you therefore have to query every DC in the domain for its local lastLogon value on the account, compare those values, and report the latest one as the user's true last logon time. (The replicated lastLogonTimestamp attribute is an alternative, but it is only updated when the stored value is more than 9 to 14 days old, so it is good enough for finding stale accounts and not for an exact last logon time.)


Thus there are two steps to determining the True Last Logon Time of a domain user account. The first step is obtaining the value from each DC in the domain. The second step is comparing these values, taking into account that the attribute uses Integer8 syntax (a 64-bit FILETIME, i.e. the number of 100-nanosecond intervals since 1 January 1601 UTC, which is zero or absent on a DC the user has never authenticated against), and converting the largest one into a readable date to arrive at the true last logon value for the user.
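Both steps carried out in PowerShell, as an added example rather than code from the original post. It assumes the RSAT ActiveDirectory module is installed, that the caller can read user objects on every DC in the domain, and the account name 'jdoe' is a placeholder. A DC that cannot be reached is reported with a warning and skipped, so in that case the result is only a lower bound.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read user objects on every DC in the domain.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    # lastLogon is Integer8 (a 64-bit FILETIME: 100-nanosecond ticks since 1601-01-01 UTC),
    # so the raw values returned by different DCs can be compared directly as integers.
    $latest   = [int64]0
    $latestDC = $null

    $perDC = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                               -Properties lastLogon -ErrorAction Stop
        } catch {
            # An unreachable DC makes the result a lower bound only; say so instead of hiding it.
            Write-Warning "Skipping $($dc.HostName): $($_.Exception.Message)"
            continue
        }

        # A missing or zero value means the user has never authenticated against this DC.
        $raw = [int64]($user.lastLogon)

        [pscustomobject]@{
            DomainController = $dc.HostName
            LastLogonRaw     = $raw
            LastLogon        = if ($raw -gt 0) { [DateTime]::FromFileTime($raw) } else { $null }
        }

        if ($raw -gt $latest) {
            $latest   = $raw
            $latestDC = $dc.HostName
        }
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        TrueLastLogon  = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
        ReportedBy     = $latestDC
        PerDC          = $perDC
    }
}

# Usage: report one account's true last logon plus the per-DC values it was derived from.
$report = Get-TrueLastLogon -SamAccountName 'jdoe'
$report | Select-Object SamAccountName, TrueLastLogon, ReportedBy
$report.PerDC | Sort-Object LastLogonRaw -Descending | Format-Table -AutoSize
```

[DateTime]::FromFileTime converts to local time; use FromFileTimeUtc if the report is compared across time zones. The comparison is done on the raw Integer8 values rather than on converted dates, which avoids any rounding or time zone differences between DCs.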


You can write your own script to determine the True Last Logon value of user accounts, use third-party scripts (which are often untested or unreliable), or use third-party tools that generate Last Logon reports.


For additional information, you can read this helpful article on True Last Logon over at the Active Directory Security dot com website.
