To get the time of last logon of an account in the Active Directory of a Windows domain, I'm querying the LastLogon attribute on every Domain Controller and the LastLogonTimestamp on one domain controller. For the specific user account that I'm currently looking into, there are LastLogon attributes with values >= 180d, which makes sense, since the user account should not have been used recently. But the LastLogonTimestamp has a value of about 12h. I read the replication requirements of LastLogonTimestamp, and I also read up on LastLogon and that it does not get replicated, which is why I query the value from every Domain Controller.

Can someone explain to me how it is possible for the LastLogonTimestamp to be more recent than every single LastLogon value from every Domain Controller? What am I missing?

1 Answer

LastLogonTimeStamp can be updated without an actual logon from the account, due to the Kerberos impersonation model.

How LastLogonTimeStamp is Updated with Kerberos S4u2Self

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self/ba-p/257135

LastLogonTimeStamp is provided as a convenience. For organizations that have hundreds of DCs and a disjointed network topology, it may not be possible to query every DC directly for LastLogon. However, if you do have access to every DC and are querying LastLogon, you don't need LastLogonTimeStamp.

Greg Askew
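The comparison the question describes, written out as an added PowerShell example (this is not code from the answer above or from the linked article). It reads lastLogon from every DC, lastLogonTimestamp from one, converts both FILETIME integers, and flags the pattern from the question: a replicated lastLogonTimestamp newer than every lastLogon, which is what an S4U2Self request on the account's behalf produces. It assumes the RSAT ActiveDirectory module, a domain-joined session that can query all DCs, and the helper name ConvertFrom-AdFileTime, which is defined here and is not an AD cmdlet.

```powershell
# Added example (not from the original answer or the linked article).
# Assumes: RSAT ActiveDirectory module; a session that can LDAP-query every DC.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)

Import-Module ActiveDirectory

# Both attributes are 64-bit FILETIME integers; 0 or $null means "never".
# Hypothetical helper name, defined here, not part of the AD module.
function ConvertFrom-AdFileTime {
    param($Value)
    if (-not $Value -or $Value -eq 0) { return $null }
    return [DateTime]::FromFileTime([Int64]$Value)
}

$dcs = Get-ADDomainController -Filter *

# lastLogon is not replicated, so it has to be read from every DC individually.
$lastLogons = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon -ErrorAction Stop
        [pscustomobject]@{
            DC        = $dc.HostName
            LastLogon = ConvertFrom-AdFileTime $u.lastLogon
        }
    } catch {
        # An unreachable DC may hold the newest lastLogon; treat the result as incomplete.
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

# lastLogonTimestamp is replicated, so one DC is enough.
$replicated = Get-ADUser -Identity $SamAccountName -Server $dcs[0].HostName `
                         -Properties lastLogonTimestamp
$lastLogonTimestamp = ConvertFrom-AdFileTime $replicated.lastLogonTimestamp

$lastLogons | Sort-Object LastLogon -Descending | Format-Table -AutoSize

$newest = $lastLogons | Where-Object { $_.LastLogon } |
          Sort-Object LastLogon -Descending | Select-Object -First 1

"lastLogonTimestamp (replicated): $lastLogonTimestamp"
"newest lastLogon across $(@($lastLogons).Count) of $(@($dcs).Count) DCs: $($newest.LastLogon) on $($newest.DC)"

if ($lastLogonTimestamp -and (-not $newest -or $lastLogonTimestamp -gt $newest.LastLogon)) {
    Write-Warning ("lastLogonTimestamp is newer than every lastLogon value. " +
        "lastLogon only moves on an actual authentication; lastLogonTimestamp can also be " +
        "bumped by a Kerberos S4U2Self request made on the account's behalf.")
}
```

Two caveats when reading the output: a DC that failed to answer may hold a newer lastLogon than any DC that did, so the warning is only meaningful when every DC was queried; and lastLogonTimestamp is only rewritten when the stored value is older than the msDS-LogonTimeSyncInterval window (14 days by default, minus a random offset), so it is coarse by design and, as the answer says, a convenience rather than an authoritative logon record.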