Interpreting LastLogon vs. LastLogonTimestamp

Johannes B. Latzel

7/29/23, 7:16 AM

To get the time of last logon of an account in an Active Directory of a Windows domain im querying the LastLogon attribute on every Domain Controller and the LastLogonTimestamp on one domain controller. For the specific user account that im currently looking into there are LastLogon attributes with values >= 180d which makes sense since the user account should not have been used recently. But the LastLogonTimestamp has a value of about 12h. I read the replication requirements of LastLogonTimestamp and i also read up on LastLogon and that it does not get replicated which is why I query the value from every Domain Controller.

Can someone explain to me how it is possible for the LastLogonTimestamp to be more recent than every single LastLogon value from every Domain Controller? What am I missing?

215

0 + 0

active-directory

domain-controller

timestamp

Score:3

Server

Greg Askew

7/29/23, 10:55 AM

LastLogonTimeStamp can be updated without an actual logon from the account, due to the Kerberos impersonation model.

How LastLogonTimeStamp is Updated with Kerberos S4u2Self

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self/ba-p/257135

LastLogonTimeStamp is provided as a convenience. For organizations that have hundreds of DC's and a disjointed network topology, it may not be possible to query every DC directly for LastLogon. However, if you do have access to every DC and are querying LastLogon, you don't need LastLogonTimeStamp.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Interpreting LastLogon vs. LastLogonTimestamp

TH: การตีความ LastLogon กับ LastLogonTimestamp

RO: Interpretarea LastLogon vs. LastLogonTimestamp

RU: Интерпретация LastLogon и LastLogonTimestamp

VI: Phiên dịch LastLogon so với LastLogonTimestamp

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.