I'm using lastLogonTimeStamp to track the user's last logon time, as in the following code:
# Search the current domain for user objects
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
$ADSearch.SearchRoot = "LDAP://$Domain"
$ADSearch.SearchScope = "subtree"
$ADSearch.PageSize = 100
$ADSearch.Filter = "(objectClass=user)"
# Attributes to return for each result
$properties = @("distinguishedName",
    "sAMAccountName",
    "mail",
    "lastLogonTimeStamp")
foreach ($pro in $properties) {
    # Add() returns the new index; discard it so it is not written to the output
    [void]$ADSearch.PropertiesToLoad.Add($pro)
}
$userObjects = $ADSearch.FindAll()
foreach ($user in $userObjects) {
    $logon = $user.Properties.Item("lastLogonTimeStamp")[0]
    # Convert the FILETIME value (100-ns intervals since 1601-01-01 UTC) to a date
    $lastLogon = [datetime]::FromFileTime($logon)
    $lastLogon = $lastLogon.ToString("yyyy/MM/dd")
    $lastLogon
}
I've gotten so far:
1601/01/01
1601/01/01
3/12/2012
1601/01/01
3/19/2015
This is not the first time I'm bloody confused about the 1601/01/01 value. I've also read the MS document about this value, and for me it's nonsense; it does not describe much what the purpose of it is. Not only lastLogonTimeStamp has this output; many other attributes return this as well. So my questions are:
Administrators can use the lastLogontimeStamp attribute to determine if a user or computer account has recently logged onto the domain. Using this information administrators can then review the accounts identified and determine if they are still needed and take appropriate action.
The main difference between lastLogon and lastLogonTimeStamp is that lastLogon is updated on the Domain Controller after the user's interactive logon, while lastLogonTimeStamp is replicated to all Domain Controllers in the AD forest; the default value is 14 days.
lastLogon is precise, but it shows when the user logged in to that specific DC and is not replicated to others. Basically, lastLogonTimeStamp is great for your purpose of finding stale objects in AD, but it is not very precise.
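Added example (not part of the original question or answers): the conversion from the question with the unset case handled, plus a staleness check that allows for the 14-day figure mentioned above. A missing or zero attribute converts to the FILETIME epoch, which is where 1601/01/01 comes from; the function names, the 90-day threshold, the assumption that the stored value can trail the real logon by up to 14 days, and the sample accounts are all constructed for illustration.

```powershell
# Added example: sample values below are constructed, not real directory data.
function Convert-LogonTimestamp {
    param($RawValue)   # raw lastLogonTimeStamp: $null, 0, or a FILETIME Int64
    # $null (attribute not set) or 0 means no logon is recorded. Converting it
    # anyway yields the FILETIME epoch, 1601-01-01, instead of a real date.
    if ($null -eq $RawValue -or [int64]$RawValue -le 0) { return $null }
    return [datetime]::FromFileTimeUtc([int64]$RawValue)
}

function Get-StaleAccountReport {
    param(
        [object[]]$Accounts,
        [datetime]$Now = [datetime]::UtcNow,
        [int]$InactiveDays = 90,          # assumed review threshold
        [int]$ReplicationLagDays = 14     # the 14-day default mentioned above
    )
    # Assumption: the stored value may be up to $ReplicationLagDays older than
    # the real last logon, so widen the cutoff to avoid flagging active users.
    $cutoff = $Now.AddDays(-($InactiveDays + $ReplicationLagDays))
    foreach ($a in $Accounts) {
        $last = Convert-LogonTimestamp -RawValue $a.lastLogonTimeStamp
        if ($null -eq $last)       { $status = 'NoLogonRecorded' }
        elseif ($last -lt $cutoff) { $status = 'Stale' }
        else                       { $status = 'Active' }
        $shown = ''
        if ($null -ne $last) { $shown = $last.ToString('yyyy/MM/dd') }
        [pscustomobject]@{
            Account      = $a.sAMAccountName
            LastLogonUtc = $shown
            Status       = $status
        }
    }
}

# Constructed sample input with a fixed "now" so the result is repeatable.
$now = [datetime]::new(2015, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice';   lastLogonTimeStamp = $now.AddDays(-10).ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'bob';     lastLogonTimeStamp = $now.AddDays(-95).ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'carol';   lastLogonTimeStamp = $now.AddDays(-400).ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'svc-new'; lastLogonTimeStamp = $null }
    [pscustomobject]@{ sAMAccountName = 'svc-old'; lastLogonTimeStamp = 0 }
)
Get-StaleAccountReport -Accounts $sample -Now $now | Format-Table -AutoSize
```

Accounts reported as NoLogonRecorded need a separate check (for example against their creation date) before cleanup, since an empty value alone does not show whether the account is unused or simply new.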
There is a known bug with the "last logon timestamp" and Windows 2016 domain controllers.
LDAP simple binds are not updating the last logon timestamp like previous OSes (2012, 2008). Be careful.
I spent 2 months with MS on this. A patch will be released eventually... but for now it's not fixed.