
Purpose

Active Directory accounts become redundant over time; removing them keeps the directory clean and maintains a good security posture.

Which attribute can be trusted?

There are two attributes to choose from; which one you use depends on whether your requirement can tolerate the delay inherent in lastLogonTimestamp.

  • lastlogontimestamp – Replicated to all domain controllers, but can be up to 14 days behind the real last logon
  • lastlogon – Not replicated; must be queried on each domain controller separately

The ms-DS-Logon-Time-Sync-Interval value on the domain's default naming context controls how often the value is refreshed and replicated in AD. It is blank by default, and blank means 14 days; a randomization of 5% is also applied.
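The following is an added example, not code from the original post, showing how a cleanup report built on the replicated attribute should allow for that lag. It assumes the ActiveDirectory PowerShell module, that the interval attribute's LDAP display name is msDS-LogonTimeSyncInterval, and a stale threshold of 90 days ($StaleDays is a chosen value, not from the post). It only reports accounts; it does not disable or delete anything.

```powershell
# Added example: report enabled users whose replicated lastLogonTimestamp is
# older than a cutoff, pushed back by the replication lag so that an account
# that simply has not replicated its timestamp yet is not flagged as stale.
Import-Module ActiveDirectory

$StaleDays = 90   # assumed policy value, not from the original post

# Read the effective sync interval from the domain naming context.
# A blank value means the default of 14 days.
$domainDN = (Get-ADDomain).DistinguishedName
$interval = (Get-ADObject -Identity $domainDN -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
if (-not $interval) { $interval = 14 }

# Worst case the stored timestamp lags real activity by $interval days,
# so the cutoff is StaleDays + interval.
$cutoff = (Get-Date).AddDays(-($StaleDays + $interval))

Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
    Where-Object {
        # Accounts that never logged on carry no lastLogonTimestamp at all;
        # judge those by creation date instead of silently skipping them.
        $last = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)
        } else {
            $_.whenCreated
        }
        $last -lt $cutoff
    } |
    Select-Object SamAccountName, whenCreated,
        @{ Name = 'LastLogonTimestamp'
           Expression = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } } |
    Sort-Object LastLogonTimestamp
```

Before acting on the report, confirm a candidate's lastLogon on every domain controller (as in the per-DC query below), since lastLogonTimestamp alone can understate recent activity by the full interval.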

  • Run this to find the lastlogon of a user on every domain controller (lastlogon is not replicated, so each DC is queried in turn and the FILETIME value is converted with w32tm /ntte):

# Query each DC for the non-replicated lastLogon of one user and print it per DC
foreach ($DC in (Get-ADDomainController -Filter * | Sort-Object Name).Name) {
    $user = Get-ADUser UserSamAccountName -Properties lastLogon -Server $DC | Select-Object Name, lastLogon
    # w32tm /ntte converts the 64-bit FILETIME integer to a readable date
    Write-Output "$DC - $(w32tm /ntte $user.lastLogon)"
}

How does AD know when to update this attribute?

  • When the user logs on, the DC reads the current value of lastlogontimestamp.
  • A comparison value is generated: 14 days minus a random percentage of up to 5% (this yields a threshold slightly under 14 days for updating).
  • The previous timestamp is subtracted from the current time.
  • If the time since the last timestamp is greater than the comparison value, the attribute is updated (it has been too long, so it updates and the new value replicates).
  • If the time difference is still less than the comparison value, it has not been long enough and the attribute is not updated yet.
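As an added example (not from the original post), the function below reproduces that decision so the threshold behaviour can be checked against concrete dates. The function name, parameter names and the sample dates are constructed for illustration; the 14-day interval and the 0–5% randomization are the values the post describes.

```powershell
# Added example: simulate whether a logon refreshes lastLogonTimestamp.
function Test-LastLogonTimestampUpdate {
    param(
        [Parameter(Mandatory)] [DateTime] $PreviousTimestamp,   # value currently stored in AD
        [DateTime] $LogonTime = (Get-Date),                      # time of the logon being evaluated
        [int] $SyncIntervalDays = 14,                            # msDS-LogonTimeSyncInterval; blank means 14
        [int] $RandomPercent = (Get-Random -Minimum 0 -Maximum 6) # DC picks 0..5 percent
    )

    # Comparison value: the interval reduced by the random percentage,
    # e.g. 14 days minus 5% of 14 = 13.3 days.
    $threshold = $SyncIntervalDays - ($SyncIntervalDays * $RandomPercent / 100)

    # Age of the stored timestamp relative to this logon.
    $age = ($LogonTime - $PreviousTimestamp).TotalDays

    [PSCustomObject]@{
        PreviousTimestamp = $PreviousTimestamp
        AgeDays           = [Math]::Round($age, 2)
        ThresholdDays     = $threshold
        WillUpdate        = ($age -gt $threshold)   # only then does the value change and replicate
    }
}

# Constructed sample values: a logon at a fixed time, with the worst-case 5% reduction.
$logon = Get-Date '2024-03-01 09:00'

# Stored value is 10 days old: 10 < 13.3, so no update (the attribute stays stale).
Test-LastLogonTimestampUpdate -PreviousTimestamp $logon.AddDays(-10) -LogonTime $logon -RandomPercent 5

# Stored value is 13.5 days old: 13.5 > 13.3, so the attribute is refreshed.
Test-LastLogonTimestampUpdate -PreviousTimestamp $logon.AddDays(-13.5) -LogonTime $logon -RandomPercent 5
```

The practical consequence is the one the post draws: a user who logs on daily can still show a lastlogontimestamp almost 14 days old, so a cleanup rule must allow for that window rather than treating the attribute as a precise last-logon time.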

Reference Links

https://docs.microsoft.com/en-us/archive/blogs/askds/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works

https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx