“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”

“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”

  • Comments 31
  • Likes

Warren here. In Windows Server 2003 we introduced the lastLogontimeStamp attribute. Administrators can use the lastLogontimeStamp attribute to determine if a user or computer account has recently logged onto the domain. Using this information administrators can then review the accounts identified and determine if they are still needed and take appropriate action.

Intended Use

It is important to note that the intended purpose of the lastLogontimeStamp attribute to help identify inactive computer and user accounts. The lastLogon attribute is not designed to provide real time logon information. With default settings in place the lastLogontimeStamp will be 9-14 days behind the current date.

If you are looking for more “real-time” logon tracking you will need to query the Security Event log on your DC’s for the desired logon events i.e. 528 –Windows XP\2003 and earlier or 4624 Windows Vista\2008 . See this blog post by Eric Fitzgerald for more info. (I think he knows something about auditing)

IMO your best bet for near real-time data is to use an event log collection service to gather all domain controller security event logs to a centralized database. You can then query a single database for the desired logon events. Microsoft’s solution for security event log collection is Audit Collection Services. There are many 3rd party solutions as well.

How it worked in Windows 2000

Prior to Windows Server 2003 administrators had to query the lastLogon attribute to determine the most recent logon of user or computer account. This process was time consuming as the lastLogon attribute is updated only on the DC that validates the logon request. The lastLogon attribute is not replicated. So in the past to determine the most recent logon of a user or computer account the lastLogon attribute had to be queried on all domain controllers (at least in concept) and then the most recent date for lastLogon had to be determined from all the results returned. In Windows 2003 and higher lastLogon is still has the same behavior. It is updated only on the validating DC and is not replicated.

How it works in Windows Server 2003 and later

In contrast the lastLogontimeStamp attribute is replicated so all DC's have the same value for the attribute (after replication convergence). Therefore you can query a single DC to find all the users or all the computers that have not logged in within a certain time.

Requirements

Your Windows domain must be at Windows 2003 Domain Functional Level for updates to the llastLogontimeStamp to occur.

Logon types and that will trigger an update to the lastLogontimeStamp attribute.

The lastLogontimeStamp attribute is not updated with all logon types or at every logon. The good news is that the logon types that admins usually care about will update the attribute and often enough to accomplish its task of identifying inactive accounts.

Interactive, Network, and Service logons will update the lastLogontimeStamp. So if a user logs on interactively, browses a network share, access the email server, runs an LDAP query etc… the lastLogontimeStamp attribute will updated if the right condition is met. (The conditions are discussed below in the section Update and Replication of lastLogontimeStamp.

As of Windows 2003 SP1 these logon types will NOT update lastLogontimeStamp

  • Certificate mapping through Microsoft Internet Information Services (IIS).
  • Microsoft .NET Passport mapping through IIS.

[Update June 19, 2009 - removed one item from the list above that is under debate in a repro currently. Will update when we have more word] 

====================================================

Update and Replication of lastLogontimeStamp

First become acquainted with the ms-DS-Logon-Time-Sync-Interval attribute. It is an attribute of the domain NC and controls the granularity (in days) with which the lastLogontimeStamp attribute is updated. The default value is 14 and is set in code. Meaning that if you look at this attribute in ADSIEDIT.MSC and you see it as "Not Set" don't be alarmed. This just means the system is using the default value of 14.

The lastLogontimeStamp attribute is not updated every time a user or computer logs on to the domain. The decision to update the value is based on the current date minus the value of the (ms-DS-Logon-Time-Sync-Interval attribute minus a random percentage of 5). If the result is equal to or greater than lastLogontimeStamp the attribute is updated. There are no special considerations for replication of lastLogontimeStamp. If the attribute is updated it is replicated like any other attribute update. This is not urgent replication

Walkthrough of a lastLogontimeStampUpdate update

1. (Assuming the value of the ms-DS-Logon-Time-Sync-Interval is at the default of 14)

2. User logs on to the domain

3. The lastLogontimeStamp attribute value of the user is retrieved

4. 14 - (Random percentage of 5) = X

5. Current date - value of lastLogontimeStamp = Y

6. X ≤ Y - update lastLognTimeStamp

7. X > Y - do not update lastLogontimeStamp

Why the Randomization?

This randomization is done to prevent an update of the lastLogontimeStamp attribute from many accounts at the same time causing a high replication load on the DC's. Remember the purpose of the lastLogontimeStamp attribute is locate inactive accounts not provide real-time logon information.

Controlling the update frequency of lastLogontimeStamp.

It is possible to change the frequency of updates to the lastLogonTime stamp or turn it off completely if desired. If you need a different time interval you will need to adjust the value of the msDS-LogonTimeSyncInterval attribute to a value between 5-100,000. Yes that’s right: the max value is 100,000 days… Or if you prefer ~280 years... And the max value was set in code not in the schema. (I guess the dev was counting on medical science to solve that pesky aging problem.)

In my experience the default settings can accommodate almost anyone and there is no need to change the update interval. Most customers I have talked to start considering accounts potentially inactive at the 30 day or higher mark of inactivity.

Note: If the msDS-LogonTimeSyncInterval is less than 5 days, the randomization is not put into effect.

How do I turn this thing off?

If you want to disable the lastLogontimeStamp feature set the msDS-LogonTimeSyncInterval attribute to 0.

I personally have never spoken with anyone that really had a business need to change how often lastLogontimeStamp needs to be updated. Once it was explained how the update process works and it was proven that the attribute is current and replicated to all DC’s that was all that was needed. If really think you need a more recent timestamp than 9-14 days for inactive account detection I suggest you make small changes and monitor DC workloads. This is especially true in large environments.

=======================================

Clearing up the confusion - Verifying that LastLogontimeStamp is in sync across all DCs in the domain.

Many times customers will be concerned about what their tools are displaying to them (usually a very old date) as the lastLogontimeStamp of a user compared to what they know to be a more accurate date. This is almost always due to the admin using a tool that queries the lastLogon attribute instead of the lastLogontimeStamp attribute.

For example acctinfo.dll that is included with the Account Lockout tools will display the lastLogon attribute data not the lastLogontimeStamp data. In some cases the date the tool reports may be months or years out of date or display nothing at all. This is because they are querying the lastLogon attribute and the user they are looking up has either never been authenticated by the reference DC (in the case of null) or has not been authenticated by the reference DC in a very long time.

How to tell if lastLogontimeStamp is in sync

To verify if the lastLogonTime stamp is being updated and replicated as expected you can use repadmin.exe with the showattr switch. Some examples are given below. These examples are intended to demonstrate that lastLogontimeStamp is being updated within the window of 9-14 days and replicated to all DC’s in the domain. They are not an example of how to manage stale accounts.

1. Using repadmin to check the value of lastLogontimeStamp on all DC's in a domain for one user:

repadmin /showattr * (DN of the target user) /attrs:lastLogontimeStamp >lastLogontimeStamp.txt

Example:

repadmin /showattr * CN=user1,OU=accounting,DC=domain,dc=com /attrs:lastLogontimeStamp >lastLogontimeStamp.txt

2. Using repadmin to dump the lastLogontimeStamp for all users in a domain including users that have no data in the lastLogontimeStamp attribute:

repadmin /showattr * /subtree /filter:"(&(objectCategory=Person)(objectClass=user))" /attrs:lastLogontimeStamp >lastLogontimeStamp.txt

3. Dump lastLogonTime stamp for users but only ones that have the attribute populated

repadmin /showattr * dc=domain,dc=com /subtree /filter:"((&(lastLogontimeStamp=*)(objectCategory=Person)(objectClass=user)))" /attrs:lastLogontimeStamp > lastLogontimeStamp-2-22-2009.txt

- Warren ‘For Once not DFSR’ Williams

  • Great information Warren!! I definitely learned some new things here.  

    Thanks

    Mike

  • Outstanding article. The walkthrough was very useful.

    Thanks!

    Francis

  • Nice Detailed article...

    Warren ‘For Once not DFSR’ Williams > Was that a shot at Mr. Ned Pyle?

  • Nice Detailed article...

    Warren ‘For Once not DFSR’ Williams

  • 237 Microsoft Team blogs searched, 109 blogs have new articles in the past 7 days. 245 new articles found

  • Thanks to everyone for the comments. Replying a bit late as I was out of the office.

    Sandeepanand, you will have to talk with Ned about what the "For Once not DFSR" comment means. He ninja edited the document before posting it. It could be  because both Ned and I work a lot on DFSR cases. However with Ned you never know...

  • Well.. in one sentence, all network logons update the timestamp and in another sentence IIS which uses network logon is not updating the timestamp ?

    Can you clarify?

    Also, it would be lot better to know, what kind of logon type is used by different application atleast for Microsoft applications

    Exchange (Outlook, OWA, RPC-o-HTTP), OCS etc.

  • KamleshAP,

    Greetings and thanks for the question. In the blog post I stated that Network and Interactive logons will update the  lastLogonTimeStamp. These are two of the Windows logon types that can be used. The full list is documented here: http://msdn.microsoft.com/en-us/library/aa394189.aspx.

    The 3 IIS tasks listed in the blog post do not log the targeted user on so the user account’s lastLogonTimeStamp would not be updated. In those cases the account used for the identity of the IIS application pool would perform a network logon (if necessary) and trigger an update to the attribute of the account used for the identity of the application pool if one is needed.

    Warren

  • Hello Warren,

    If these logons:

    Certificate mapping through Microsoft Internet Information Services (IIS).

    Username and password authentication through IIS.

    Microsoft .NET Passport mapping through IIS.

    do not update the lastlogontimestamp, what is the best method to detect stale accounts ?

    thanks,

    Prem

  • Thanks to everyone again for the feedback. I am beginning to see the need for some clarification on the bullet points regarding what types of authentications do not update the lastLogonTimeStamp.

    It would be a rare deployment that only used “Certificate mapping through Microsoft Internet Information Services (IIS)” and “Microsoft .NET Passport mapping through IIS” for authentication to a Windows domain.

    So unless you understand what “Certificate mapping through Microsoft Internet Information Services (IIS)” and “Microsoft .NET Passport mapping through IIS” are AND you know for a fact that your AD deployment uses them AND these are the only authentication types EVER used by a user then you do not need to be concerned about them.

    “Username and password authentication through IIS” is too vague so it has been removed from the article.

    I included these to make sure the post was complete as possible as there is always that one scenario… :) But it seems including them has been more of a distraction than has been helpful.

    More information on the two methods can be found here.

    Step-by-Step Guide to Mapping Certificates to User Accounts

    http://technet.microsoft.com/en-us/library/bb742438.aspx

    .NET Passport Authentication

    http://technet.microsoft.com/en-us/library/cc778966.aspx

  • Prem,

    The best way to track stale accounts is to leverage the lastLogonTimeStamp attribute. It would be rare in a scenario that

    a. It is important to track stale accounts

    b. That the enterprise would only use authentication schemes that do not actually log the user account onto the domain.

    So far I personally have never found a customer scenario that the lastLogonTimeStamp was not updated as expected since Windows 2003 SP1 shipped. It’s possible they are out there but they are a very rare exception.

    Warren

  • Nice Article Warren,

      Lots of great info. We have a request to determine the last login info. for users who only use Outlook Web Access. In limited testing in our lab, I don't see these logins reflected in the LastLogonTimeStamp Attribute. Thoughts/Help/Suggestions?

    Tom

  • clisbyt,

    Thanks for the feedback. I would have to do some testing which requires I go and talk to the Exchange guys. While I get that done I suggest the following:

    Make sure your lab domain is at 2003 Domain Functional Level.

    Create a brand new user and configure email attributes. Do not log this user on. Whne done confirm their lastLogonTimeStamp attribute is blank.

    Have them access their mail via OWA.

    Check their lastLogonTimeStamp attribute.

    I'll get back to you after I get the test done here.

    Warren

  • I actually got the test done faster than I thought. I tested Exchange 2003 and Exchange 2007.

    Test details

    2003 Setup

    Exchange 2003 and IIS on one server and 2003 DC

    Single DC domain

    2007 Setup

    Exchange 2007, IIS and DC all on separate servers.

    Single DC domain

    All OS’s were 2003

    Steps

    Raised Domain Functional Level to 2003

    Created new user

    Logged user into OWA

    Result

    In both cases lastLogonTimeStamp was updated.

    Warren

  • If I wanted to filter out all users who had not logged on in the past 60 days, how would I construct the query? Not sure how the timestamp is stored.