Inactive users and LastLogonTimeStamp
In this blog post, I will be talking about inactive users and LastLogonTimeStamp. This can help administrators determine inactive computers and user accounts in Active Directory.
I believe finding the logon time stamp for users and computers, is one of the most requested information for IT network admins and security admins. Each type of those administrators, has different perspective and use of the information. IT network admins usually want to find inactive computers and clean those from Active Directory, so that it shows the truth always. On the other side, security admins are always looking for inactive users, so that they can disable them. Also, security admins might want to know when a specific computer or user account did access the network.
For finding inactive users and computers in Active Directory, it is acceptable to have not that real-time information about the last logon attempts. But if security admins want real-time information about logon attempts, then this changed things a little bit.
LastLogonTimeStamp new addition
Prior to Windows Server 2003, IT admins had to query the lastlogon attribute on all domain controllers to get accurate data about logon attempts. This attribute does not get replicated between domain controllers, hence the problem.
In Windows 2003 and higher, LastLogonTimeStamp got introduced. The new attribute provides information about logon attempts, and it got replicated between domain controllers. One thing to consider here, is that this attribute has 14 days update frequency, so when you look at this attribute, it might be up to 14 days outdated. You can look at this Microsoft TechNet article that explains in great details how LastLogonTimeStamp is being used and updated.
LastLogonDate is another attribute. It is not a new one, but it is only a representation of the LastLogonTimeStamp in a readable view. In other words, The LastLogonDate property method converts the value of the lastLogonTimeStamp attribute into the corresponding date in the local time zone.
ms-DS-Last-Successful-Interactive-Logon-Time (New in win 2008 FL) is another new in windows 2008 domain controllers, and it shows the most accurate time when the user logon on interactively to a system .It doesn’t show which system the user logged on to, but it will give you an accurate indication when the user last logged on interactively to a system. The reason why you cannot use this attribute while filtering inactive users, is that service account don’t usually log on interactively, and thus they don’t update this value.
What to use and when?
If you are looking for cleaning up your Active directory from orphan inactive users and computers, then you can use the LastLogonTimeStamp. It is replicated between domain controllers, so you can query any domain controller. Also, Interactive, Network, and Service logons will update the lastLogontimeStamp. So if a user logs on interactively, browses a network share, access the email server or runs an LDAP query, the lastLogontimeStamp attribute will updated if the right condition is met. Also, Finding inactive users and computers does not require up to date logon time stamps, so the 14 days default update outdated issue should be fine.
But if you are looking to have a real time information about account logon attempts, then the best way to do so, is by collecting logs from all your domain controllers and querying for logon events.
You can use the Audit Collection Server in operations Manager to collect the logs for you, in a centralized location, and get extensive reporting there.
Another new option is to use Azure Operation Management Suite, a new cloud offering from Microsoft that comes with security insights and log analytics solutions. You can install the OMS agent in all your domain controllers, and then use the OMS dashboard to search for logon attempts.