lastLogon vs. lastLogonTimestamp in Active Directory
Solution 1:
Use the most recent attribute.
lastLogon is only updated on the domain controller that performs the authentication and is not replicated.
lastLogonTimestamp is replicated, but by default only if it is 14 days or more older than the previous value.
http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx
Solution 2:
TL;DR - If you want the most accurate logon time, you must query the lastLogon attribute from all domain controllers. If a tolerance of ±19 days is acceptable, then you can just read lastLogonTimestamp from the closest domain controller.
lastLogon
This attribute is not replicated and is maintained separately on each domain controller in the domain. To get an accurate value for the user's last logon in the domain, the Last-Logon attribute for the user must be retrieved from every domain controller in the domain. The largest value that is retrieved is the true last logon time for that user.
https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogon#remarks
lastLogonTimestamp
Whenever a user logs on, the value of this attribute is read from the DC. If the value is older than [ current_time - msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus a random percentage of 5 days.
https://docs.microsoft.com/en-us/windows/desktop/adschema/a-lastlogontimestamp
Notes:
- Both dates are stored as a FILETIME (Int64 in .NET/PowerShell) if you retrieve them programmatically.
- PowerShell also provides a LastLogonDate property. I would have preferred to provide Microsoft-specific documentation to confirm this, but most sources say, and my testing confirms, that it is the lastLogonTimestamp converted to a local DateTime value.
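As an added example (not part of either answer), a PowerShell function that does what Solution 2 describes: it reads lastLogon from every domain controller, keeps the largest value, and places it next to the replicated lastLogonTimestamp so the replication lag is visible. It assumes the ActiveDirectory RSAT module is installed and uses a placeholder account name; Get-TrueLastLogon is a name chosen here, not a built-in cmdlet.

```powershell
# Added example; not code from the original answers. Requires the
# ActiveDirectory module (RSAT). 'jdoe' below is a placeholder account.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # lastLogon is not replicated: ask every DC and keep the largest value.
    # A DC that is unreachable is skipped with a warning so one outage does
    # not abort the whole query (the result is then a lower bound).
    $latest = 0L
    $source = $null
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            if ($u.lastLogon -and $u.lastLogon -gt $latest) {
                $latest = $u.lastLogon
                $source = $dc.HostName
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    # lastLogonTimestamp is replicated, so the default (closest) DC is enough.
    $replicated = (Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp

    # Both attributes are FILETIME Int64 values (100-ns ticks since 1601-01-01);
    # 0 or missing means "never logged on". FromFileTime yields local time,
    # matching what the LastLogonDate property shows.
    $toDate = { param($ft) if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null } }

    # Difference in days between the two attributes: shows how stale the
    # replicated value is (by default up to about 14 days behind).
    $lagDays = $null
    if ($latest -gt 0 -and $replicated -gt 0) {
        $lagDays = [math]::Round(($latest - $replicated) / 864000000000, 1)
    }

    [pscustomobject]@{
        User               = $SamAccountName
        LastLogon          = & $toDate $latest
        LastLogonSourceDC  = $source
        LastLogonTimestamp = & $toDate $replicated
        LagDays            = $lagDays
    }
}

Get-TrueLastLogon -SamAccountName 'jdoe'
```

For stale-account reviews, run this against the accounts flagged by lastLogonTimestamp before disabling them, since the replicated value alone can be a couple of weeks behind the real last logon.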