Active Directory: how to know the TRUE last connection date

lastLogon vs lastLogonTimestamp

Level of knowledge required: beginner

In the world of IAG (Identity and Access Governance), the last connection date is an interesting value. With this information, we can check if an ex-employee has logged on after their departure, or, more generally, check the existence of dormant accounts (e.g. active but unused for a defined period), for the purpose of IT compliance or cost reduction.

Because it is so widely deployed, Active Directory is a classic use case for this last connection date. In the administration interface, the properties of a user account show this information under 2 different attributes: “lastLogon” and “lastLogonTimestamp”.

Why does this information appear twice?

Which one should be chosen for access analysis?

Domain controller(s)

Almost systematically, and even more so in large companies, the Active Directory domain is managed by several domain controllers, to ensure continuity of service and better resource management. These domain controllers synchronize information between themselves on a regular basis. This is called domain controller replication.

When a user logs in with their Windows account, they are authenticated by one of these domain controllers.

Last connection dates

The connection date and time are then recorded, among other information. In Active Directory, this data appears in 2 attributes that behave very differently:

  • lastLogon: the user's last connection as recorded by the domain controller that handled it. This data is not replicated, so each domain controller holds its own value
  • lastLogonTimestamp: a value replicated to all domain controllers. It is updated when the user logs in, if the difference with the lastLogon is greater than approximately 14 days (“approximately” because it is more exactly “14 days minus a random percentage of 5 days”, according to the default settings in Active Directory)

Which value to choose?

As part of an access analysis, it is recommended to process the lastLogonTimestamp, which contains information that is much more stable over time (despite a potential difference of 14 days maximum, by default).

If we want to rigorously obtain the user's last login date, we have to retrieve the lastLogon values from all the domain controllers, then set up a mechanism to keep the most recent value.
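The rigorous approach described above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory (RSAT) module and read access to every domain controller of the current domain; the function name Get-TrueLastLogon is hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function Get-TrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity    # sAMAccountName, DN, GUID or SID of the user
    )

    $latest     = [long]0    # highest lastLogon (FILETIME) seen so far
    $latestDc   = $null      # domain controller that reported it
    $replicated = [long]0    # lastLogonTimestamp, the replicated attribute
    $failed     = @()        # DCs whose value could not be read

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # lastLogon is not replicated, so each DC is asked for its own copy
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # A DC that cannot be read may be the one holding the newest value
            $failed += $dc.HostName
            continue
        }

        # Missing or 0 means this DC never authenticated the user
        $value = if ($user.lastLogon) { [long]$user.lastLogon } else { [long]0 }
        if ($value -gt $latest) {
            $latest   = $value
            $latestDc = $dc.HostName
        }
        if ($user.lastLogonTimestamp -and [long]$user.lastLogonTimestamp -gt $replicated) {
            $replicated = [long]$user.lastLogonTimestamp
        }
    }

    # Both attributes are FILETIME values: 100 ns intervals since 1601-01-01 UTC
    [pscustomobject]@{
        Identity           = $Identity
        LastLogonUtc       = if ($latest -gt 0) { [DateTime]::FromFileTimeUtc($latest) } else { $null }
        ReportedBy         = $latestDc
        LastLogonTimestamp = if ($replicated -gt 0) { [DateTime]::FromFileTimeUtc($replicated) } else { $null }
        FailedDCs          = $failed
    }
}
```

A non-empty FailedDCs list means the result is only a lower bound: a domain controller that could not be read may hold a more recent lastLogon.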

In most cases, the lastLogonTimestamp is preferred for IAG, because of the ratio “reliability of information/speed of consideration”.
