In Windows Server 2003 Microsoft Active Directory introduced the LastLogonTimeStamp attribute with an OID of 1.2.840.113556.1.4.1696.

Administrators can use the LastLogonTimeStamp attribute to determine if a user or computer account has recently logged onto the domain. Using this information administrators can then review the accounts identified and determine if they are still needed and take appropriate action.

Intended Use[1]#

It is important to note that the intended purpose of the LastLogonTimeStamp attribute to help identify inactive computer and user accounts. The lastLogon attribute is not designed to provide real time logon information. With default settings in place the LastLogonTimeStamp will be 9-14 days behind the current date.

If you are looking for more "real-time" logon tracking you will need to query the Security Event log on your DC’s for the desired logon events i.e. 528 –Windows XP\2003 and earlier or 4624 Windows Vista\2008 . See this blog post by Eric Fitzgerald for more info. (I think he knows something about auditing)

IMO your best bet for near real-time data is to use an event log collection service to gather all domain controller security event logs to a centralized database. You can then query a single database for the desired logon events. Microsoft’s solution for security event log collection is Audit Collection Services. There are many 3rd party solutions as well.

How it worked before Windows 2003#

Prior to Windows Server 2003 administrators had to query the lastLogon attribute to determine the most recent logon of user or computer account. This process was time consuming as the lastLogon attribute is updated only on the DC that validates the logon request. The lastLogon attribute is not replicated. So in the past to determine the most recent logon of a user or computer account the lastLogon attribute had to be queried on all domain controllers (at least in concept) and then the most recent date for lastLogon had to be determined from all the results returned. In Windows 2003 and higher lastLogon still has the same behavior. It is updated only on the validating DC and is never replicated.

Attribute Definition#

The LastLogonTimeStamp AttributeTypes is defined as:

More Information#

There might be more information for this subject on one of the following: