!!! Overview[1]
In Windows Server 2003, [Microsoft Active Directory] introduced the [{$pagename}] attribute with an [OID] of [1.2.840.113556.1.4.1696].

Administrators can use the [{$pagename}] attribute to determine whether a user or computer account has recently logged on to the domain. Using this information, administrators can then review the accounts identified, determine whether they are still needed, and take appropriate action.

!! Intended Use[1]
It is important to note that the intended purpose of the [{$pagename}] attribute is to help identify inactive computer and user accounts. The lastLogon attribute is not designed to provide real-time logon information. With default settings in place, the [{$pagename}] will be 9-14 days behind the current date.

If you are looking for more "real-time" logon tracking, you will need to query the Security Event log on your DCs for the desired logon events, i.e. 528 (Windows XP\2003 and earlier) or 4624 (Windows Vista\2008). See this blog post by Eric Fitzgerald for more info. (I think he knows something about auditing)

IMO your best bet for near real-time data is to use an event log collection service to gather all domain controller security event logs to a centralized database. You can then query a single database for the desired logon events. Microsoft's solution for security event log collection is Audit Collection Services. There are many 3rd party solutions as well.

!! How it worked before Windows 2003
Prior to Windows Server 2003, administrators had to query the [lastLogon] attribute to determine the most recent logon of a user or computer account. This process was time consuming because the [lastLogon] attribute is updated only on the DC that validates the logon request. The [lastLogon] attribute is not replicated.
So in the past, to determine the most recent logon of a user or computer account, the [lastLogon] attribute had to be queried on all domain controllers (at least in concept), and then the most recent date for [lastLogon] had to be determined from all the results returned.

In Windows 2003 and higher, [lastLogon] still has the same behavior. It is updated only on the validating DC and is never replicated.

!! Attribute Definition
The [{$pagename}] [AttributeTypes] is defined as:
* [OID] of [1.2.840.113556.1.4.1696]
* NAME: [{$pagename}]
* DESC: The last time the user logged on
* SYNTAX: [1.2.840.113556.1.4.906]
* [SINGLE-VALUE]
* [NO-USER-MODIFICATION]
* USAGE [DirectoryOperation]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]

----
* [#1] - [The LastLogonTimeStamp Attribute, What it was designed for and how it works|http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx|target='_blank'] - based on 2013-09-25
* [#2] - [Last-Logon-Timestamp attribute|http://msdn.microsoft.com/en-us/library/windows/desktop/ms676824(v=vs.85).aspx|target='_blank'] - based on 2013-09-25
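
Added example (not part of the original page or the cited Microsoft articles): the stale-account review from "Intended Use" and the per-DC lastLogon aggregation from "How it worked before Windows 2003", run on values already retrieved from the directory. Both attributes are stored as Large Integer counts of 100-nanosecond intervals since 1601-01-01 UTC. The 90-day threshold, the function names, and the sample accounts are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_LAG = timedelta(days=14)  # the page: value may be 9-14 days behind


def filetime_to_datetime(value):
    """100 ns ticks since 1601-01-01 UTC to datetime; 0 or None gives None."""
    ticks = int(value or 0)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks > 0 else None


def datetime_to_filetime(moment):
    """Inverse conversion, used only to build the constructed samples below."""
    return (moment - EPOCH_1601) // timedelta(microseconds=1) * 10


def latest_last_logon(per_dc_values):
    """lastLogon is not replicated: the answer is the newest value on any DC."""
    seen = [t for t in map(filetime_to_datetime, per_dc_values) if t]
    return max(seen, default=None)


def is_inactive(last_logon_timestamp, now, threshold_days=90):
    """True only if the worst-case 14-day lag cannot explain the old value."""
    seen = filetime_to_datetime(last_logon_timestamp)
    if seen is None:
        return True  # no recorded logon: still worth a manual review
    return now - seen > timedelta(days=threshold_days) + MAX_LAG


def review_candidates(accounts, now, threshold_days=90):
    """Names of accounts to review, from {name: lastLogonTimestamp}."""
    return sorted(n for n, v in accounts.items()
                  if is_inactive(v, now, threshold_days))


# Constructed sample data (hypothetical names, not from a real directory).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = {
    "alice": datetime_to_filetime(NOW - timedelta(days=95)),  # inside the lag
    "svc-backup": datetime_to_filetime(NOW - timedelta(days=200)),
    "newhire": None,  # attribute never populated
}
# One lastLogon value per DC; LDAP clients often return them as strings.
PER_DC_LASTLOGON = [0, datetime_to_filetime(NOW - timedelta(days=3)),
                    str(datetime_to_filetime(NOW - timedelta(days=40)))]
```

With the sample data, "alice" is not flagged at 95 days because the replicated value could be up to 14 days older than her real last logon, so the effective cutoff is 104 days.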