LastLogonTimeStamp newer than any lastLogon In a domain

Last Post 18 August 2015
AndreyK posted this 17 August 2015

Hello experts,
Would anyone have any idea why some user accounts in our domains have a LastLogonTimeStamp attribute more recent than any of the lastLogon attributes queried on all domain controllers?
As an example, one user has a password that expired in 2008, and the lastLogon attribute on one of the DCs seems to have a value around that date. Other DCs have either older dates or the user never authenticated on them. Yet the LastLogonTimeStamp has a value in July 2015.
My understanding was that the replicated LastLogonTimeStamp would be within 14 days of the most recent lastLogon value, not YEARS ahead of one.
We have multiple accounts with this abnormality. To the best of our knowledge, no domain controllers were removed from the domain in the last 4 months.
Forest and domains are on Windows Server 2008 R2 functional level.
Any help or ideas are appreciated.

kennedyjim posted this 17 August 2015

A couple of things come to mind to check.

repadmin /showattr * CN=user1,OU=accounting,DC=domain,dc=com /attrs:lastLogontimeStamp >lastLogontimeStamp.txt

Also, did someone mess with the frequency of the update cycle?

msDS-LogonTimeSyncInterval

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

AndreyK posted this 17 August 2015

LastLogonTimeStamp is the same on each DC, and msDS-LogonTimeSyncInterval is set to the default 14.
Still trying to figure out how it can be years AHEAD of any of the lastLogon attributes. Were it behind, I would not even notice it... But years after the account's password expired and after lastLogon was updated on any of the DCs... it does not make sense.
-------Andrey K. 

Chris-Dent posted this 17 August 2015

Decommissioned domain controllers?

Perhaps the real lastLogon value is no longer available?


pradeeprawat85 posted this 17 August 2015

Maybe this?
http://blogs.technet.com/b/askpfeplat/archive/2014/04/14/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self.aspx


danj posted this 18 August 2015

Good find, that is interesting. I just tested this and it doesn't update lastLogon, just lastLogonTimeStamp (presumably because S4U is a Server 2003 addition, as is lastLogonTimeStamp, and the code doesn't bother updating the old attribute).

Dan
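The check that Jim's repadmin suggestion and Dan's S4U2Self finding together point at, written up as an added PowerShell example (this is not code from the thread or from Microsoft): gather the non-replicated lastLogon from every DC, keep the newest value per user, and compare it with the replicated lastLogonTimeStamp. Accounts whose lastLogonTimeStamp is further ahead of every lastLogon than msDS-LogonTimeSyncInterval permits are the ones worth a closer look. It assumes the ActiveDirectory module from RSAT and read access to all domain controllers; the 14-day fallback is the default the thread mentions.

```powershell
# Added example, not from the thread: find accounts whose replicated
# lastLogonTimeStamp is ahead of the newest lastLogon held on any DC by more
# than msDS-LogonTimeSyncInterval allows. Assumes the RSAT ActiveDirectory
# module and read access to every DC in the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# msDS-LogonTimeSyncInterval lives on the domain NC head; unset means the 14-day default.
$syncDays = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
if (-not $syncDays) { $syncDays = 14 }

$dcs = (Get-ADDomainController -Filter *).HostName

# lastLogon is not replicated, so it has to be read from every DC; keep the newest per user.
$newestLastLogon = @{}
foreach ($dc in $dcs) {
    try {
        Get-ADUser -Filter * -Server $dc -Properties lastLogon | ForEach-Object {
            $ll = [int64]$_.lastLogon
            if ($ll -gt 0 -and
                (-not $newestLastLogon.ContainsKey($_.SamAccountName) -or
                 $ll -gt $newestLastLogon[$_.SamAccountName])) {
                $newestLastLogon[$_.SamAccountName] = $ll
            }
        }
    } catch {
        # A DC that cannot be queried leaves a hole in the lastLogon data, so say so.
        Write-Warning "Could not query $dc : $_"
    }
}

# lastLogonTimeStamp is replicated, so a single DC is enough for it.
$report = Get-ADUser -Filter * -Properties lastLogonTimestamp | ForEach-Object {
    $lts = [int64]$_.lastLogonTimestamp
    if ($lts -le 0) { return }   # never stamped; nothing to compare

    $ll = if ($newestLastLogon.ContainsKey($_.SamAccountName)) {
        $newestLastLogon[$_.SamAccountName]
    } else { 0 }

    $ltsDate = [DateTime]::FromFileTimeUtc($lts)
    $llDate  = if ($ll -gt 0) { [DateTime]::FromFileTimeUtc($ll) } else { $null }

    # The replicated value should trail the newest real logon by at most the sync
    # interval. A value far ahead of every lastLogon means something other than an
    # ordinary logon stamped it (the S4U2Self case from the thread), or the lastLogon
    # that would explain it sits on a DC that is gone or unreachable.
    $aheadDays = if ($llDate) { ($ltsDate - $llDate).TotalDays }
                 else { [double]::PositiveInfinity }

    if ($aheadDays -gt $syncDays) {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            LastLogonTimeStamp = $ltsDate
            NewestLastLogon    = $llDate
            DaysAhead          = [math]::Round($aheadDays, 1)
        }
    }
}

$report | Sort-Object DaysAhead -Descending | Format-Table -AutoSize
```

A NewestLastLogon of blank with a recent LastLogonTimeStamp is exactly the pattern Andrey described: the account was never seen logging on by any surviving DC, yet something stamped it. Run it against all DCs rather than a single one, since a lastLogon that exists only on a DC you skipped would show up here as a false positive.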

AndreyK posted this 18 August 2015

This appears to be the case in our environment as well.
You guys are stars.  Pradeep, thank you for the link.
-Andrey K.
