LDAP auth not updating LastLogon attribute

  • Last Post 26 June 2017
minwar posted this 26 June 2017

I have noticed that if I authenticate using LDP against a specific DC, LastLogon is not updated. I can see the 4624 event in the event log on that DC and the relevant entries in the Netlogon logs, so I know it occurred and was successful. Anyone know why this is the case? I am assuming it's by design? LastLogonTimestamp is not really useful since I want to report on the most recent logon. Thanks

amulnick posted this 26 June 2017

I've never known LastLogonTimestamp to be overly useful other than as one more data point. It's always been questionable for me due to replication latency and other ways it's used.
Best way in my experience is to use a log aggregation tool, such as Splunk or ELK, and sift the data that way if that's an option.


minwar posted this 26 June 2017

LastLogonTimestamp does a job if you want to identify stale objects. But here I need to report on when userA last authenticated. I can use Splunk or Netlogon logs from an admin perspective. But if an application wants to query AD, there is no means of it easily finding that out. I had thought that querying all the various lastLogon values for the most recent would do the trick. But it seems not.
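The approach the last post describes (collect lastLogon from every DC and keep the newest) is the only way to read that attribute accurately from AD, because lastLogon is stored per DC and is never replicated, whereas lastLogonTimestamp is replicated but by default only rewritten when the stored value is more than about 14 days old (minus a random offset of up to 5 days), so it is deliberately coarse. The following script is an added example, not code from any poster in this thread. It assumes the RSAT ActiveDirectory PowerShell module and an account that can read user attributes on every DC; the parameter name and output layout are illustrative choices.

```powershell
# Added example: report the newest non-replicated lastLogon for one account
# by asking every DC in the domain directly, and show the replicated
# lastLogonTimestamp next to it for comparison.
# Assumes the ActiveDirectory module (RSAT) and read access on each DC.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)

Import-Module ActiveDirectory

# Every DC in the current domain; lastLogon on one DC says nothing about the others
$dcs = Get-ADDomainController -Filter *

$results = foreach ($dc in $dcs) {
    try {
        # -Server pins the query to that DC so we read its own copy of lastLogon
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop

        [pscustomobject]@{
            DC                 = $dc.HostName
            # Both attributes are Windows FILETIME (100-ns ticks since 1601); 0/null means never set
            LastLogon          = if ($u.lastLogon)          { [DateTime]::FromFileTime($u.lastLogon) }          else { $null }
            LastLogonTimestamp = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        }
    }
    catch {
        # An unreachable DC is skipped, so the final answer may be missing that DC's logons
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

# Per-DC view, newest first
$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# The "true" most recent logon is the maximum across DCs that answered
$latest = $results | Where-Object { $_.LastLogon } | Sort-Object LastLogon -Descending | Select-Object -First 1
if ($latest) {
    "Most recent lastLogon for {0}: {1} (reported by {2})" -f $SamAccountName, $latest.LastLogon, $latest.DC
}
else {
    "No DC reported a lastLogon for $SamAccountName"
}
```

Run it as `.\Get-LastLogonAllDCs.ps1 -SamAccountName userA` (file name is illustrative). Treat the result as a lower bound on freshness: any DC that did not answer is excluded, and a logon that does not write lastLogon on the authenticating DC (the situation the original poster reports) will not appear at all, which is why the earlier reply's suggestion of correlating 4624 events in a log aggregator remains the authoritative cross-check.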