logon types and LastLogon attribute

  • Last Post 25 January 2016
kool posted this 22 January 2016

My Google-foo is failing me. I know that not all logons update the LastLogon attribute, but I haven't found a definitive list as to which do or don't. For example, this article lists all of the logon types which are recorded locally in the event log: https://msdn.microsoft.com/en-us/library/aa394189.aspx, but it doesn't state which of these update the LastLogon value for the corresponding AD account.

I did find a couple of articles that say that network logins (type 3) don't result in an update of LastLogon (e.g. https://support.microsoft.com/en-us/kb/939899). There are lots of articles comparing LastLogon to LastLogonTimestamp (e.g. http://aducadmin.com/ad-attributes-last-logon-timestamp/) but they all seem somewhat incomplete and don't answer my question as to what logon events do update LastLogon.

More Info

I'm trying to determine which of a bunch of service accounts are actually still in use. I'm running this bit of PS code and find that some service (user) accounts have LastLogonTimestamp values but no LastLogon values across all domain controllers. And yes, I know that LastLogon is not replicated.

# $user holds the account name being checked; set it before running (placeholder value shown)
$user = 'svc-example'

Write-Host "Finding last logons for user $user"

# Query every DC, because lastLogon is stored only on the DC that authenticated the account
$dcs = Get-ADDomainController -Filter * | select -expand hostname

$dcs | % {
    $curDC = $_
    get-aduser -Properties lastLogon,lastLogonTimestamp,whenCreated -Server $curDC -Filter "name -eq '$user'" |
        Select @{Label='DC';Expression={($curDC.Split('.'))[0]}},
               @{Label='WhenCreated';Expression={$_.whenCreated}},
               @{Label='LastLogonTimestamp';Expression={if ($_.lastLogonTimestamp -ne $null) {[datetime]::FromFileTime($_.lastLogonTimestamp)} else {0}}},
               @{Label='LastLogon';Expression={if ($_.lastLogon -ne $null) {[datetime]::FromFileTime($_.lastLogon)} else {0}}}
}

The only explanation I can think of is that some bit of code is making a network call (perhaps LDAP) and supplying credentials. Those credentials are not used anywhere else. This would update LastLogonTimestamp but not LastLogon. Am I missing any other cases?

Thanks,

Eric


Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx
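As an added example (not code from the thread or from any of its posters), the script below generalizes the per-DC query above: for a list of accounts it reads lastLogon from every DC, keeps the newest value, puts it beside the replicated lastLogonTimestamp, and flags the exact pattern Eric describes (a replicated timestamp but no lastLogon on any DC) as well as accounts stale on both measures. It assumes the ActiveDirectory module, read access to all DCs, and placeholder account names in $Users.

```powershell
# Added example, not from the thread: for each account in $Users, read lastLogon on every DC,
# keep the newest value, and set it beside the replicated lastLogonTimestamp.
# Assumes the ActiveDirectory module and read access to all DCs; account names are placeholders.
param(
    [string[]]$Users     = @('svc-example1', 'svc-example2'),   # placeholder sAMAccountNames
    [int]     $StaleDays = 90
)

Import-Module ActiveDirectory

$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$cutoff = (Get-Date).AddDays(-$StaleDays)

foreach ($user in $Users) {
    $newestLastLogon = $null
    $llts            = $null
    $whenCreated     = $null
    $dcsWithValue    = @()

    foreach ($dc in $dcs) {
        try {
            $acct = Get-ADUser -Identity $user -Server $dc `
                        -Properties lastLogon, lastLogonTimestamp, whenCreated -ErrorAction Stop
        } catch {
            Write-Warning "Could not read $user from ${dc}: $($_.Exception.Message)"
            continue
        }
        # lastLogon is a per-DC FILETIME and is not replicated; 0/$null means this DC
        # never authenticated the account, so only the newest value across all DCs matters.
        if ($acct.lastLogon -gt 0) {
            $t = [DateTime]::FromFileTime($acct.lastLogon)
            $dcsWithValue += $dc.Split('.')[0]
            if ($null -eq $newestLastLogon -or $t -gt $newestLastLogon) { $newestLastLogon = $t }
        }
        # lastLogonTimestamp is replicated (and only refreshed when older than the 9-14 day
        # sync window), so any one DC's copy is good enough.
        if ($acct.lastLogonTimestamp -gt 0) { $llts = [DateTime]::FromFileTime($acct.lastLogonTimestamp) }
        $whenCreated = $acct.whenCreated
    }

    [PSCustomObject]@{
        User               = $user
        WhenCreated        = $whenCreated
        LastLogonTimestamp = $llts
        NewestLastLogon    = $newestLastLogon
        DCsWithLastLogon   = $dcsWithValue -join ';'
        # The pattern from the question: replicated timestamp set, but no DC holds a lastLogon.
        OnlyTimestamp      = ($null -ne $llts -and $null -eq $newestLastLogon)
        # Stale on both measures within $StaleDays: a candidate to disable (not delete) and watch.
        LikelyUnused       = (($null -eq $llts -or $llts -lt $cutoff) -and
                              ($null -eq $newestLastLogon -or $newestLastLogon -lt $cutoff))
    }
}
```

Run it as a .ps1 with `-Users` set to the service accounts under review; OnlyTimestamp = True is the case to investigate further (for example an S4U2Self access check or a credentialed bind that touched lastLogonTimestamp without an interactive or network logon on any DC), while LikelyUnused = True is the safe-to-disable-and-observe list.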

joe posted this 22 January 2016

I too am working on a "find the dead service accounts" project and have similar questions. We've been using a combo of both lastLogon and lastLogonTimestamp but we definitely have some accounts that are still being used that are not showing up in either. It is really hard to figure out how to find a trace of them still being used.
Joe K.



bdesmond posted this 22 January 2016

Have you read http://blogs.technet.com/b/askpfeplat/archive/2014/04/14/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self.aspx and the associated links? That’s the best reference I know.

The various audits on all the DCs are really the only good data source I can think of offhand.

Thanks,

Brian Desmond

w – 312.625.1438 | c – 312.731.3132


kool posted this 22 January 2016

Thanks Brian, I had forgotten about that S4U2SELF wrinkle. Doing an access check of a service account would trigger an update to its LastLogonTimestamp.

In some future ideal life I’d have a database of all DC audit log logon events indexed by user that I could search. There would be a ton of useful info about who’s doing what in such a database.

TGIF, and if you’re on the East Coast, hunker down!

Eric
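As an added example (not code from the thread or its posters), the script below is a small version of the two ideas above: Brian's point that the DC audit logs are the only good data source, and Eric's wish for a per-user index of DC logon events. It pulls Kerberos TGT (4768), service ticket (4769), NTLM validation (4776) and logon (4624) events from every DC's Security log for the last $Days days, indexes them by account, and summarizes the accounts in $ServiceAccounts. It assumes the DCs audit these events, remote event log access, and placeholder account names; the 4769 ServiceName field is what catches a service account that never logs on itself but has tickets requested for its SPN.

```powershell
# Added example, not from the thread: build a per-account index of DC audit events.
# Assumes audit policy logs these IDs on the DCs and that Get-WinEvent can reach them remotely.
param(
    [string[]]$ServiceAccounts = @('svc-example1', 'svc-example2'),   # placeholders
    [int]     $Days            = 14,
    [string]  $OutCsv          = '.\dc-logon-index.csv'
)

Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-$Days)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Event ID -> EventData field that names the account of interest.
# 4768 TGT request, 4776 NTLM validation, 4624 logon: TargetUserName.
# 4769 service ticket request: ServiceName, i.e. the account whose SPN was requested.
$eventFields = @{ 4768 = 'TargetUserName'; 4776 = 'TargetUserName'; 4624 = 'TargetUserName'; 4769 = 'ServiceName' }

$index = @{}   # lowercase account name -> list of event records
foreach ($dc in $dcs) {
    $filter = @{ LogName = 'Security'; Id = @($eventFields.Keys); StartTime = $since }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "No events read from ${dc}: $($_.Exception.Message)"   # includes 'no events found'
        continue
    }
    foreach ($ev in $events) {
        # EventData is easiest to read from the XML: each <Data Name="..."> carries one field
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $field = $eventFields[[int]$ev.Id]
        $name  = ($data[$field] -split '[@$]')[0]   # drop realm suffix and a computer account's trailing $
        if (-not $name) { continue }
        $key = $name.ToLowerInvariant()
        if (-not $index.ContainsKey($key)) { $index[$key] = New-Object System.Collections.Generic.List[object] }
        $index[$key].Add([PSCustomObject]@{
            Account     = $name
            EventId     = $ev.Id
            Time        = $ev.TimeCreated
            DC          = $dc
            Source      = $data['IpAddress']     # set on 4768/4769/4624, absent on 4776
            Workstation = $data['Workstation']   # 4776 names the calling workstation instead
        })
    }
}

# Per-account summary for the accounts under review: newest evidence, which event types, from where
$summary = foreach ($acct in $ServiceAccounts) {
    $recs = $index[$acct.ToLowerInvariant()]
    [PSCustomObject]@{
        Account     = $acct
        EventCount  = if ($recs) { $recs.Count } else { 0 }
        NewestEvent = if ($recs) { ($recs | Sort-Object Time -Descending | Select-Object -First 1).Time } else { $null }
        EventIds    = if ($recs) { ($recs.EventId | Sort-Object -Unique) -join ',' } else { '' }
        Sources     = if ($recs) { ($recs.Source | Where-Object { $_ } | Sort-Object -Unique) -join ';' } else { '' }
    }
}
$summary | Format-Table -AutoSize

# Keep the full index so it can be searched later, which is the "database indexed by user" idea
$index.Values | ForEach-Object { $_.ToArray() } | Export-Csv -NoTypeInformation -Path $OutCsv
```

An account with zero events across all DCs for the whole window, and nothing in lastLogon or lastLogonTimestamp either, is about as good a "dead" signal as AD alone can give; an account that appears only in 4769 ServiceName records is the S4U2Self/SPN case, still in use by whatever source addresses show up even though it never logs on.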

 


barkills posted this 22 January 2016

I had a vague recollection that Joe Richards did a dive on this topic. I thought the details were on his blog, but the most recent stuff I see there on this topic is:

http://blog.joeware.net/2007/05/01/864/ and

http://blog.joeware.net/2008/07/10/1400/, basically about 7-8 years old, which has some good stuff in it (including a detail featured in the PFE blog noted below ~6 years later), but isn’t as much stuff as I recalled. It’s possible it was a thread here on the activedir list which he contributed to that I’m recalling. I tried using the search on the activedir.org website to find that, but I’m finding it takes a really long time to get the site to move beyond the 1st page of search results, which is of course dominated by the thread started today. :(

So I turned to my email archive of the list (which was hampered by some Exchange Online unavailability during my review of the results). Here are a couple other gems I found via that:

https://jorgequestforknowledge.wordpress.com/2008/02/10/showing-last-logon-info-at-logon-in-windows-server-2008/

http://support.microsoft.com/default.aspx?scid=kb;EN-US;939899

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

So combined with what has already been shared, I think that’s likely the best round-up of info available.

Specific to one of the questions asked, the last link explicitly notes that logon over the network does result in an update.

Now … I’ll throw a stink bomb into this thread and note that there is no complement in Azure AD to this functionality, and that’s not a great situation. On a single user basis, there is a solution, but you can’t leverage that at scale. I’d really love to see Microsoft fix that.

-B


kebabfest posted this 25 January 2016

This is a great script which will run through your domain and give you a list of all the service accounts used in your environment (as long as the server is registered in AD): https://gallery.technet.microsoft.com/scriptcenter/Get-ServiceAccountUsage-b2fa966f

