LastLogonDate not reporting correct information

I have this code that works.  

$machine = (Get-ADComputer -Filter * -SearchBase "ou=acme_workstations,dc=acme,dc=org").Name

$objs = foreach ($pc in $machine) {
    Get-ADComputer $pc -Properties LastLogonDate | Select-Object Name, LastLogonDate
}

$objs | Export-Csv -NoTypeInformation -Path "C:\temp\LastReboot.csv"

I read this about LastLogonDate: PowerShell was nice enough to give us a third option to query by. LastLogonDate is a converted version of LastLogonTimestamp. He was technically right. It's not a replicated attribute. Instead, it's a locally calculated value of the replicated value. Most importantly, it gives us the ability to query using human-friendly date formats!! (taken from this web page: social.technet.microsoft.com/.../22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx)

So I looked at my LastReboot.csv file. I looked at machines that had a LastLogonDate of today, 5/6/2015. Now, we have a GPO that runs a PowerShell script, and this script writes to the registry. I spot-checked many of the machines that have a LastLogonDate of today; half did have the registry keys created by the PowerShell script, but half did not. So on the machines that did not have the registry keys, I ran this script against each.

$pc = Read-Host "Enter the machine name"

Get-WmiObject Win32_OperatingSystem -ComputerName $pc | Select-Object CSName, @{LABEL='LastBootUpTime'; EXPRESSION={$_.ConvertToDateTime($_.LastBootUpTime)}}

The LastBootUpTime is not today on all of the machines I checked. Why? How come LastLogonDate is not accurate? Or should I be using a different AD attribute?

  • So, Last Boot Time, lastLogon, LastLogonDate and LastLogonTimestamp are all very different animals.

    1. Last boot time was just the last time a PC was rebooted. That isn't an accurate way to measure when someone last logged in.
    2. LastLogonTimeStamp is a field that is replicated, but is only updated when the LAST time it was updated is over 2 weeks ago. So if you log in 2 days later it WILL NOT update. This field was meant to be used to locate stale accounts.
    3. lastLogon is the only accurate field in Active Directory for when a user logs in. The problem is it is not replicated and is only stored on the DC that the user registered with.
    4. LastLogonDate is a calculated field from lastLogon; it is replicated BUT, depending on the size of your AD, can take up to 11 days before you have full convergence (all the DCs have the same data). Smaller environments will replicate much quicker and this field is often useful.

  • In AD there are two logon time attributes, lastLogon and lastLogonTimestamp. LastLogonDate is a PowerShell-created, friendly version of lastLogonTimestamp.

    Lastlogon is a non-replicated value that is updated on the DC that authenticates and that DC only.

    lastLogonTimestamp (LastLogonDate) is a replicated value, but it only gets updated if the current value is older than a number of days randomly determined between 9 and 14 days. This is so you can determine who hasn't logged on for a while, but still not congest the network and DCs with replication traffic.

    If you want to determine the exact last logon date, you must query every individual DC for the lastLogon property and compare them for the most recent.

    If you want to determine who couldn't have logged on within a certain number of days, then you can use lastLogonTimestamp.
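    Following the advice in this answer (ask every DC for lastLogon and keep the newest value), here is an added example script that is not from the thread. It assumes the ActiveDirectory module is available, uses the OU path from the question, and writes its report to a constructed output path.

```powershell
# Added example (not from the thread): most recent lastLogon per computer, taken
# from every DC, because lastLogon is stored only on the DC that handled the logon.
# Assumes the ActiveDirectory module; OU is the one from the question, output path is made up.
param(
    [string]$SearchBase = "ou=acme_workstations,dc=acme,dc=org",
    [string]$OutFile    = "C:\temp\TrueLastLogon.csv"
)

Import-Module ActiveDirectory

# Every DC in the domain must be consulted; no single DC has the full picture.
$dcs = (Get-ADDomainController -Filter *).HostName

# LastLogonDate (replicated lastLogonTimestamp, up to 9-14 days stale) is fetched once
# from the default DC so it can be compared with the per-DC lastLogon values.
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties LastLogonDate

$report = foreach ($c in $computers) {
    $newest   = 0L      # lastLogon is a FILETIME: 100 ns ticks since 1601-01-01 UTC
    $newestDc = $null
    foreach ($dc in $dcs) {
        try {
            $ll = (Get-ADComputer -Identity $c.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
        } catch {
            # An unreachable DC is reported but does not abort the whole run.
            Write-Warning "Could not query $dc for $($c.Name): $_"
            continue
        }
        if ($ll -gt $newest) { $newest = $ll; $newestDc = $dc }
    }
    [pscustomobject]@{
        Name          = $c.Name
        LastLogonDate = $c.LastLogonDate
        TrueLastLogon = if ($newest -gt 0) { [DateTime]::FromFileTime($newest) } else { $null }
        ReportingDC   = $newestDc
    }
}

$report | Sort-Object TrueLastLogon -Descending |
    Export-Csv -NoTypeInformation -Path $OutFile
```

    Rows where TrueLastLogon is much newer than LastLogonDate are exactly the cases this thread is about: the logon happened, but lastLogonTimestamp was not due for its 9-14 day refresh.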

  • There are other kinds of authentications that will trigger an update of those properties too, so the computer doesn't have to reboot for it to be updated. If you need the boot time, you can try to query each computer. LastBootUpTime in the Win32_OperatingSystem class contains the boot time information.

  • Thanks, guys, all this info helps.

  • A little more on this: LastLogonTimeStamp. When I run this command I see LastLogonTimeStamp: get-adcomputer 'MyMachine' -Properties * | Select *, but as you said the information does not match what I extract from my own local WMI. I rebooted my workstation yesterday afternoon at 1:30pm, yet AD does not reflect that.

    So it sounds like there is no 100% surefire way of finding exactly when machines rebooted from AD. You have to extract from the local WMI?

  • jkjk12 said:
    I rebooted my workstation yesterday afternoon at 1:30pm, yet AD does not reflect that.

    Just curious. Did you check all your DCs? I don't believe this is a replicated attribute. As such, it would only be current on the authenticating DC.

  • Mr. McCoy, I must not have checked all DCs. Now, that said, we only have 3 DCs in our whole environment and I have forced a replication via AD Sites and Services. But I guess this data did not replicate. I have discovered the Get-ADDomain command. PDCEmulator equals the same thing I see when I open up a CMD and type in SET L

    I guess my question remains. Can you find from AD the true time machines rebooted? Or do you have to query WMI?

    Our issue is this: We have a scheduled task that runs M-W-F. This task will check your system to see if you have rebooted in the past 7 days (a query of WMI). It runs when the user is logged on, since it throws up a dialog. Now, either 90% of our company is logging off or this is not running as expected, since only 57 machines have rebooted in the past 3 days. I know this because I edited the .ps1 script the task calls to add some logging; it now writes to a share for each machine that reboots.