Monday, July 09, 2007


Because the lastLogon attribute is not replicated in Active Directory, a different value can be stored in the copy of Active Directory on each Domain Controller. The largest value that is retrieved is the true last logon time for that user.

The lastLogon attribute is stored in Active Directory as Integer8 (8 bytes). This means it is a 64-bit number. This value represents the number of 100 nanosecond intervals since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert to local time.


Ok, here is how it works in Windows 2003 for the new last logon attribute.
One of the new attributes in Windows 2003 is lastLogonTimestamp which can be used to retrieve the last logon time for users, good so we have a new attribute to use! Sounds easy, right?

But the lastLogonTimestamp is not always showing the truth since it is only replicated every 14 days...

Simplifying Matters

So instead of writing VBScripts and performing calculation hurdles, why not download Winzero's Computer2User v3.00 or Winzero Domain Monitor solutions at:

and just use these solutions:

Computer2User version 3.0x will report the last domain logon for all users* from any selected DC, or the last local computer logon for all users by server or workstation.

DomainMonitor version 2.0x will report the last domain logon for all users* from all DCs by collection date.

*note "users" in Active Directory will return both users accounts and computer accounts because AD sees both as accounts.


  1. looks nice-

    You can also use our product Password Reminder PRO to obtain this information through a comprehensive and easy to use reporting console, as well as proactively alert your domain users of upcoming password expirations-

  2. I have create clone one of dumpsec report for user list from active directory including lastlogon, lastchangepassword information, etc.

    This vbscript will access active directory attributes faster then dumpsec with specific condition.

    Check it out:

  3. Hi,

    Thanks for sharing your insightful thoughts and suggestions - very cool and helpful indeed.

    In the spirit of sharing helpful information, thought I'd mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.

    The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from

    Why bother writing complicated scripts or using unsupported command-line tools when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!

    If you're into Active Directory security, then this tool is a must-have. Thought I'd share this helpful tip with you!



Note: Only a member of this blog may post a comment.