I'm sitting here across the office from Bob, who is logged into the domain right now, working away. I pull up AD Admin Center and take a look at Bob's account and it tells me his last log on date is 10/25/2010 at noon. It's currently 11/2/2010 at 10 in the morning.
My date on my server is correct, the date on his computer is correct...What's going on?
Has he left his computer logged in since 10/25? Some people just lock their screens at night for weeks at a time until a Windows update forces a reboot.
Have Bob log off and log back on and see if it's updated.
There are two attributes in Active Directory for Last Login tracking: `lastLogon` and `lastLogonTimestamp`. The first (`lastLogon`) is a per Domain controller attribute that can take up to two weeks to sync to all other DCs due to low priority sync. When synced it updates `lastLogonTimestamp`, which is the one shared by all DCs. I imagine that the AD Admin Center is looking at `lastLogonTimestamp` instead of the per DC value, since it would have to query all DCs, get the value, compare to find the latest and present it.
lastLogon is a per-DC property. It is not replicated, and exists in Windows 2000 AD and later. This is the last time that that account (user or computer) has checked into that particular DC.
lastLogonTimeStamp is an account property which is replicated between DCs, but can (by default) be up to 14 days off. This property was introduced in Windows Server 2003 AD.
If I'm looking for stale accounts in the enterprise, I query for a lastLogonTimeStamp of 75 days or more ago (when I've achieved consensus that accounts over 60 days unused are "stale").
If I need to know the exact time somebody logged into the domain, you have to query each and every DC for the lastLogon property and use the latest date.
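The per-DC query described in the answer above, as an added example that is not part of the original posts. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name `Get-TrueLastLogon` and the account name `bob` are hypothetical.

```powershell
# Added example: ask every domain controller for its own lastLogon value,
# keep the newest, and show it next to the replicated lastLogonTimestamp.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)][string]$Identity   # sAMAccountName, DN, GUID or SID
    )

    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An unreachable DC may hold the newest value, so the result
            # is only a lower bound when this warning appears.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        # Both attributes are FILETIME integers; 0 or empty means no logon recorded.
        [pscustomobject]@{
            DC                 = $dc.HostName
            LastLogon          = if ($u.lastLogon -gt 0) {
                                     [DateTime]::FromFileTimeUtc($u.lastLogon) }
            LastLogonTimestamp = if ($u.lastLogonTimestamp -gt 0) {
                                     [DateTime]::FromFileTimeUtc($u.lastLogonTimestamp) }
        }
    }

    # Newest per-DC lastLogon across all DCs that answered.
    $newest = $perDc | Where-Object LastLogon |
              Sort-Object LastLogon -Descending | Select-Object -First 1
    # lastLogonTimestamp is replicated, so any DC's copy will do; take the latest seen.
    $replicated = ($perDc | Where-Object LastLogonTimestamp |
                   Sort-Object LastLogonTimestamp -Descending |
                   Select-Object -First 1).LastLogonTimestamp

    [pscustomobject]@{
        Identity              = $Identity
        NewestLastLogonUtc    = $newest.LastLogon
        AuthenticatingDC      = $newest.DC
        LastLogonTimestampUtc = $replicated
        DCsQueried            = @($perDc).Count
    }
}

Get-TrueLastLogon -Identity 'bob'   # 'bob' is a constructed account name
```

Both times are reported in UTC. A gap of several days between `NewestLastLogonUtc` and `LastLogonTimestampUtc` is the situation described in the question.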
I found a very detailed explanation of this matter here: http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx