Active Directory: Knowing the TRUE Last Login Date

In Identity and Access Governance (IAG), an accurate view of the true "Last Login Date" is a vital piece of security information. With it, one can verify whether a former employee's account was used after their departure, or detect Dormant Accounts (accounts that are still enabled but have not been used for a defined period). Both serve IT compliance and can also reduce licensing costs.

Microsoft Active Directory, because of its widespread use, is the classic case where the last login date matters. When inspecting the properties of a user account in the administrative tools, this information appears under two different attributes: "lastLogon" and "lastLogonTimestamp."

  • Why does this information appear twice?
  • Which one should be favored for access analysis?

Domain Controller(s)

As a rule, an enterprise's Active Directory domain is served by several domain controllers, both for service continuity and to spread the load. These domain controllers synchronize their data with each other at regular intervals; this is "domain controller replication". When a user logs on with their Windows account, they are authenticated by one of these domain controllers, and it is that controller which records the logon.

Last Login Dates: The date and time of the logon are recorded, among other things. In Active Directory this data appears in 2 attributes with distinct behaviors. Both are stored as a Windows FILETIME (a 64-bit count of 100-nanosecond intervals since 1 January 1601 UTC), which the administrative tools convert to a readable date; a value of 0 means the account has never logged on as far as that attribute is concerned.

  • lastLogon: The user's last logon as seen by that particular domain controller. This attribute is not replicated, so every domain controller holds its own copy, and a controller that never authenticated the user simply holds 0.

  • lastLogonTimestamp: The value replicated to all domain controllers. At logon, the authenticating controller compares the current time with the value already stored in lastLogonTimestamp and only writes a new value if that stored value is older than the sync interval. The interval (attribute msDS-LogonTimeSyncInterval on the domain object) defaults to 14 days minus a randomly generated percentage of 5 days, so in practice the attribute is refreshed roughly every 9 to 14 days. The randomization spreads the resulting replication traffic; the price is that the replicated value can trail the true last logon by up to about 14 days.

Which Value to Choose? For access analysis, it is recommended to work with "lastLogonTimestamp", because it is consistent across the whole domain and stable over time (with a potential maximum lag of 14 days by default). Two practical consequences follow: a dormancy threshold must be clearly longer than 14 days (90 days is a common choice) so that the replication lag cannot turn an active account into a false positive, and a date within the last two weeks must never be read as "the last time this account was used". Note also that only authentications handled by a domain controller (Kerberos TGT issuance, NTLM) update either attribute; a logon with cached credentials on an offline laptop updates neither.

If you absolutely require the exact last logon date of a user, you need to query the lastLogon value on every domain controller of the domain (not just one, and not a single replicated source) and keep the most recent value. Any controller that cannot be reached must be reported rather than silently skipped, because it may be the one that holds the latest logon. For IAG in general, lastLogonTimestamp remains the preferred choice because of the balance it offers between reliability of the information and ease of collection.
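The procedure above (collect lastLogon from every domain controller, keep the most recent value, and compare it with the replicated lastLogonTimestamp) as an added PowerShell example; it is not code from the original article. It assumes the RSAT ActiveDirectory module, read access to the domain, and a dormancy threshold of 90 days; the threshold and the report layout are the editor's choices, not anything the article prescribes.

```powershell
# Added example, not from the original article.
# Computes the true last logon per user by querying the non-replicated lastLogon
# attribute on every domain controller, shows the replicated lastLogonTimestamp
# beside it, and flags dormant accounts against an assumed threshold.
param(
    [int]$DormantDays = 90   # assumed threshold; must exceed the ~14-day replication lag
)

Import-Module ActiveDirectory

# Configured sync interval for lastLogonTimestamp; $null means the 14-day default.
$domainDn = (Get-ADDomain).DistinguishedName
$syncInterval = (Get-ADObject -Identity $domainDn -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
Write-Host "msDS-LogonTimeSyncInterval: $(if ($syncInterval) { $syncInterval } else { 'not set (default 14 days)' })"

# lastLogon lives only on the DC that performed the authentication, so ask every DC.
$dcs = (Get-ADDomainController -Filter *).HostName

# Enabled accounts with the replicated attribute (any DC will do for this one).
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp

# Highest lastLogon FILETIME seen per account across all DCs.
$trueLastLogon = @{}
foreach ($dc in $dcs) {
    try {
        Get-ADUser -Server $dc -Filter 'Enabled -eq $true' -Properties lastLogon |
            ForEach-Object {
                $current = $trueLastLogon[$_.SamAccountName]
                if (-not $current -or $_.lastLogon -gt $current) {
                    $trueLastLogon[$_.SamAccountName] = $_.lastLogon
                }
            }
    } catch {
        # An unreachable DC may hold the most recent logon: report, do not skip silently.
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
    }
}

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$DormantDays)

$report = foreach ($u in $users) {
    $lt = $u.lastLogonTimestamp
    $ll = $trueLastLogon[$u.SamAccountName]
    # Both attributes are FILETIME ticks; 0 or $null means "never" for that attribute.
    $ltDate = if ($lt) { [DateTime]::FromFileTimeUtc($lt) } else { $null }
    $llDate = if ($ll) { [DateTime]::FromFileTimeUtc($ll) } else { $null }
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        LastLogonTimestamp = $ltDate
        TrueLastLogon      = $llDate
        # How far the replicated value trails the true one (up to ~14 days by default).
        LagDays            = if ($ltDate -and $llDate) { [math]::Round(($llDate - $ltDate).TotalDays, 1) } else { $null }
        # Dormancy is judged on the true value; "never logged on" counts as dormant.
        Dormant            = (-not $llDate) -or ($llDate -lt $cutoff)
    }
}

$report | Sort-Object TrueLastLogon | Format-Table -AutoSize
```

Run it from a workstation with RSAT against the domain you are auditing. The LagDays column is the quantity the article warns about: it will often be several days and never (under default settings) much above 14. Accounts flagged Dormant on the true value are the ones worth disabling or investigating; an account whose lastLogonTimestamp is empty but whose TrueLastLogon is recent is normal for a brand-new user and is not a sign of replication trouble.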