Tuesday, May 18, 2010

Active Directory Last Logon

The ability to determine when a specific user last logged on can be helpful for a variety of reasons, such as maintaining security, auditing usage, detecting stale or inactive accounts and generating security reports.

In MS Windows Server based networks, Active Directory is the repository in which domain user accounts are stored, and specific information about when a user last logged on is also stored along with the domain user account.

The only problem is that, as you may know, Active Directory is a replicated system, but for efficiency reasons not all attributes are replicated to all domain controllers, and unfortunately the attribute that stores a user's last logon time is NOT one of the replicated attributes.

Because of this, if we need to determine when a user last logged on, we need to query the value of this attribute on every domain controller in the domain and then take the latest of the values returned.

In addition, we need to take into account the syntax of the attribute and do some arithmetic to convert dates to and from the 64-bit integer value in which it is stored.

All in all, it makes for a complicated and less-than-straightforward method of actually determining when a user last logged on. In addition, if we are trying to find this out for many users, we need to be able to repeat the same steps for every user account of interest.

In this blog post we'll take a look at some ways to accomplish this, so we can easily and correctly determine when a user last logged on with their domain user account.
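As an added illustration (not code from the original post), here is a Python sketch of the two calculations described above: taking the largest last-logon value reported across all domain controllers, and converting that 64-bit integer (a Windows FILETIME) to a date. The per-DC values are constructed sample data standing in for what a query of each domain controller would return; the attribute name lastLogon and the 90-day staleness threshold are assumptions not stated in the post.

```python
from datetime import datetime, timedelta, timezone

# lastLogon is stored as a Windows FILETIME: a 64-bit count of 100-nanosecond
# ticks since 1601-01-01 00:00:00 UTC. A value of 0 means "never logged on here".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (None if never logged on)."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt):
    """Inverse conversion, e.g. to compare a cut-off date against stored values."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def latest_logon(per_dc):
    """per_dc maps each DC's name to the lastLogon value it returned for one user.
    Because lastLogon is not replicated, only the maximum across all DCs is the
    true most recent logon. Returns (dc_name, datetime), or (None, None) if never."""
    best_dc, best_ft = None, 0
    for dc, ft in per_dc.items():
        if ft > best_ft:
            best_dc, best_ft = dc, ft
    return best_dc, filetime_to_datetime(best_ft)


def is_stale(per_dc, now, max_age_days=90):
    """True when the user has not logged on at any DC within max_age_days (assumed threshold)."""
    _, last = latest_logon(per_dc)
    return last is None or now - last > timedelta(days=max_age_days)


# Constructed sample: what three DCs might each report for the same user.
# Each DC only records the logons it authenticated itself.
SAMPLE_USER = {
    "DC1": datetime_to_filetime(datetime(2010, 3, 2, 9, 15, tzinfo=timezone.utc)),
    "DC2": datetime_to_filetime(datetime(2010, 5, 17, 8, 30, tzinfo=timezone.utc)),
    "DC3": 0,  # this DC never authenticated the user
}

if __name__ == "__main__":
    dc, when = latest_logon(SAMPLE_USER)
    print(f"most recent logon: {when:%Y-%m-%d %H:%M} UTC (reported by {dc})")
```

Taking the per-user maximum instead of the value from a single domain controller is the step that is easy to get wrong; a single DC's value can be months behind the user's real last logon.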