Q: How can I find out a user's last logon time in a Windows domain? Where exactly is a user's last logon time stored in Active Directory (AD)?
A: AD stores a user's last logon time in the Last-Logon attribute of the user object. Like the logging of account logon events, the last logon time is updated only in the AD instance of the domain controller (DC) that actually authenticated the user; the attribute is not replicated. That's why you must query every DC in the domain where the user account is defined and take the most recent value to find out a user's true last logon time. You can find a sample Windows PowerShell script to do this in TechNet's Determining a User's Last Logon Time web page.
To look at the Last-Logon attribute on a single DC, you can use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. You need to enable the Advanced Features option from the View menu to show the Attribute Editor tab in the account properties. On this tab, you can scroll to the lastLogon attribute, as Figure 1 shows. (Note that lastLogon is the display name for the Last-Logon attribute.)
Starting with Windows Server 2003, Microsoft included a new AD user object attribute named Last-Logon-TimeStamp that resolves the Last-Logon problem just mentioned to a certain extent. Last-Logon-TimeStamp stores an approximate last logon time for the user that is replicated to the other DCs. The value is approximate because AD updates and replicates the Last-Logon-TimeStamp attribute only once every 14 days by default, to avoid replication overhead. So although Last-Logon-TimeStamp doesn't resolve the Last-Logon problem completely, it at least gives administrators a way to discover inactive or stale accounts that haven't logged on in the last few weeks. The Last-Logon-TimeStamp attribute is populated only when the domain is switched to at least the Server 2003 domain functional level.
The Last-Logon-TimeStamp attribute's replication interval is controlled by the ms-DS-Logon-Time-Sync-Interval attribute. It's an attribute of the domain Naming Context (NC) that controls the granularity (in days) with which the Last-Logon-TimeStamp attribute is updated. The default value is 14 and is set in code, which means that the value doesn't actually show up if you look at this attribute using the MMC ADSI Edit snap-in. The ADSI Edit snap-in will just display "Not Set" in the Value field.
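The following script is an added example and is not the TechNet script mentioned above. It puts the three points together: it asks every DC in the domain for the non-replicated lastLogon value and keeps the most recent one, reads the replicated lastLogonTimestamp from the same queries, and reads ms-DS-Logon-Time-Sync-Interval from the domain NC head (falling back to the in-code default of 14 when the attribute is not set) so the possible lag of lastLogonTimestamp is shown next to the result. It assumes the ActiveDirectory PowerShell module (RSAT) in a domain-joined session; the $SamAccountName and $StaleDays parameters are placeholders you supply.

```powershell
# Added example, not the TechNet script referenced in the answer.
# Assumes the ActiveDirectory module and a domain-joined session.
# $SamAccountName and $StaleDays are caller-supplied placeholders.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $StaleDays = 90
)
Import-Module ActiveDirectory

# lastLogon is not replicated, so every DC in the domain must be asked and the
# highest value kept. lastLogonTimestamp is replicated, so any one DC would do,
# but it is read in the same call for comparison.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        [pscustomobject]@{
            DC                 = $dc.HostName
            # Both attributes are FILETIME values (100-ns ticks since 1601); 0 means never.
            LastLogon          = if ($u.lastLogon)          { [DateTime]::FromFileTime($u.lastLogon) }          else { $null }
            LastLogonTimestamp = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        }
    }
    catch {
        # An unreachable DC leaves a gap in the answer; report it rather than hide it.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# The true last logon is the newest lastLogon seen on any DC.
$latest = ($results | Where-Object LastLogon |
           Sort-Object LastLogon -Descending | Select-Object -First 1).LastLogon

# ms-DS-Logon-Time-Sync-Interval lives on the domain NC head. "Not Set" in ADSI
# Edit corresponds to a null here, which means the in-code default of 14 days.
$domainDn = (Get-ADDomain).DistinguishedName
$sync = (Get-ADObject -Identity $domainDn -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
if (-not $sync) { $sync = 14 }

if ($null -eq $latest) {
    Write-Output "$SamAccountName has no recorded logon on any reachable DC."
}
else {
    $age = (Get-Date) - $latest
    Write-Output ("{0}: newest lastLogon is {1:u} ({2} days ago)." -f $SamAccountName, $latest, [int]$age.TotalDays)
    if ($age.TotalDays -gt $StaleDays) {
        Write-Output "Account is older than the $StaleDays-day threshold and is a candidate for review."
    }
}
Write-Output "lastLogonTimestamp may lag the real last logon by up to $sync days (msDS-LogonTimeSyncInterval)."
```

Run it as `.\Get-LastLogon.ps1 -SamAccountName jdoe -StaleDays 60`. Because a DC that is down or unreachable cannot report its lastLogon value, treat a "no logon recorded" result as provisional until every DC in the domain has answered.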
You can view the value of the Last-Logon-TimeStamp attribute for a given user from the Active Directory Users and Computers snap-in. Again, you need to enable the Advanced Features option from the View menu to show the Attribute Editor tab in the account properties. On this tab, you can then scroll to the lastLogonTimeStamp attribute, which Figure 1 also shows. (Note that lastLogonTimeStamp is the display name for the Last-Logon-TimeStamp attribute.)
Alternatively, you can view the value of the Last-Logon-TimeStamp attribute for a given user from the Active Directory Administrative Center. The last logon timestamp shows up by default in the Summary view of the account, as Figure 2 shows.
It also shows up by default in the detailed view of the account, which Figure 3 shows. To get to the detailed view, you need to double-click the account, then click the More Information button.
You can find more information and sample scripts to query the value of the Last-Logon-TimeStamp attribute of a given user in the Hey, Scripting Guy! blog entry "Dandelions, VCR Clocks, and Last Logon Times: These Are a Few of Our Least Favorite Things."