JSI Tip 7801. Using the lastLogonTimestamp attribute in Windows Server 2003.

The lastLogonTimestamp attribute is replicated to all the domain controllers in a domain running at the Windows Server 2003 domain functional level. It is updated for Kerberos and NTLM interactive logons.

Windows Server 2003 does NOT update the lastLogonTimestamp attribute when you perform:

  • Certificate mapping through Microsoft Internet Information Services (IIS).
  • Username and password authentication through IIS.
  • Microsoft .NET Passport mapping through IIS.
  • All Service-for-User (S4U) authentication paths.

NOTE: The DSQUERY USER DOMAINROOT -inactive weeks command uses the lastLogonTimestamp attribute.
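
The following is an added example, not part of the original tip: it runs a stale-account check directly over exported lastLogonTimestamp values and reports accounts with no value separately, since the logon paths listed above never update the attribute. The account names, the LDIF-style sample and the fixed date are constructed; the attribute value is a count of 100-nanosecond intervals since 1601-01-01 UTC.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is a count of 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export (hypothetical accounts, LDIF-style records).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
lastLogonTimestamp: 133616736000000000

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
lastLogonTimestamp: 133485408000000000

dn: CN=svc-web,CN=Users,DC=example,DC=com
sAMAccountName: svc-web
"""
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed "today" so the result is repeatable

def filetime_to_datetime(value):
    """Return the UTC datetime for a raw attribute value, or None if unset or zero."""
    ticks = int(value or 0)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks > 0 else None

def parse_ldif(text):
    """Split blank-line separated records into dicts of attribute -> value."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        records.append({key: val.strip() for key, sep, val in pairs if sep})
    return records

def inactive_users(records, weeks, now=NOW):
    """List (account, last_logon) pairs older than `weeks`, plus accounts with no value."""
    cutoff = now - timedelta(weeks=weeks)
    stale = []
    for rec in records:
        last = filetime_to_datetime(rec.get("lastLogonTimestamp"))
        # No value does not prove the account is unused: the logon paths
        # that skip the update (IIS, S4U) leave the attribute untouched.
        if last is None or last < cutoff:
            stale.append((rec["sAMAccountName"], last))
    return stale

if __name__ == "__main__":
    for name, last in inactive_users(parse_ldif(SAMPLE_LDIF), weeks=8):
        print(name, last.isoformat() if last else "no lastLogonTimestamp recorded")
```

Review accounts reported with no value before disabling them; a service account that only authenticates through IIS or S4U looks identical to an unused one here.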
