What causes a lastLogonTimestamp attribute update on an expired account?

Hello, I saw this question / issue several times but couldn't find the explanation. Users need to change their password every 30 days (no Fine-Grained Password Policy). I have a user object with a pwdLastSet of 8/4/2014. The lastLogon attribute is set to 10/30/2014 on one DC and empty on all other DCs (normal behavior).

The lastLogonTimestamp attribute however is set to 7/25/2015 (on all DCs) for that user object.

How is this possible, or what can cause an update of the lastLogonTimestamp attribute although the password of the user object is expired? This circumstance breaks our process to identify inactive users.

August 3rd, 2015 12:51pm

Active Directory calculates password expiration by reading the date when a user's password was last changed (using the pwdLastSet attribute) and then reading the password policy (for the domain or AD container, depending on your AD functional level) for the account to determine the maximum password age. These two values are added to determine the password expiration value. It calculates based on the last password reset date and time and then follows the calculation below.

password change date + password policy maximum password age = password expiration date

First become acquainted with the ms-DS-Logon-Time-Sync-Interval attribute. It is an attribute of the domain NC and controls the granularity (in days) with which the lastLogonTimestamp attribute is updated. The default value is 14 and is set in code, meaning that if you look at this attribute in ADSIEDIT.MSC and you see it as "Not Set", don't be alarmed. This just means the system is using the default value of 14.

The lastLogonTimestamp attribute is not updated every time a user or computer logs on to the domain. The decision to update the value is based on the current date minus the value of (the ms-DS-Logon-Time-Sync-Interval attribute minus a random percentage of 5). If the result is equal to or greater than lastLogonTimestamp, the attribute is updated. There are no special considerations for replication of lastLogonTimestamp. If the attribute is updated, it is replicated like any other attribute update. This is not urgent replication.

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

August 3rd, 2015 1:15pm

I am afraid this does not answer my question. pwdLastSet (8/4/2014) + max password (30) = 9/4/2014. LastLogonTimestamp for the user is 7/25/2015!
August 3rd, 2015 1:24pm

Hi,

Can you provide the output of the following command?

Get-Aduser -Filter * -Properties *|select name,SamAccountName,LastLogonDate,Enabled,AccountExpirationDate|export-csv C:\output.csv

Check the details for the user in question and post the output for that user here.

August 3rd, 2015 1:58pm

Please find below (I skipped name and SAMAccountName in the output)

LastLogonDate        Enabled AccountExpirationDate
-------------        ------- ---------------------
7/25/2015 1:26:01 PM    True  

Another guess was that userAccountControl is set to 66048 (Password never expires) for that user object, but it's 512 as it should be. The LastOriginatingChangeTime for the user's userAccountControl attribute is 12/04/2013.

August 3rd, 2015 2:27pm

Hi,

Can you check whether the PASSWD_NOTREQD flag is set in the userAccountControl attribute for this account?

http://blogs.technet.com/b/pfesweplat/archive/2012/12/11/do-you-allow-blank-passwords-in-your-environment.aspx

August 4th, 2015 6:11am

The output of Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" returns only the NETBIOSNAME$ objects of the trusted domains.


August 4th, 2015 6:51am
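An added example, not code from this thread: a small Python model of the two rules discussed above, the lastLogonTimestamp update decision from the first answer (sync interval of 14 days minus a random share of up to 5%) and the userAccountControl flag checks (512, 66048 and the PASSWD_NOTREQD bit 32 that the bitwise LDAP filter tests), applied to an inactive-account check that allows for the lag lastLogonTimestamp can have. The FILETIME helpers, the 90-day inactivity threshold and all sample dates are constructed for illustration; nothing here queries a real domain, so it runs without the AD module.

```python
"""Added example: models the lastLogonTimestamp update rule from the first
answer and the userAccountControl checks raised later in the thread, then
applies both to an inactive-account check. Sample values are constructed
and resemble the ones posted above; nothing here queries a real domain."""
from datetime import datetime, timedelta, timezone
import random

# AD stores pwdLastSet and lastLogonTimestamp as FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer (as read from AD) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# userAccountControl flag bits mentioned in the thread (documented constant values).
UAC_FLAGS = {
    0x0020: "PASSWD_NOTREQD",       # 32
    0x0200: "NORMAL_ACCOUNT",       # 512
    0x10000: "DONT_EXPIRE_PASSWD",  # 65536; 512 | 65536 = 66048 ("password never expires")
}


def uac_flag_names(uac: int) -> list:
    """Names of the known flags set in a userAccountControl value; the same test
    the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 performs server-side."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def password_expires_at(pwd_last_set: datetime, max_pwd_age: timedelta, uac: int):
    """password change date + maximum password age = password expiration date.
    Returns None when DONT_EXPIRE_PASSWD exempts the account from the policy."""
    if uac & 0x10000:
        return None
    return pwd_last_set + max_pwd_age


def should_update_last_logon_timestamp(stored_iso, now_iso, sync_interval_days=14,
                                       random_fraction=None) -> bool:
    """Update rule from the answer above: take the current time minus
    (ms-DS-Logon-Time-Sync-Interval minus a random share of up to 5% of it);
    the attribute is rewritten only if that cut-off is at or after the stored
    value. random_fraction can be fixed for reproducible tests."""
    if random_fraction is None:
        random_fraction = random.uniform(0.0, 0.05)
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=sync_interval_days * (1 - random_fraction))
    if stored_iso is None:          # never stamped: the first logon always writes it
        return True
    return datetime.fromisoformat(stored_iso) <= cutoff


def check_account(pwd_last_set_iso, last_logon_ts_iso, uac, now_iso,
                  max_pwd_age_days=30, inactive_days=90, sync_interval_days=14) -> dict:
    """Summarise one account the way an inactive-user report should: password
    state from pwdLastSet, exemptions from userAccountControl, and an inactivity
    verdict that allows for the lag of up to sync_interval_days in lastLogonTimestamp."""
    now = datetime.fromisoformat(now_iso)
    expires = password_expires_at(datetime.fromisoformat(pwd_last_set_iso),
                                  timedelta(days=max_pwd_age_days), uac)
    last_logon = (datetime.fromisoformat(last_logon_ts_iso)
                  if last_logon_ts_iso else None)
    # The stamp can lag a real logon by up to the sync interval, so widen the window.
    inactive = last_logon is None or (now - last_logon) > timedelta(
        days=inactive_days + sync_interval_days)
    return {
        "uac_flags": uac_flag_names(uac),
        "password_expires_at": expires.isoformat() if expires else None,
        "password_expired": expires is not None and expires <= now,
        "inactive": inactive,
    }


if __name__ == "__main__":
    # Constructed sample resembling the account in the question.
    print(check_account("2014-08-04T00:00:00+00:00", "2015-07-25T13:26:01+00:00",
                        512, "2015-08-03T12:51:00+00:00"))
```

The point the model makes explicit: an expired password and a recent lastLogonTimestamp are independent facts (the stamp is written by a logon event, the expiry is computed from pwdLastSet and policy), and an inactivity report keyed on lastLogonTimestamp has to tolerate up to the full sync interval of lag before it can call an account dormant.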

I'll open a case at MS. Thanks for looking into it.
August 6th, 2015 9:19am

Hi msch01,

How is this issue now? Could you share the solution? Please let us know if there is any progress.

Best Regards,

August 12th, 2015 1:30am

Hello, any updates? It would be good if you could share the resolution.
September 2nd, 2015 12:46am

I don't have the solution / explanation yet. The support case has been deferred. I'll let you know when it's done.
September 2nd, 2015 3:29am
