As said above, it's due to users who have never logged in. It's probably useful to look at whenCreated as well as lastlogontimestamp.

Greetings,

  Is it possible to have a lastlogontimestamp of 01/01/1601 with an account still in use? I'm doing an audit of service accounts and most have 1601 but I think some of them are being used.

Cheers

David Z

The value stored in the lastLogon attribute represents the date and time of the account logon, expressed in 100-nanosecond steps since 12:00 AM, January 1, 1601.

The DS team has a great blog that you should check out

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

"LastLogonTimestamp is updated with the following logon types: Interactive, Network, and Service logons.
However, the attribute isn't updated with EVERY logon. There is another attribute ms-DS-Logon-Time-Sync that controllers how often [in days] the LastLogonTimestamp attribute is update and the attribute is updated and replicated to other DCs.

My Question is - If the logontimestamp is 01/01/1601 then does it mean that the account is definitely not in use? I am referring to service accounts. I see many SQL and Exchange accounts with this timestamp and I cannot believe SQL and Exchange would create these accounts if they are never used for anything.

To put it another way - If you did a search for all accounts and their logon time stamps, would you delete the ones with 01/01/1601 immediately knowing that absolutely no systems or applications could possibly be affected?

• Edited by David Zemdegs 20 hours 56 minutes ago

Hi,

Lastlogontimestamp of account having dates 01/01/1601 is due to they have not logon to any server yet.

This are the logic of using the date by Microsoft.

http://blogs.technet.com/b/heyscriptingguy/archive/2010/01/27/dandelions-vcr-clocks-and-last-logon-times-these-are-a-few-of-our-least-favorite-things.aspx

Hello David,

No you cannot delete those account because those are running as service account or run as batch job. You have to be very much careful for deleting those account.

Thank you. So there is ultimately no way to determine if an account is in use or not?

Hi,

You can run the script to know which date account was created and based on that you need to send the report to respective team who owns the accounts and then decide for deletion or not.

If your query is answer please mark or propose as answer.

No, my questions has not been answered.

Is it possible to have a lastlogontimestamp of 01/01/1601 with an account still in use?

• Edited by David Zemdegs 8 hours 49 minutes ago

Hello,

Example I have service account called Xyz.@testlab.com and this account is service account I am using this account only to start specific exchange service and this account password is never expired set. hence if I run the script to collect the lastlogontimestampi will will received the timestamp as 01/01/1601 which is as per Microsoft logic and algorithm. I will not delete those account because my exchange service required this service account to stop and start the service. If I want to delete such account then I have to be 100% sure that this account is no where using in environment as service or schedule job or run as service account.