What Are Specific Scenarios That Update a Computer's LastLogonTimeStamp

I want to find out what specifically updates the lastlogontimestamp for computers. I have read the other articles that are referenced numerous times, but they do not have the exact answer to these questions (they are wonderful and have lots of information, but not the information I need). In which of these scenarios does the lastlogontimestamp get updated for a computer (given the 14 days minus a random percentage of 5 days has passed and that number is greater than the current lastlogontimestamp):

When a domain computer is restarted and stays connected to the network, does this update the lastlogontimestamp?

From my testing I can confirm that the reboot updates the lastlogon, but I have no idea about lastlogontimestamp.

When a domain computer is logged onto with a domain account by logging on locally?

From my testing this did not update the lastlogon, and I have no idea about lastlogontimestamp.

When a domain computer is logged onto with a domain account by logging on remotely using Windows Remote Desktop Connection?

From my testing this did not update the lastlogon, and I have no idea about lastlogontimestamp.

When a domain computer is logged onto with a local account by logging on locally?

From my testing this did not update the lastlogon, and I have no idea about lastlogontimestamp.

Are there SPECIFIC events that would cause the lastlogontimestamp to be updated? I need to tell our administrators this information so they have an understanding of what Microsoft considers a stale account.

June 7th, 2013 7:14pm

Hi,

Can you please post the error that you get, like the information event ID for the same?

June 7th, 2013 7:55pm

Once the computer authenticates to AD; that includes when the computer boots/starts, as it authenticates with AD, when the current Kerberos ticket expires (10h) (http://msdn.microsoft.com/en-us/library/ff649429.aspx), and when the password for the secure channel is changed.
June 7th, 2013 10:40pm

Hi,

In addition to others, please check this blog:

The LastLogonTimeStamp Attribute What it was designed for and how it works

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

Regards.


June 10th, 2013 10:41am

So what do you mean by authenticate to Active Directory? Are you referring to requesting/renewing Kerberos tickets?

Here is info I was able to get based on the info you provided me:

Network logons are performed by computers when rebooting, requesting or renewing Kerberos tickets, establishing connections to a DC or other computer in system context etc... I hope that helps.

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx?PageIndex=2



Each computer joined to the domain will request a password change after a set number of days. The number of days was 30 in Windows 2000 and XP, and I believe it may still be 30 days. 

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/10fc78d3-9aa8-4f6f-be30-a30fd5b87ec6



At some defined point, by default every 30 days or other specified time frame (reg key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters reg value = MaximumPasswordAge) or when an admin forces a password change (nltest /sc_change_pwd:domain) a computer will attempt to change its domain password.

http://blog.joeware.net/2012/09/12/2590/

June 12th, 2013 8:17am

The LastLogon attribute determines the most recent logon of a user or computer account. This attribute is unique on each domain controller; it is updated only on the DC that validates the logon request and is not replicated to other domain controllers. The LastLogonTimeStamp attribute is replicated, so all DCs have the same value for the attribute. The lastLogonTimeStamp attribute is not updated with all logon types or at every logon; only interactive, network and service logons update the attribute. The lastLogonTimeStamp attribute is not updated every time a user or computer logs on to the domain; when to update the LastLogonTimeStamp depends on the ms-DS-Logon-Time-Sync-Interval attribute, which is an attribute of the domain partition. The default value is 14 days.

The LastLogonTimeStamp is based on the value of the current date minus the value of the ms-DS-Logon-Time-Sync-Interval attribute minus a random percentage of 5. If the result is equal to or greater than LastLogonTimeStamp, the attribute is updated. For example, the value of the ms-DS-Logon-Time-Sync-Interval is 14 days and the user currently logs on to the domain; X equals (14 - (Random percentage of 5)) and Y equals (Current data value of LastLogonTimeStamp); this attribute is updated if X is equal to or smaller than Y, otherwise the attribute is not updated. Therefore, it's expected that the LastLogonTimeStamp will be 9-14 days behind the date the user logs in.

Interactive logon contains remote desktop logon and console logon; users need to press CTRL+ALT+DEL to type their credentials, and the credentials are sent to a domain controller for authentication.

Network logon usually means logon from the network. For example, a user logs in to one workstation and accesses a shared folder on a file server; the file server will treat the folder access process as a network logon, and there is a Security event log 4624 on the file server with logon type 3 (network logon).

Yes, each domain computer changes its machine account password every 30 days (default value); this can be changed via group policy. The pwdlastset attribute on the computer account is updated after the machine account password changes; it's not related to the attribute Lastlogontimestamp at all.

Regards,

Diana

June 14th, 2013 12:48pm
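The update rule described in the reply above, and what it means for stale-computer reports, as an added example that is not part of the original thread. The function names, the `jitter_fraction` parameter (standing in for the DC's random draw) and the sample host names are constructed for illustration; the 14-day interval and the 5-day jitter are the values given in the thread.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SYNC_INTERVAL_DAYS = 14  # default ms-DS-Logon-Time-Sync-Interval (from the thread)
MAX_JITTER_DAYS = 5      # the "random percentage of 5" (from the thread)

def filetime_to_datetime(ft):
    """lastLogonTimestamp is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def dc_would_update(stamp, now, jitter_fraction, interval_days=SYNC_INTERVAL_DAYS):
    """True if a qualifying logon at `now` rewrites the stamp.
    jitter_fraction (0.0-1.0) is an assumed stand-in for the random draw."""
    threshold = timedelta(days=interval_days - MAX_JITTER_DAYS * jitter_fraction)
    return now - stamp >= threshold

def min_days_inactive(stamp, now, interval_days=SYNC_INTERVAL_DAYS):
    """Lower bound on real inactivity: a qualifying logon later than
    stamp + interval would always have rewritten the stamp."""
    return max(0, (now - stamp).days - interval_days)

def find_stale(records, now, inactive_days):
    """records: (name, FILETIME or None). Returns (stale, never_logged_on)."""
    stale, never = {}, []
    for name, ft in records:
        if not ft:                      # attribute unset or 0
            never.append(name)
            continue
        idle = min_days_inactive(filetime_to_datetime(ft), now)
        if idle >= inactive_days:
            stale[name] = idle
    return stale, never

# Constructed sample export: (computer name, lastLogonTimestamp)
NOW = datetime(2013, 6, 20, tzinfo=timezone.utc)
SAMPLE = [
    ("WS-OLD", datetime_to_filetime(NOW - timedelta(days=120))),
    ("WS-EDGE", datetime_to_filetime(NOW - timedelta(days=95))),
    ("WS-ACTIVE", datetime_to_filetime(NOW - timedelta(days=10))),
    ("WS-NEVER", None),
]

if __name__ == "__main__":
    print(find_stale(SAMPLE, NOW, inactive_days=90))
```

With a 90-day policy, WS-EDGE is not reported even though its stamp is 95 days old, because the replicated value can trail the real last logon by up to the sync interval.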

June 19th, 2013 6:24am

When the machine account password changes, the PwdLastSet attribute is modified and its value equals the time that the password is changed. Whether or not the lastlogontimestamp attribute is updated has nothing to do with the PwdLastSet attribute.

Regards,

Diana

June 19th, 2013 10:30am

June 20th, 2013 5:07am

No, changing password does not update the LastLogonTimeStamp attribute, it is changed based on (given 14 - 5 rule) at any time. LastLogon attribute is changed each time the machine authenticates to AD.

Regards,

Diana

June 20th, 2013 1:16pm

To clarify what you are saying, during the password change no machine authentication takes place?
June 21st, 2013 6:12am

Machine authentication takes place when password changes, but the LastLogonTimeStamp attribute is not updated every time machine password changes.

Regards,

Diana

July 4th, 2013 5:57am

This topic is archived. No further replies will be accepted.
