lastlogontimestamp and 1601

Greetings,

  Is it possible to have a lastlogontimestamp of 01/01/1601 with an account still in use? I'm doing an audit of service accounts and most have 1601 but I think some of them are being used.

Cheers

David Z

April 24th, 2015 2:43am

Hi,

A lastlogontimestamp of 01/01/1601 on an account means the account has not logged on to any server yet.

This is Microsoft's logic for using that date.

http://blogs.technet.com/b/heyscriptingguy/archive/2010/01/27/dandelions-vcr-clocks-and-last-logon-times-these-are-a-few-of-our-least-favorite-things.aspx

April 24th, 2015 3:06am

As said above, it's due to users who have never logged in. It's probably useful to look at whenCreated as well as lastlogontimestamp.
April 24th, 2015 4:05am

The value stored in the lastLogon attribute represents the date and time of the account logon, expressed in 100-nanosecond steps since 12:00 AM, January 1, 1601.


The DS team has a great blog that you should check out

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

"LastLogonTimestamp is updated with the following logon types: Interactive, Network, and Service logons.
However, the attribute isn't updated with EVERY logon. There is another attribute, ms-DS-Logon-Time-Sync, that controls how often [in days] the LastLogonTimestamp attribute is updated and replicated to other DCs."

April 24th, 2015 6:45am

My Question is - If the logontimestamp is 01/01/1601 then does it mean that the account is definitely not in use? I am referring to service accounts. I see many SQL and Exchange accounts with this timestamp and I cannot believe SQL and Exchange would create these accounts if they are never used for anything.

To put it another way - If you did a search for all accounts and their logon time stamps, would you delete the ones with 01/01/1601 immediately knowing that absolutely no systems or applications could possibly be affected?

April 24th, 2015 6:49am

Hello David,

No, you cannot delete those accounts, because they are running as service accounts or as batch jobs. You have to be very careful about deleting those accounts.

April 24th, 2015 7:09am

Thank you. So there is ultimately no way to determine if an account is in use or not?
April 24th, 2015 7:10am

Hi,

You can run the script to find out on which date each account was created. Based on that, you need to send the report to the respective team that owns the accounts and then decide whether to delete them or not.

If your query is answered, please mark or propose as answer.

April 24th, 2015 8:46am


No, my question has not been answered.

Is it possible to have a lastlogontimestamp of 01/01/1601 with an account still in use?


April 24th, 2015 6:58pm


Hello,

For example, I have a service account called Xyz.@testlab.com. I am using this account only to start a specific Exchange service, and its password is set to never expire. Hence, if I run the script to collect the lastlogontimestamp, I will receive the timestamp 01/01/1601, which is as per Microsoft's logic and algorithm. I will not delete that account, because my Exchange service requires this service account to stop and start the service. If I want to delete such an account, then I have to be 100% sure that it is not being used anywhere in the environment as a service, a scheduled job or a run-as service account.

April 25th, 2015 1:55am

So the answer is yes.

What arises from this is the next question. Is there any way to determine if an account is not in use (without asking people)?

Also, what is the purpose of an account? I thought it was authentication. If you are authenticated, then wouldn't you update the lastlogontimestamp?

April 25th, 2015 4:39am

Hi,

Without interacting with the users or the respective owners, it is not possible to identify those accounts in Active Directory. I am saying this from my past and current experience. What you can do is use a script to pull a report and send it to the respective team owners to identify those accounts. If that is not possible, then another way is to disable accounts that have not been in use for more than 90 days and keep them disabled for, say, 10 days. If you do not receive any complaint and no service is affected by that, you can delete them on day 11.

 

April 25th, 2015 5:31am

You can also convert the lastlogontimestamp attribute value using Excel; please check the link below.

http://www.windowstricks.in/2011/02/lastlogon-and-lastlogontimestamp.html

Also, the lastlogontimestamp attribute value is not authentic, because the value is updated every 14 days (it is updated whenever the account logs on, and the update is replicated every 14 days), so you won't get the most recent logon data. If the lastlogontimestamp attribute value is more than 15 days old, then we can trust the value.

Regards

Ganesh

www.windowstricks.in

April 25th, 2015 10:43am
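
The triage the replies above describe (the raw value converted from 100-nanosecond ticks since 1601, the 14-day update window, and the 90-day disable / 10-day wait suggestion), as an added example that is not part of any post in this thread. The function name, status labels and sample accounts are hypothetical, and the records are constructed to resemble `Get-ADUser -Properties lastLogonTimestamp,whenCreated` output.

```powershell
# Added example: classify accounts by raw lastLogonTimestamp (hypothetical names).
function Get-LogonAuditStatus {
    param(
        [Parameter(Mandatory)] $Account,
        [datetime] $Now = [datetime]::UtcNow,
        [int] $SyncWindowDays = 14,  # update/replication interval quoted in the thread
        [int] $StaleDays = 90        # disable threshold suggested in the thread
    )
    # An unset attribute comes back as $null; casting $null to int64 yields 0.
    $raw = [int64]($Account.lastLogonTimestamp)
    if ($raw -le 0) {
        # 0 ticks since 1601-01-01 is what tools render as 01/01/1601:
        # no logon recorded, which the thread says is not proof of non-use.
        $last   = $null
        $status = 'NoLogonRecorded'
        $action = 'Ask owner; compare with whenCreated before any change'
    } else {
        $last    = [datetime]::FromFileTimeUtc($raw)
        $ageDays = ($Now - $last).TotalDays
        if ($ageDays -le $SyncWindowDays) {
            $status = 'RecentWithinSyncWindow'
            $action = 'In use; true last logon may be newer than shown'
        } elseif ($ageDays -le $StaleDays) {
            $status = 'Used'
            $action = 'Keep'
        } else {
            $status = 'Stale'
            $action = 'Disable, watch for 10 days, then delete'
        }
    }
    [pscustomobject]@{
        Name = $Account.Name; WhenCreated = $Account.whenCreated
        LastLogonUtc = $last; Status = $status; Action = $action
    }
}

# Constructed sample records (not real accounts), timestamps relative to now.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'svc-sql-example';   whenCreated = $now.AddYears(-3); lastLogonTimestamp = $null }
    [pscustomobject]@{ Name = 'svc-exch-example';  whenCreated = $now.AddYears(-2); lastLogonTimestamp = 0 }
    [pscustomobject]@{ Name = 'svc-batch-example'; whenCreated = $now.AddYears(-1); lastLogonTimestamp = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'svc-old-example';   whenCreated = $now.AddYears(-4); lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc() }
)
$sample | ForEach-Object { Get-LogonAuditStatus -Account $_ -Now $now } | Format-Table -AutoSize
```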

This topic is archived. No further replies will be accepted.
