LDAP authentication how to measure last time/access?

Question

Tuesday, November 4, 2014 6:09 PM

I am familiar with and often use lastLogon and lastLogonTimestamp. However, these values only update when users log in to certain websites or onto a domain PC from the Windows login.

With some applications and web apps, the user types in their ID and password, but it does not update these fields; it performs an authentication check but does not trigger a logon.

Without looking at event logs, are there any other ways to capture this in AD via PowerShell?

Example sites that don't update the lastLogon or lastLogonTimestamp fields:

a. citrix login page

b. webmail/owa

All replies (5)

Thursday, November 6, 2014 7:19 AM ✅ Answered

Hi Jerger,

Based on my research, the applications' and web apps' logon information wouldn't show in AD; the lastLogon and lastLogonTimestamp properties indicate the last time that a user logged on to the system.

The difference between these two properties, please check this article:

lastLogon vs lastLogonTimestamp

If you want to access the web app or website by authenticating with an AD user account, the AD user needs to be authenticated via Kerberos.

So please try to trace the Kerberos authentication on the DC to get the logon information; we can get Kerberos-related event log entries about the TGT and service tickets, like event IDs 4768, 4769, etc. However, the TGT and service ticket needn't be requested every time the AD user logs on; they have an expiration time, so I think it's difficult to trace the accurate time.

For more detailed information about Kerberos Authentication Protocol, please refer to this article:

How the Kerberos Version 5 Authentication Protocol Works

If there is anything else regarding this issue, please feel free to post back.

Best Regards,

Anna Wang

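The accepted answer points at Kerberos events 4768/4769 on the domain controllers, and the question notes that lastLogon and lastLogonTimestamp miss LDAP-authenticated apps. The script below is an added example, not code from the original thread or from Microsoft. It does both halves of the check a practitioner would want: it reads lastLogon from every DC (the attribute is never replicated, so a single query only shows one DC's value) and then pulls the successful 4768, 4769 and 4776 events for the account from each DC's Security log. 4776 is included because an app that validates a user name and password over NTLM never asks the KDC for a ticket, so 4768/4769 alone would miss it. It assumes the RSAT ActiveDirectory module, rights to read the Security log remotely on each DC (Event Log Readers membership and the Remote Event Log Management firewall rule), and placeholder values for the account name and look-back window.

```powershell
<#
  Added example, not from the original thread.
  Assumptions: RSAT ActiveDirectory module installed; the caller can read the
  Security log on every DC remotely; $SamAccountName and $LookbackHours are
  placeholders to change for your environment.
#>
param(
    [string]$SamAccountName = 'jsmith',   # placeholder account
    [int]$LookbackHours     = 24          # placeholder look-back window
)

Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# --- Part 1: AD attributes, queried on every DC -------------------------------
# lastLogon is written only on the DC that handled the authentication and is
# never replicated, so you must ask every DC and keep the newest value.
# lastLogonTimestamp replicates, but is rewritten only when the stored value
# is older than msDS-LogonTimeSyncInterval (default 14 days) minus a random
# 0-5 days, so it answers "active in the last ~2 weeks", not "last logon at".
$attrReport = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon, lastLogonTimestamp
    $ll  = $null; if ($u.lastLogon)          { $ll  = [DateTime]::FromFileTime($u.lastLogon) }
    $llt = $null; if ($u.lastLogonTimestamp) { $llt = [DateTime]::FromFileTime($u.lastLogonTimestamp) }
    [pscustomobject]@{ DC = $dc; LastLogon = $ll; LastLogonTimestamp = $llt }
}
$newestLastLogon = $attrReport | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1

# --- Part 2: authentication events on the DCs ---------------------------------
# 4768 = Kerberos TGT issued (AS-REQ), 4769 = Kerberos service ticket issued
# (TGS-REQ), 4776 = NTLM credential validation by the DC.
# Caveat from the accepted answer: a client that already holds a valid TGT or
# service ticket produces no new 4768/4769, so an absence of events inside the
# window does not prove the user did not use the app.
$since = (Get-Date).AddHours(-$LookbackHours)
$authEvents = foreach ($dc in $dcs) {
    $filter = @{ LogName = 'Security'; Id = 4768, 4769, 4776; StartTime = $since }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4769 reports the principal as user@REALM; strip the realm so all three
        # event types compare against the plain sAMAccountName (-ne is case-insensitive).
        $target = ($data['TargetUserName'] -split '@')[0]
        if ($target -ne $SamAccountName) { return }   # 'return' skips this object in ForEach-Object
        if ($data['Status'] -ne '0x0')   { return }   # keep only successful requests

        $type = switch ($_.Id) {
            4768 { 'Kerberos TGT' }
            4769 { 'Kerberos service ticket' }
            4776 { 'NTLM validation' }
        }
        [pscustomobject]@{
            DC          = $dc
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Type        = $type
            Service     = $data['ServiceName']   # SPN owner for 4769, krbtgt for 4768, absent for 4776
            ClientIp    = $data['IpAddress']     # 4768/4769 only
            Workstation = $data['Workstation']   # 4776 only
        }
    }
}

"lastLogon per DC for $SamAccountName (newest wins):"
$attrReport | Format-Table -AutoSize
if ($newestLastLogon) { "Newest lastLogon: $($newestLastLogon.LastLogon) on $($newestLastLogon.DC)" }

"Successful authentication events for $SamAccountName in the last $LookbackHours h:"
$authEvents | Sort-Object Time -Descending |
    Format-Table Time, DC, Type, Service, ClientIp, Workstation -AutoSize
```

Run it on a management host as an account that can read each DC's Security log. The Service column of a 4769 row names the service principal the ticket was issued for, which is how you tell a Citrix or OWA logon apart from an interactive desktop logon; the ClientIp column on 4768/4769 rows gives the machine that made the request.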

Tuesday, November 4, 2014 6:12 PM

Weird: when I use the "Additional Account Info" plugin, it finds my last logon time when using webmail, but PowerShell does not see it when checking lastLogon and lastLogonTimestamp. The Citrix website is acting the same way.

However, my hosted Citrix application does not update even in the "Additional Account Info" tab that shows "Last Logon" :(

I checked each DC as well:

    # Mixes the Quest ActiveRoles cmdlet (Get-QADUser) with the Microsoft module (Get-ADUser).
    $UserCreated    = (Get-QADUser -IncludeAllProperties -Identity $samaccountname).createTimeStamp
    $UserLastLogon  = (Get-QADUser -Identity $samaccountname).passwordlastset     # holds passwordLastSet, not a logon time
    $UserLastLogon2 = (Get-QADUser -Identity $samaccountname).LastLogon           # not replicated: value belongs to the DC queried
    # Get-ADUser does not return lastLogonTimestamp unless it is requested explicitly.
    $UserLastLogon3 = (Get-ADUser -Identity $samaccountname -Properties lastLogonTimestamp).lastLogonTimestamp


Tuesday, November 4, 2014 6:38 PM

Double-checking code... found that I was writing the wrong variable to the host, but still digging. I'm also connecting to each DC properly now; before, it was repeating through the loop but only checking the first DC.

    # Bind the Quest cmdlets to the DC for this loop iteration so each DC's
    # non-replicated lastLogon is read, instead of the first DC's value every time.
    Connect-QADService -Service $DomainController.Name

    $UserCreated    = (Get-QADUser -IncludeAllProperties -Identity $samaccountname).createTimeStamp
    $UserLastLogon  = (Get-QADUser -Identity $samaccountname).passwordlastset     # holds passwordLastSet, not a logon time
    $UserLastLogon2 = (Get-QADUser -Identity $samaccountname).LastLogon           # per-DC, not replicated
    $UserLastLogon3 = (Get-QADUser -Identity $samaccountname).lastlogontimestamp  # replicated, updated at most every ~14 days


Tuesday, November 4, 2014 9:01 PM

I fixed my code and it now gets me the proper stamps for various websites, so I know it's checking each DC instead of just one over and over.

However LDAP authenticated apps are not triggering the stamp to get updated. They do however authenticate which is odd.


Thursday, November 6, 2014 2:15 PM

I knew that was "it" but wasn't sure how or where to point to quickly. That helps a lot if we need to go that route in the future. Thanks for your feedback.

Funny I read that lastlogon vs lastlogontimestamp post almost weekly for the last couple months. Take care.