difference between lastLogon versus pwdLastSet


Joe Murphy

I'm polling AD for stale computer accounts using secdata.exe
(www.joeware.net) and several systems have a lastLogon date that precedes
pwdLastSet sometimes by several weeks/months.

How can the last time the account's password was reset be later than the
last logon? Don't you need to logon to reset the password? Am I reading this
wrong?

lastLogon
04/23/2004-15:00:25

pwdLastSet
06/04/2004-08:17:16

Thanks,
JM
 
Do you have more than one DC in your domain?

LastLogon is not a replicated attribute, hence the value you're looking at may not be the time the user last logged on.
 
Yes I do.

I was running secdata off of the main domain controller at our site.

Umit AKKUS said:
Do you have more than one DC in your domain?

LastLogon is not a replicated attribute, hence the value you're looking at
may not be the time the user last logged on.
 
Check LastLogonTimeStamp instead. It is replicated.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
lastLogon isn't a replicated attribute.

lastLogonTimeStamp in 2K3 is; however, it is still out by about 10 days unless
you update how frequently it updates AD. Not generally recommended.

pwdLastSet is replicated and up to date within the tolerance of your replication
topology, it is why oldcmp (also on the website) uses that value. You might want
to look at it as it produces a pretty nice report in various formats and can
disable/delete user/computer objects pretty handily.

joe
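
An added example, not written by any poster in this thread and not joeware code: it shows why one DC's lastLogon can precede pwdLastSet, by taking the newest lastLogon across all DCs and basing the stale check on the replicated pwdLastSet. It assumes the raw attribute values have already been read from each DC; the DC names, the DC2 value and the 90-day threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)

def filetime_to_dt(ft):
    """lastLogon and pwdLastSet are 100-ns ticks since 1601-01-01 UTC; 0 = never set."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample values."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def newest_last_logon(per_dc):
    """per_dc maps DC name -> raw lastLogon read from that DC.
    lastLogon is not replicated, so the real value is the maximum over all DCs."""
    seen = {dc: filetime_to_dt(v) for dc, v in per_dc.items() if v}
    if not seen:
        return None, None
    dc = max(seen, key=seen.get)
    return dc, seen[dc]

def is_stale(pwd_last_set, now, max_age_days=90):
    """Staleness from pwdLastSet, which is replicated. The 90-day default is an
    assumption; an account whose password was never set is flagged for review."""
    changed = filetime_to_dt(pwd_last_set)
    return changed is None or now - changed > timedelta(days=max_age_days)

# Values quoted in the thread, treated as UTC (assumption).
PAGE_LAST_LOGON = datetime(2004, 4, 23, 15, 0, 25, tzinfo=UTC)
PAGE_PWD_LAST_SET = datetime(2004, 6, 4, 8, 17, 16, tzinfo=UTC)

# Constructed sample: DC names and the DC2 value are made up for illustration.
SAMPLE_LAST_LOGON = {
    "DC1": dt_to_filetime(PAGE_LAST_LOGON),   # the DC that was polled
    "DC2": dt_to_filetime(datetime(2004, 6, 10, 9, 30, tzinfo=UTC)),
    "DC3": 0,                                  # never authenticated this machine
}
SAMPLE_PWD_LAST_SET = dt_to_filetime(PAGE_PWD_LAST_SET)

if __name__ == "__main__":
    dc, logon = newest_last_logon(SAMPLE_LAST_LOGON)
    print("DC1 only  :", filetime_to_dt(SAMPLE_LAST_LOGON["DC1"]))
    print("all DCs   :", logon, "from", dc)
    print("pwdLastSet:", filetime_to_dt(SAMPLE_PWD_LAST_SET))
    print("stale on 2004-07-01:", is_stale(SAMPLE_PWD_LAST_SET, datetime(2004, 7, 1, tzinfo=UTC)))
```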
 