NNS ADix - How to...Determine the Last Time a User Logged On to the Domain
   

This topic describes how to determine the last logon time of a user account.

Two Active Directory attributes, 'lastLogon' and 'lastLogonTimestamp', and one NNS ADix auxiliary attribute,
'lastDomainLogon', can be used to determine the last time a user logged on to the domain.

Both the 'lastLogon' and the 'lastLogonTimestamp' attribute use the Large Integer (64-bit integer) syntax
to store the logon time. This means that the value is not stored as a date/time but as a large integer:
the number of 100-nanosecond intervals that have elapsed between the starting point 1601-01-01 00:00:00
and the last logon of the user.

Note:
    To convert the large integer representation to a date/time format use the NNS ADix Large Integer to Date
    String Conversion option. See the help topic Export Settings > Attribute Syntax Conversion Tab for more information.

Attribute 'lastLogon':

This attribute contains the last logon time on a specific domain controller. The attribute is not replicated
throughout the domain! So if you want to determine the last time a user logged on to the domain, you have to
query every domain controller in your domain for this attribute.

Attribute 'lastLogonTimestamp':

This attribute is available since Windows 2003. The 'lastLogonTimestamp' attribute keeps track of the last time a
user logged on to the domain, and it is replicated from one domain controller to another.
To minimize replication traffic, the 'lastLogonTimestamp' is replicated only once every 14 days. This means that
the 'lastLogonTimestamp' for any given user could be off by as much as 14 days.

Attribute 'lastDomainLogon':

'lastDomainLogon' is not actually an Active Directory attribute. NNS ADix uses it to determine
the last time a user logged on to the domain. If you use this attribute in an export operation, NNS ADix queries
every available DC for the attribute 'lastLogon' and exports the most recent value as the
'lastDomainLogon' attribute. In addition, the DC with the most recent logon is recorded in the export log file.
If a user never logged on to the domain, the date 1601-01-01 00:00:00 will be exported.

Note:
    You can set a list of DCs which should be excluded when querying for the 'lastLogonDomain'.
    See the help topic Export Settings > Advanced Tab for more information.

Note:
    The attribute 'lastLogonDomain' must be converted from large integer representation to a date/time
    format. Use the NNS ADix Large Integer to Date String Conversion option and add this attribute to the list.
    If this attribute is not added for conversion, the date 1601-01-01 00:00:00 will be exported for every object.
    See the help topic Export Settings > Attribute Syntax Conversion Tab for more information.

Note:
    As the attribute 'lastLogonDomain' is not an Active Directory attribute, you cannot view its value using
    the object property dialogs. You can add this attribute to an attribute file for more convenience when
    selecting attributes for export.

Note:
    The attribute 'lastLogonDomain' is only valid for objects of type user, computer and INetOrgPerson. If the
    attribute is used for objects of other types, an error will be logged.
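
The per-DC aggregation described above, together with the large integer to date conversion, as an added Python example (not NNS ADix code). The DC names and logon values are constructed sample data, the function names are hypothetical, and the values are treated as UTC.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """Convert a large integer (100-ns intervals since 1601-01-01) to a UTC datetime."""
    # 0 or a missing attribute means "never logged on" and maps to 1601-01-01.
    return FILETIME_EPOCH + timedelta(microseconds=(value or 0) // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample values."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def last_domain_logon(last_logon_by_dc, excluded=()):
    """Return (dc, datetime) for the most recent 'lastLogon' across all queried DCs."""
    skip = {name.lower() for name in excluded}
    best_dc, best = None, 0
    for dc, raw in last_logon_by_dc.items():
        # Skip excluded DCs and DCs the user never authenticated against.
        if dc.lower() in skip or not raw:
            continue
        if raw > best:
            best_dc, best = dc, raw
    return best_dc, filetime_to_datetime(best)

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample: the non-replicated 'lastLogon' value as read from each DC.
SAMPLE = {
    "dc01.example.test": datetime_to_filetime(utc(2008, 5, 20, 8, 0)),
    "dc02.example.test": datetime_to_filetime(utc(2008, 6, 10, 12, 30)),
    "dc03.example.test": 0,  # user never logged on via this DC
}
# Constructed replicated 'lastLogonTimestamp' for the same user.
SAMPLE_TIMESTAMP = datetime_to_filetime(utc(2008, 6, 1))

if __name__ == "__main__":
    dc, when = last_domain_logon(SAMPLE)
    print("most recent logon:", when.isoformat(), "on", dc)
    print("lastLogonTimestamp lag:", when - filetime_to_datetime(SAMPLE_TIMESTAMP))
    print("with dc02 excluded:", last_domain_logon(SAMPLE, excluded=["dc02.example.test"]))
    print("never logged on:", last_domain_logon({}))
```
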

 

Copyright © 2008 by NNS - Nigl Network Solutions