Last Logon report in Netwrix Enterprise Auditor

Hi - I had found a PowerShell script that pulls the Last Logon attribute for all user objects against all domain controllers. It then compares and finds the newest logon and generates a csv. Is there a way to get Auditor to do something similar and email the output? The LastLogonTimeStamp is not accurate enough for our stale user reporting. I am not savvy with SQL, but I am guessing something can be done there.

The goal is to generate a more accurate stale account report. The LastLogonTimeStamp is nowhere near accurate to what we need to ensure we are seeing truly inactive accounts.

Thanks

1 Like

Just would like to mention that the script should do a little more. The LastLogon per DC may result in not having any logon date, because it is not replicated and objects may have logged onto a DC that is no longer available. Therefore it should take the newest date from LastLogonTimestamp as well if it is newer. But there are cases when these dates are increased without a real logon 😅 as described here: How LastLogonTimeStamp is Updated with Kerberos S4u2Self | Microsoft Community Hub
I would recommend checking logon event logs (4624 Success/4625 Failure) and focusing on logon types that are interesting for you.

Hi there,

I’d also echo Andreas’ excellent point about S4U2Self potentially updating lastLogonTimeStamp without a real user logon. The good news is that those events can be collected and correlated directly with NAA for AD Activity or Netwrix Threat Prevention, giving you clearer visibility into actual logons versus service-driven updates.


With that said, to address your question directly:

  • lastLogon: Accurate, but not replicated across DCs (must be queried from all DCs and compared).

  • lastLogonTimeStamp: Replicated across DCs, but only updated if the existing value is older than the sync interval (default ~14 days, configurable via msDS-LogonTimeSyncInterval). This design reduces replication traffic but means the attribute may lag behind the most recent logon.

If you’re seeing gaps, one option is to decrease the sync interval so the replicated timestamps are updated more frequently. This can strike a better balance between replication traffic and reporting accuracy.


Alternative Approach with Netwrix Access Analyzer (NAA)

If you’d prefer to leverage your PowerShell script directly within NAA:

  1. Within NAA, create a new Job.

  2. Inside the Job “Queries,” create a new PowerShell query.

  3. Insert a modified version of your script that updates the SA_ADInventory_Users.LastLogonTimeStamp column. This will allow you to take advantage of built-in reports focused on lastLogonTimeStamp.

  4. Alternatively, you can create your own table and build custom reports.

To learn more, check out the CDSA job (Add Instant Job → CDSA). The PowerShell in that job contains a function called Invoke-SQL, which will help you integrate your PowerShell with the NAA database.

At that point, you can use your favorite AI assistant to help you construct the SQL needed to:

  • Update the SA_ADInventory_Users.LastLogonTimeStamp column, or

  • Create your own table (note: all tables should start with SA_ in order to be recognized by NAA reports).

From there, it’s straightforward to schedule e-mail delivery of the stale account reports to the appropriate teams.

Good luck!

3 Likes
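As an added example (not a script from this thread, and not Netwrix code), the following PowerShell shows the comparison described above: it reads the non-replicated lastLogon from every reachable DC, takes the newer of that and the replicated lastLogonTimestamp per user, and writes the accounts past a threshold to a CSV. It assumes the ActiveDirectory RSAT module, read access to user objects on all DCs, and the stale threshold and output path given in the variables at the top.

```powershell
# Added example: newest logon per user across all DCs, combining lastLogon
# (accurate, not replicated) with lastLogonTimestamp (replicated, may lag).
Import-Module ActiveDirectory

$StaleDays  = 90                       # assumption: inactivity threshold for the report
$OutputPath = '.\StaleAccounts.csv'    # assumption: where the report is written
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# Both attributes are stored as Windows FILETIME (100 ns ticks since 1601-01-01).
function ConvertFrom-FileTime {
    param([AllowNull()][Int64]$Value)
    if (-not $Value) { return $null }  # 0 or missing means no logon recorded here
    return [DateTime]::FromFileTime($Value)
}

$newest = @{}  # SamAccountName -> record holding the newest logon seen so far

foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $users = Get-ADUser -Server $dc.HostName -Filter * -Properties lastLogon, lastLogonTimestamp
    } catch {
        # An unreachable DC means its copy of lastLogon is unavailable; the
        # replicated lastLogonTimestamp from the other DCs still covers the user.
        Write-Warning "Skipping $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        # Newer of this DC's lastLogon and the replicated lastLogonTimestamp (nulls dropped).
        $best = @((ConvertFrom-FileTime $u.lastLogon), (ConvertFrom-FileTime $u.lastLogonTimestamp)) |
            Where-Object { $null -ne $_ } | Sort-Object -Descending | Select-Object -First 1
        $current = $newest[$u.SamAccountName]
        if ($null -eq $current -or
            ($null -ne $best -and ($null -eq $current.LastLogon -or $best -gt $current.LastLogon))) {
            $newest[$u.SamAccountName] = [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogon      = $best        # $null = never logged on anywhere we could see
                SourceDC       = $dc.HostName
            }
        }
    }
}

# Accounts with no recorded logon at all are included, since they are stale by definition.
$newest.Values |
    Where-Object { $null -eq $_.LastLogon -or $_.LastLogon -lt $Cutoff } |
    Sort-Object LastLogon |
    Export-Csv -Path $OutputPath -NoTypeInformation
```

The LastLogon column of the resulting rows is the value you would write into SA_ADInventory_Users.LastLogonTimeStamp (or your own SA_ table) from an NAA PowerShell query, so the built-in stale-account reports and their scheduled e-mail delivery pick it up.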

I appreciate the input. The PowerShell script I have does reach out to our domain controllers for all accounts and does a compare - then reports on the newest LastLogon date. It’s pretty slick but takes about 15 minutes to run.

You have both given me good info to consider. Thanks for taking the time to share your thoughts.

1 Like