I'm trying to find out the origin of most recent "username" login. User's "LastLogonTimestamp" AD attribute equals to "131181645775731489". ADUC console shows it as 9/12/2016 4:36:17 PM Romance Daylight Time.
The funny thing is that if I get LastLogonDate and LastLogon user's attribute on each DC in the domain, I don't see 9/12/2016 anywhere. See the output.
Server LastLogonDate LastLogonTimestamp LastLogon
DC03 02/18/16 [09/12/16] 02/18/16
DC04 01/01/01 [09/12/16] 01/01/01
DC05 01/01/01 [09/12/16] 01/01/01
DC14 01/01/01 [09/12/16] 01/01/01
There were no DC demotions recently. I have also parsed security logs on all domain controllers from the 09/12/2016 date and found no traces of "Username" logged in. Auditing is enabled and I can see other users login events. "Username" is the service account. Any ideas how can I find where it is used?
UPDATE
All domain controllers are Windows Server 2012 R2. Domain functional level is also Windows Server 2012 R2.
Best Answer
What OS version are you domain controllers, and what is the Domain Function Level of the domain?
An interactive GUI logon should update both logon time fields, but if the service account is only making LDAP queries, those will update
lastLogonTimestamp
but notlastLogon
. See https://support.microsoft.com/en-us/kb/939899Article says this can be corrected by raising DFL to 2003 mode.