Microsoft KB Archive/828266

= The lastLogonTimestamp attribute in Windows Server 2003 =

PSS ID Number: 828266

Article Last Modified on 2/25/2004

-

The information in this article applies to:

 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, Web Edition

-

INTRODUCTION
In Microsoft Windows Server 2003, you can use the lastLogonTimestamp attribute in Microsoft Active Directory directory service to determine the most recent domain logon for a user or for a computer. But in some cases, Windows Server 2003 does not update the lastLogonTimestamp attribute.

The lastLogonTimestamp attribute in Windows Server 2003
You can use the lastLogonTimestamp attribute to help identify unused computer and user accounts. The lastLogonTimestamp attribute is replicated to all the domain controllers in a domain. Therefore, a single query against any domain controller finds all the users or all the computers that have not logged on within a certain period. To use this functionality, your Windows Server 2003 domain must be at the Windows Server 2003 domain functionality level.

The lastLogonTimestamp attribute is not a reliable indicator in all cases, because Windows Server 2003 does not update it for every kind of logon. Currently, only Kerberos and NTLM interactive logons update the lastLogonTimestamp attribute. Microsoft recommends that you use this attribute only when you are sure that all the domain users regularly use Kerberos authentication.
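As an added example (not part of the original article), the following Python builds the single stale-account query described above and interprets the values it returns. It assumes lastLogonTimestamp is read as a raw Large Integer, which Active Directory stores as a FILETIME count of 100-nanosecond intervals since 1601-01-01 UTC, and it uses constructed sample entries rather than output from a real directory. A stale or missing value only means that no Kerberos or NTLM interactive logon has been recorded; an account that authenticates solely through the IIS or S4U paths listed below would appear stale here as well.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores lastLogonTimestamp as a Large Integer: the number of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC (Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks using integer arithmetic (no float drift)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """Inverse conversion; ticks finer than one microsecond are dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def build_stale_filter(cutoff: datetime, object_class: str = "user") -> str:
    """LDAP filter for accounts whose lastLogonTimestamp is at or before the cutoff.

    An account with no lastLogonTimestamp at all (nothing recorded since the domain
    reached the Windows Server 2003 functional level) does not match a <= comparison,
    so it is included explicitly with (!(lastLogonTimestamp=*)).
    """
    category = "computer" if object_class == "computer" else "person"
    return (
        f"(&(objectCategory={category})(objectClass={object_class})"
        f"(|(lastLogonTimestamp<={datetime_to_filetime(cutoff)})"
        f"(!(lastLogonTimestamp=*))))"
    )


def classify_accounts(entries, cutoff: datetime) -> dict:
    """Sort directory entries into active / stale / never_recorded by lastLogonTimestamp.

    `entries` is a list of dicts with 'sAMAccountName' and an int 'lastLogonTimestamp'
    (None when the attribute is absent), the shape a directory search would return.
    """
    cutoff_ticks = datetime_to_filetime(cutoff)
    result = {"active": [], "stale": [], "never_recorded": []}
    for entry in entries:
        ticks = entry.get("lastLogonTimestamp")
        if ticks is None:
            result["never_recorded"].append(entry["sAMAccountName"])
        elif ticks <= cutoff_ticks:
            result["stale"].append(entry["sAMAccountName"])
        else:
            result["active"].append(entry["sAMAccountName"])
    return result


# Constructed sample data (not from any real directory): the cutoff is 90 days
# before the article's last-modified date.
CUTOFF = datetime(2004, 2, 25, tzinfo=timezone.utc) - timedelta(days=90)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2004, 2, 20, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2003, 10, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc-web", "lastLogonTimestamp": None},
]

if __name__ == "__main__":
    print(build_stale_filter(CUTOFF))
    print(build_stale_filter(CUTOFF, object_class="computer"))
    print(classify_accounts(SAMPLE_ENTRIES, CUTOFF))
```

The filter string is what you would pass to a directory search tool; the classification step is the same comparison applied client-side to returned entries, which is useful when you want to report the accounts that have no value at all separately from those with an old one.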

Windows Server 2003 does not update the lastLogonTimestamp attribute in the following cases:
 * Certificate mapping through Microsoft Internet Information Services (IIS).
 * Username and password authentication through IIS.
 * Microsoft .NET Passport mapping through IIS.
 * All Service-for-User (S4U) authentication paths.

Certificate mapping through IIS
If you use certificate mapping on your IIS Web server, every time that you log on with a client certificate through IIS, the Web server automatically associates your client certificate with your Windows user account. Therefore, you can authenticate automatically without using Basic, Digest, or Windows Integrated authentication. When you use certificate mapping through IIS to log on, Windows Server 2003 does not update the lastLogonTimestamp attribute.

Username and password authentication through IIS
When you log on with a username and password to an IIS Web site that uses Basic, Digest, or Windows Integrated authentication, Windows Server 2003 does not update the lastLogonTimestamp attribute.

.NET Passport mapping through IIS
In IIS 6.0, you can use .NET Passport authentication to authenticate users on IIS-based Web services and Web sites. .NET Passport authentication maps authentication requests against .NET Passport accounts. If you use .NET Passport authentication to authenticate to a Web site, Windows Server 2003 does not update the lastLogonTimestamp attribute.

S4U authentication paths
S4U extensions are extensions to Kerberos that permit developers to use group-based authorization to program against the Windows built-in security model. The S4U solution permits a server to run Kerberos authentication to obtain a logon for the client without providing the client's credentials. In this case, the client is not really authenticated. Instead, the group security identifiers (SIDs) for the client are collected. When you use S4U authentication paths, Windows Server 2003 does not update the lastLogonTimestamp attribute. For additional information about S4U authentication, visit the following Microsoft Web site:

http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/

Keywords: kbwinservds kbActiveDirectory kbinfo KB828266

Technology: kbWinServ2003Data kbWinServ2003DataSearch kbWinServ2003Ent kbWinServ2003EntSearch kbWinServ2003Search kbWinServ2003St kbWinServ2003Web

-

© 2004 Microsoft Corporation. All rights reserved.