Making sense out of ‘LastLogon’ user attribute in Active Directory

by Shijaz Abdulla on 24.06.2007 at 10:19

So you opened ADSIEDIT and checked the LastLogon attribute for a user, expecting a decently formatted date and time – and instead – found something like this: 128271382742968750.

This is the Windows NT time format. Before you jump out of your chair, lets find out what this actually is. Believe it or not, the lastLogon attribute is stored as the number of 100-nanosecond intervals that have elapsed since the 0 hour on January 1, 1601! (Umm.. no, I don’t know why!)

So how do we convert the LastLogon value to human-years? You don’t need to pull your hair out, you can use this command:

w32tm /ntte [time in NT format]
For instance, if we want to convert 128271382742968750:

To add a twist in the tale, notice that the date/time in NT Time Format is stored in GMT time. Since I am in the GMT +3:00 timezone, w32tm first listed the original value and added +3:00 to it to give me the output in my local time.

Another twist: Active Directory does NOT replicate the LastLogon attribute across domain controllers. So in order to get an accurate value, you need to obtain the LastLogon value for the same user from all your domain controllers and accept the value that is highest. 🙂