Hello,
I'm trying to find out - precisely - when a user authenticated.
I know "lastlogondate" | lastlogontimestamp is replicated but can be up to 14 days out of date; hence I need to query "lastlogon" on every domain controller.
I can and have done this; so far, so good.
Some users have the "lastlogondate" attribute, but "lastlogon" attribute is not set, or is 0.
How can this be?
If the user account is old, and it was authenticated [only] by a domain controller that has since been retired, then only that domain controller would have had that "lastlogon" attribute populated; all other domain controllers would only have lastlogondate.
I can accept this.
HOWEVER, I am seeing the "lastlogon" attribute unset, or "0", but the "lastlogondate" is recent (within a few days), but domain controllers have not been withdrawn in that period.
I can't explain this. Any ideas? I'm talking about a significant number - hundreds of users.
Thanks in advance.
Kind regards,
Anwar