I'm working on collecting user logon data for audit and governance purposes. We want to disable accounts after a certain amount of inactivity. Previously we had been using LastLogonDate but I know that date is fuzzy and also can change even when a user doesn't log in (such as when the account has permissions to a file share and those permissions are enumerated by someone else). Due to that, I decided that I would hit each Domain Controller and grab the LastLogon attribute which I understood would be accurate. An example of which is below.
# lastLogon is stored as a Windows FILETIME (64-bit integer), so it has to be converted to a DateTime
$LastLogon = (Get-ADUser User1 -Server DomainController1 -Properties lastLogon | Select-Object @{Name="lastLogon";Expression={[datetime]::FromFileTime($_.'lastLogon')}}).lastLogon
The problem that I've found is even though I've hit all the DCs, the newest LastLogon date I have for an account is 7/27/19 but if I check the LastLogonDate (Get-ADUser User1 -Properties LastLogonDate) then I get a date of 2/20/20.
I know this is an active account so I want to understand why the LastLogon attribute is incorrect. Since the account in question is a service account used for a network monitoring tool, I'm positing that only certain types of logons change the LastLogon but I don't know for certain and am hoping someone can explain how that date change is triggered.
Thanks in advance!
WB
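An added example, not the poster's code, of the per-DC collection described in the question carried through to the end: it queries every domain controller for the non-replicated lastLogon value, records DCs it could not reach (a gap there means the true newest value may be missing), takes the newest value it did find, and combines that with the replicated LastLogonDate to get a single "last seen" estimate for inactivity decisions. It assumes the ActiveDirectory module is installed, that the account running it can read user objects on each DC, and that the sAMAccountName (User1) and the 90-day threshold are placeholders to adjust.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a hypothetical account name; adjust $SamAccountName and $InactiveDays.
Import-Module ActiveDirectory

function ConvertFrom-FileTimeOrNull {
    param([AllowNull()] $Value)
    # lastLogon is 0 or absent on a DC the account has never authenticated against
    if (-not $Value -or [int64]$Value -eq 0) { return $null }
    return [datetime]::FromFileTime([int64]$Value)
}

function Get-EffectiveLastLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $InactiveDays = 90
    )

    # lastLogon is not replicated, so every DC has to be asked individually
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
            [pscustomobject]@{
                DC        = $dc.HostName
                LastLogon = ConvertFrom-FileTimeOrNull $u.lastLogon
                Error     = $null
            }
        } catch {
            # Record an unreachable DC instead of silently skipping it: its value could be the newest one
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; Error = $_.Exception.Message }
        }
    }

    # Newest non-null per-DC value
    $newest = $perDc | Where-Object LastLogon | Sort-Object LastLogon -Descending |
              Select-Object -First 1 -ExpandProperty LastLogon

    # LastLogonDate is the replicated lastLogonTimestamp rendered as a date; it is refreshed only
    # when the stored value is older than its update interval, so treat it as a floor, not an exact time
    $replicated = (Get-ADUser -Identity $SamAccountName -Properties LastLogonDate).LastLogonDate

    # The later of the two is the best available "last seen" estimate
    $effective = @($newest, $replicated) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $isInactive = if ($effective) { $effective -lt (Get-Date).AddDays(-$InactiveDays) } else { $true }

    [pscustomobject]@{
        Account           = $SamAccountName
        NewestLastLogon   = $newest
        LastLogonDate     = $replicated
        EffectiveLastSeen = $effective
        UnreachableDCs    = @($perDc | Where-Object Error).Count
        InactiveCandidate = $isInactive
        PerDC             = $perDc
    }
}

# Usage: show the per-DC breakdown, then the summary
$r = Get-EffectiveLastLogon -SamAccountName 'User1' -InactiveDays 90
$r.PerDC | Sort-Object LastLogon -Descending | Format-Table DC, LastLogon, Error -AutoSize
$r | Select-Object Account, NewestLastLogon, LastLogonDate, EffectiveLastSeen, UnreachableDCs, InactiveCandidate
```

Before disabling anything on the strength of this output, check UnreachableDCs is 0; a DC that was down during the sweep can hold a newer lastLogon than any value collected, which is exactly the kind of gap that produces a false "inactive" result for an account that is still in use.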