What makes lastLogon attribute update in AD


I have an Active Directory query for you folks

Been working at a company as a sys admin for a while now. We have 6 DMCs (2 Azure hosted, and then 2 for each of our two sites, one physical and one backup).

We have had an issue in recent months with administrator privilege abuse, so we have created a separate admin account for every domain user in a new organisational unit. These admin accounts now have local admin access to their workstations, and their regular domain accounts do not, so we can better monitor the sign-ins of those who are regularly signing in and those who are not.

I created several PowerShell scripts to collect the lastLogon attribute from each of the 6 DMCs, as that’s a non-replicated value and unique to each DMC. But now, and this is what has confused me, it doesn’t seem to be an accurate measure of when the admin accounts are actually signed in, for instance when cmd is run as administrator, or when software is installed.

I have run multiple tests with my admin account on this, and what has struck me as bizarre is that the badPwdCount attribute will update on the DMC when I enter the password incorrectly while running cmd as administrator, but when I sign in correctly, the lastLogon attribute does not update on any of the DMCs. This got me thinking, and actually questioning my understanding, of what counts towards a lastLogon. It’s any domain-authenticated login, which running cmd as administrator does: it authenticates the admin account of the user. It has to do this, otherwise the badPwdCount attribute wouldn’t increase. It also cannot be a time delay or sync issue, as again the badPwdCount updates instantly.

It seems the only sign-ins that I can confirm register on this attribute are when the workstation itself is unlocked, or when the user remotes to another machine.

This has caused us all a lot of head scratching, as it has somewhat defeated the purpose of creating these second admin accounts: we can’t properly monitor the sign-ins. It was already a begrudgingly accepted addition, so we don’t want to admit that we’re now having issues with it.

Any help with this would be fantastic.

TL;DR: the lastLogon attribute in AD is not updating on any of the DMCs when logging in with a second admin user account to run cmd as admin, yet the badPwdCount attribute updates if the password is entered incorrectly.


lastLogon is set whenever a new logon session is initiated. One reason lastLogon is not updated might be that the admin user still has a valid Kerberos TGT/TGS on the machine. You can check that, e.g., by issuing the command:

klist sessions

from the command line. Try purging all tickets:

klist purge -lh 0 -li 3e7
klist purge -lh 0 -li 3e5
klist purge -lh 0 -li 3e4

and then connect again with an admin account and check whether lastLogon is updated on the respective domain controller.
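The question mentions scripts that collect lastLogon from every DC, and the answer suggests re-testing after purging tickets. The following is an added example (not the asker's scripts and not the answerer's code) of how such a collector can be written so that the re-test is easy to read: it queries each domain controller for the non-replicated lastLogon and badPwdCount of every account in one OU, converts the FILETIME values to dates, and reports the newest lastLogon alongside the replicated lastLogonTimestamp. It assumes the RSAT ActiveDirectory module is available and that the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example, not code from the original post or answer.
# Assumes the RSAT ActiveDirectory module; the OU below is a hypothetical placeholder.
Import-Module ActiveDirectory

$AdminOU = 'OU=Admin Accounts,DC=example,DC=com'   # hypothetical: replace with your admin-account OU

# lastLogon (and badPwdCount) are not replicated, so every DC has to be asked individually.
$DCs = (Get-ADDomainController -Filter *).HostName

# lastLogonTimestamp does replicate, but is only refreshed when it is about 14 days stale,
# so it is shown for comparison rather than used as the "real" last sign-in.
$Users = Get-ADUser -SearchBase $AdminOU -Filter * -Properties lastLogonTimestamp

$Results = foreach ($u in $Users) {
    $perDc = foreach ($dc in $DCs) {
        try {
            # -Server pins the read to one DC; without it the values come from whichever DC answers.
            $x = Get-ADUser -Identity $u.DistinguishedName -Server $dc `
                            -Properties lastLogon, badPwdCount -ErrorAction Stop
            [pscustomobject]@{
                DC          = $dc
                # lastLogon is an int64 FILETIME; 0 means the DC has never authenticated the account.
                LastLogon   = if ($x.lastLogon) { [DateTime]::FromFileTime($x.lastLogon) } else { $null }
                BadPwdCount = $x.badPwdCount
            }
        }
        catch {
            Write-Warning "Could not query $dc for $($u.SamAccountName): $_"
        }
    }

    # The DC with the newest lastLogon is the one that most recently authenticated the account.
    $newest = $perDc | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1

    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        NewestLastLogon    = $newest.LastLogon
        AuthenticatingDC   = $newest.DC
        LastLogonTimestamp = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        MaxBadPwdCount     = ($perDc | Measure-Object BadPwdCount -Maximum).Maximum
        DCsQueried         = @($perDc).Count
    }
}

$Results | Sort-Object NewestLastLogon -Descending | Format-Table -AutoSize
```

Run it once, purge the tickets as described in the answer, run the "cmd as administrator" test again, and run the script a second time: if NewestLastLogon moves while MaxBadPwdCount stays at zero, the earlier runs were being satisfied from cached Kerberos tickets rather than a fresh authentication to a DC. The DCsQueried column makes an unreachable DC visible, since a missing DC would silently hide the most recent logon.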