Sccm last logon user name not updating Chat rooms for clean socialising
So if a user logs on interactively, browses a network share, access the email server, runs an LDAP query etc…
the last Logontime Stamp attribute will updated if the right condition is met.
See this blog post by Eric Fitzgerald for more info.
(I think he knows something about auditing) IMO your best bet for near real-time data is to use an event log collection service to gather all domain controller security event logs to a centralized database.
Microsoft’s solution for security event log collection is Audit Collection Services. How it worked in Windows 2000 Prior to Windows Server 2003 administrators had to query the last Logon attribute to determine the most recent logon of user or computer account.
It is updated only on the validating DC and is not replicated.
How it works in Windows Server 2003 and later In contrast the last Logontime Stamp attribute is replicated so all DC’s have the same value for the attribute (after replication convergence).
In Windows Server 2003 we introduced the last Logontime Stamp attribute.
Administrators can use the last Logontime Stamp attribute to determine if a user or computer account has recently logged onto the domain.
It is an attribute of the domain NC and controls the granularity (in days) with which the last Logontime Stamp attribute is updated. Meaning that if you look at this attribute in ADSIEDIT. This just means the system is using the default value of 14.