| 1 | +--- |
| 2 | +title: Accounts Have the LastLogonTimestamp Value Set to Future |
| 3 | +description: Helps resolve an issue in which user or computer accounts have the lastLogonTimestamp value set to a future time. |
| 4 | +ms.date: 03/11/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika, herbertm, v-lianna |
| 9 | +ms.custom: |
| 10 | +- sap:active directory\user,computer,group,and object management |
| 11 | +- pcy:WinComm Directory Services |
| 12 | +--- |
| 13 | +# User or computer accounts have the lastLogonTimestamp value set to a future time |
| 14 | + |
| 15 | +This article helps resolve an issue in which user or computer accounts have the lastLogonTimestamp value set to a future time. |
| 16 | + |
| 17 | +You have an Active Directory (AD) domain and use AD queries to look for unused accounts. You query attributes like `pwdLastSet` and `lastLogonTimestamp` to determine which accounts are no longer used. |
| 18 | + |
| 19 | +Although using `lastLogonTimestamp` has its limitations due to Kerberos S4U updating the attribute, you notice that some actively used accounts have the `lastLogonTimestamp` value set to a future time. |
| 20 | + |
| 21 | +## Incorrect time on the local DC |
| 22 | + |
| 23 | +A domain controller (DC) might run with its system time set in the future. In this situation, if a user authenticates with the DC, the DC compares its local time with the time stored in the user account. Then, the DC updates the `lastLogonTimestamp` value as its current time is much more recent. |
| 24 | + |
| 25 | +The time on the DC might be incorrect due to a time synchronization issue with the virtual machine (VM) host, the Network Time Protocol (NTP) infrastructure, or [Secure Time Seeding (STS)](https://techcommunity.microsoft.com/blog/askds/secure-time-seeding-on-dcs-a-note-from-the-field/4238810). The DC might also revert to the correct time quickly, so you might not catch the problem in your reporting. |
| 26 | + |
| 27 | +As NTP prevents large time offsets between DCs from being distributed across the domain, incorrect timestamps might be kept local to a single DC. However, domain members follow their local DC's time, even when the DC detects a time skew during Kerberos requests. This is why Kerberos transactions still work in this situation. |
| 28 | + |
| 29 | +## Use the fixupObjectState attribute with LDIFDE to repair the object |
| 30 | + |
| 31 | +For previous versions of Windows, the approaches to resolve the issue are to: |
| 32 | + |
| 33 | +- Wait until the actual time surpasses the `lastLogonTimestamp` value of the user. |
| 34 | +- Ignore the `lastLogonTimestamp` value and use other metrics to identify orphaned accounts. |
| 35 | +- Delete the affected accounts and create new ones. |
| 36 | + |
| 37 | +In Windows Server 2025, there's a new facility to repair broken objects as specified in [[MS-ADTS]: fixupObjectState](/openspecs/windows_protocols/ms-adts/37294765-9e7d-41a1-aded-2d6f744eee8c). |
| 38 | + |
| 39 | +> [!NOTE] |
| 40 | +> There's functionality to correct missing `sAMAccountType` and `objectCategory` attributes. For more information, see [Can't edit or delete an AD object and receive the error "attribute is owned by the Security Accounts Manager (SAM)" or "The specified account does not exist"](cannot-edit-delete-ad-object-error-sam.md). |
| 41 | +
|
| 42 | +### Step 1: Identify the object name and globally unique identifier (GUID) |
| 43 | + |
| 44 | +For example: |
| 45 | + |
| 46 | +- Distinguished name (DN): `cn=brokenuser,ou=bad-users,dc=contoso,dc=com` |
| 47 | +- GUID: `cf2b4aca-0e67-47d9-98aa-30a5fe30dc36` |
| 48 | + |
| 49 | +### Step 2: Prepare an LDIFDE import file using the DN string or GUID-based syntax |
| 50 | + |
| 51 | +- Use the DN string: |
| 52 | + |
| 53 | + ```output |
| 54 | + DN: |
| 55 | + Changetype:modify |
| 56 | + add: fixupObjectState |
| 57 | + fixupObjectState: cn=brokenuser,ou=bad-users,dc=contoso,dc=com:LastLogonTimestamp |
| 58 | + - |
| 59 | + ``` |
| 60 | +
|
| 61 | + > [!NOTE] |
| 62 | + > The line with only a hyphen (`-`) and the empty line are required for a well-formed LDIFDE import file. |
| 63 | +
|
| 64 | +- Use the GUID-based syntax: |
| 65 | +
|
| 66 | + If your object name contains special characters, use Unicode for the LDIFDE import file, or use the GUID-based syntax. |
| 67 | +
|
| 68 | + An object name can also be expressed as `<guid=cf2b4aca-0e67-47d9-98aa-30a5fe30dc36>` in the GUID-based syntax. |
| 69 | +
|
| 70 | + So, the expression of `fixupObjectState: cn=brokenuser,ou=bad-users,dc=contoso,dc=com:LastLogonTimestamp` becomes `fixupObjectState: <guid=cf2b4aca-0e67-47d9-98aa-30a5fe30dc36>:LastLogonTimestamp`. |
| 71 | +
|
| 72 | + To use this syntax with the LDIFDE import file, you need to encode the text after the first colon in Base64 format because of the greater-than (>) and less-than (<) signs: |
| 73 | +
|
| 74 | + ```output |
| 75 | + fixupObjectState:: PGd1aWQ9Y2YyYjRhY2EtMGU2Ny00N2Q5LTk4YWEtMzBhNWZlMzBkYzM2PjpMYXN0TG9nb25UaW1lc3RhbXA= |
| 76 | + ``` |
| 77 | +
|
| 78 | + > [!NOTE] |
| 79 | + > The double colon shows the attribute value is in Base64 format. You can use the [Base64 encoder](https://www.bing.com/search?q=site%3Amicrosoft.com%20base64%20encoder&qs=n&form=QBRE&sp=-1&lq=0&pq=site%3Amicrosoft.com%20base64%20encoder&sc=0-33&sk=&cvid=CE994D44ADFC432CA2D3784CEBB3D934&ghsh=0&ghacc=0&ghpl=) to encode the string directly on the web. |
| 80 | +
|
| 81 | + After using the Base64 format, the import file becomes: |
| 82 | +
|
| 83 | + ```output |
| 84 | + DN: |
| 85 | + Changetype:modify |
| 86 | + add: fixupObjectState |
| 87 | + fixupObjectState:: PGd1aWQ9Y2YyYjRhY2EtMGU2Ny00N2Q5LTk4YWEtMzBhNWZlMzBkYzM2PjpMYXN0TG9nb25UaW1lc3RhbXA= |
| 88 | + - |
| 89 | + ``` |
| 90 | +
|
| 91 | +### Step 3: Repair the object using LDIFDE |
| 92 | +
|
| 93 | +Sign in as an Enterprise Administrator, and import the LDIFDE import file (for example, **repair-user.txt**) with the following command: |
| 94 | +
|
| 95 | +```console |
| 96 | +ldifde /i /f repair-user.txt |
| 97 | +Connecting to "<DC name>" |
| 98 | +Logging in as current user using SSPI |
| 99 | +Importing directory from file " repair-user.txt" |
| 100 | +Loading entries... |
| 101 | +1 entry modified successfully. |
| 102 | +``` |
| 103 | + |
| 104 | +Then, the object has the `lastLogonTimestamp` attribute value set to the current time. |
| 105 | + |
| 106 | +## References |
| 107 | + |
| 108 | +For more information about the usage of the `lastLogonTimestamp` attribute, see: |
| 109 | + |
| 110 | +- ["The LastLogonTimeStamp Attribute" - "What it was designed for and how it works"](/archive/blogs/askds/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works) |
| 111 | +- [How LastLogonTimeStamp is Updated with Kerberos S4u2Self](https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self/257135) |
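Review bot: The Base64 encoder link in the note under Step 2 (line 79 of the added file) is a Bing search URL carrying session-specific query parameters (`cvid`, `ghsh`, `ghacc`, `ghpl`), which is fragile and leaks tracking state into published docs; replace it with a stable reference or, since the goal is only to encode `<guid=...>:LastLogonTimestamp`, state that any local Base64 tool works (for example `[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s))` in PowerShell) so readers are not steered to a web form for a value they can produce offline. Two smaller points in the same hunk: the sample output line `Importing directory from file " repair-user.txt"` has a stray leading space inside the quotes that reads like a typo, and Step 3 asks for Enterprise Administrator sign-in without saying why; if the `fixupObjectState` rootDSE modify actually requires that right per [MS-ADTS], say so and link the requirement, otherwise name the least-privileged role that suffices.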