

Active Directory date/timestamp fields are not accurate, why?

Posted on 2005-04-21
Medium Priority
Last Modified: 2008-03-10
I have the following code that returns a specific property for a given user in Active Directory.  However, whenever I try to convert the lastLogonTimestamp dates and various other dates they don't seem to be accurate.  They are close, usually just off by a few hours or minutes.  Here is the function I'm using to return any given user's property (i.e., cn, displayName, telephoneNumber, etc.).

Also, to convert the 100-nanosecond interval long integer fields (i.e., lastLogonTimestamp) I use the following code:
Date.FromFileTime(getUIDProperty(userID, "lastLogonTimestamp").ToString).ToString()

It still comes out wrong by only a few hours or even minutes.  Any help is appreciated, TIA!

    'Requires: Imports System.DirectoryServices
    Function getUIDProperty(ByVal uid As String, ByVal uid_parameter As String) As String
        Try
            Dim sPath As String = "LDAP://<connection>"
            Dim myDirectory As New DirectoryEntry(sPath, "<username>", "<pw>", DirectoryServices.AuthenticationTypes.Secure) 'pass the user account and password for your Enterprise admin.
            Dim mySearcher As New DirectorySearcher(myDirectory)
            Dim mySearchResultColl As SearchResultCollection
            Dim mySearchResult As SearchResult
            Dim myResultPropColl As ResultPropertyCollection
            Dim myResultPropValueColl As ResultPropertyValueCollection
            'Build LDAP query
            '(uid is concatenated into the filter unescaped; escape LDAP filter special characters if it comes from user input)
            mySearcher.Filter = ("(&(objectClass=user)(samaccountname=" & uid & "))")
            mySearchResultColl = mySearcher.FindAll()
            'I expect only one user from search result
            Select Case mySearchResultColl.Count
                Case 0
                    Return "Null"
                Case Is > 1
                    Return "Null"
            End Select

            'Get the search result from the collection
            mySearchResult = mySearchResultColl.Item(0)

            'Get the properties, they contain the useful info
            myResultPropColl = mySearchResult.Properties

            'displayname, mail
            'Retrieve the requested property (e.g. display name or email) from the properties collection
            myResultPropValueColl = myResultPropColl.Item(uid_parameter)
            Return CStr(myResultPropValueColl.Item(0))

        Catch ex As System.Exception
            'Any failure (bind error, missing property) is reported as an empty string
            Return ""
        End Try
    End Function
Question by: RobinsRL

Expert Comment

ID: 13835951
Not very sure if you have done it correctly, since the "lastLogonTimestamp" attribute actually returns a 64-bit integer value.

As the Microsoft documentation suggests

this is the code in VB.NET

Expert Comment

ID: 13836012
More importantly, even if there's nothing wrong with your code, you may not get the last updated last logon value from the attribute. It is said, lastLogonTimestamp's value is only updated when the user logs in if a week has passed since the last update. Just keep that in mind.

Author Comment

ID: 13840047
Ok, is "lastLogon" as inaccurate as lastLogonTimestamp?

There seems to be a discrepancy with a bunch of these date fields (i.e., badPasswordTime, pwdLastSet).  Any fix to this?

Expert Comment

ID: 13841541
The lastLogonTimestamp and lastLogon attributes have the same data type, but they work in different ways. The lastLogonTimestamp attribute is replicated across DCs in the domain, but its value is updated after a week or more (if I'm not wrong, this is configurable). With the lastLogon attribute, you should always get the actual last logon. However, this attribute isn't replicated and you'd have to query every DC in the domain and keep track of the most recent one.

Accepted Solution

ihenry earned 2000 total points
ID: 13841582
Similarly, the badPasswordTime attribute is stored in each DC. For an accurate value for the user's last incorrect password time in the domain, you must query each DC in the domain; the largest one is the accurate value.

And I guess the same thing happens to pwdLastSet attribute. I'm not very sure, though.

Author Comment

ID: 13906140
How exactly are you supposed to convert that long integer into a useable and accurate date?  

Expert Comment

ID: 13910526
Have you tried the link I posted above?
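
The conversion asked about in this thread, combined with the "query each DC and keep the largest value" approach from the accepted solution, as an added example that is not code from any participant. It assumes the raw per-DC values were already collected (for instance by pointing getUIDProperty at each DC in turn); the DC names and timestamps are constructed, and FileTimeToUtc and LatestAcrossDcs are hypothetical helper names.

```vb
Imports System
Imports System.Collections.Generic

Module AdTimestampExample
    ' Convert an AD 64-bit time attribute (100-ns intervals since 1601-01-01 UTC),
    ' in the string form getUIDProperty returns, to a UTC DateTime.
    ' Returns Nothing for 0 (no time recorded), for "Null"/"" from a failed
    ' lookup, and for values outside the DateTime range.
    Function FileTimeToUtc(ByVal raw As String) As DateTime?
        Dim ticks As Long
        If Not Long.TryParse(raw, ticks) OrElse ticks <= 0 Then Return Nothing
        Try
            Return DateTime.FromFileTimeUtc(ticks)
        Catch ex As ArgumentOutOfRangeException
            Return Nothing
        End Try
    End Function

    ' lastLogon and badPasswordTime are kept per DC, so the domain-wide value
    ' is the largest one seen. perDc maps DC name -> raw attribute value.
    Function LatestAcrossDcs(ByVal perDc As IDictionary(Of String, String), ByRef sourceDc As String) As DateTime?
        Dim best As DateTime? = Nothing
        sourceDc = Nothing
        For Each kv As KeyValuePair(Of String, String) In perDc
            Dim t As DateTime? = FileTimeToUtc(kv.Value)
            If t.HasValue AndAlso (Not best.HasValue OrElse t.Value > best.Value) Then
                best = t
                sourceDc = kv.Key
            End If
        Next
        Return best
    End Function

    Sub Main()
        ' Constructed sample data: hypothetical DC names and made-up logon times.
        Dim perDc As New Dictionary(Of String, String)
        perDc.Add("dc1.example.local", New DateTime(2005, 4, 18, 9, 5, 0, DateTimeKind.Utc).ToFileTimeUtc().ToString())
        perDc.Add("dc2.example.local", New DateTime(2005, 4, 20, 14, 30, 0, DateTimeKind.Utc).ToFileTimeUtc().ToString())
        perDc.Add("dc3.example.local", "0") ' no logon recorded on this DC

        Dim dc As String = Nothing
        Dim latest As DateTime? = LatestAcrossDcs(perDc, dc)
        If latest.HasValue Then
            Console.WriteLine("Last logon (UTC):   {0:u} from {1}", latest.Value, dc)
            ' FromFileTime returns the same instant in the machine's local time zone.
            Console.WriteLine("Last logon (local): {0}", DateTime.FromFileTime(latest.Value.ToFileTimeUtc()))
        End If
    End Sub
End Module
```

DateTime.FromFileTime returns local time while DateTime.FromFileTimeUtc returns UTC, so comparing output from one against a value displayed in the other shows a whole-hour offset equal to the machine's time zone difference.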
