In an Active Directory environment, if I set up a Windows service on a domain member computer to run under an Active Directory user account (commonly known as a service account) and that service remains running without any reboots or restarts for an entire year, will the LastLogonTimestamp for that service account's user object keep updating? For example, I'm using the MSSQL Engine service that runs as contososql-service. I'm curious about how the LastLogonTimestamp behaves in this scenario.
4 Answers
Nope, LastLogonTimestamp only updates when there are actual logon events. It's intended to help identify stale accounts and is only updated during authentication, with an accuracy within approximately 14 days. So just running the service won’t extend or change the timestamp.
I don't think the LastLogonTimestamp would change unless you restart the server that's running the service under that account.
Not likely. Instead, you might want to look into using a gMSA (Group Managed Service Account) for better management.
Thanks for the suggestion! I'll check out gMSAs.
You're correct: the LastLogonTimestamp remains static unless there's a logon event. I monitored a service account and found that even a TGT renewal doesn't update the LastLogonTimestamp. Plus, while this timestamp is replicated, it has a 14-day delta, so for the most precise information, you'd have to check each Domain Controller individually.
Thanks for clarifying! So it really is tied to logon events only.

Got it! So I'd need to restart something for the timestamp to budge?
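To get the per-DC precision the answer above describes, you have to read the non-replicated lastLogon attribute from every domain controller and compare it with the replicated LastLogonTimestamp. The PowerShell below is an added example, not code posted by anyone in this thread; it assumes the RSAT ActiveDirectory module is installed and uses the account name from the question, contososql-service.

```powershell
# Added example (not from the original thread): ask every DC for the
# non-replicated lastLogon attribute and show it next to the replicated
# lastLogonTimestamp. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-ServiceAccountLogonTimes {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # lastLogon is stored per DC and never replicated, so each DC must be queried.
    $dcs = Get-ADDomainController -Filter *

    foreach ($dc in $dcs) {
        try {
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }

        # Both attributes are Windows FILETIME values; 0 or $null means
        # this DC has never recorded a logon for the account.
        $lastLogon   = if ($user.lastLogon)          { [DateTime]::FromFileTime($user.lastLogon) }          else { $null }
        $lastLogonTs = if ($user.lastLogonTimestamp) { [DateTime]::FromFileTime($user.lastLogonTimestamp) } else { $null }

        [PSCustomObject]@{
            DomainController   = $dc.HostName
            LastLogon          = $lastLogon      # authoritative for this DC only
            LastLogonTimestamp = $lastLogonTs    # replicated, refreshed at most about every 14 days
        }
    }
}

# The newest lastLogon across all DCs is the real last authentication time;
# a stale-account report built only on lastLogonTimestamp can be up to ~14 days behind.
$results = Get-ServiceAccountLogonTimes -SamAccountName 'contososql-service'
$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize

$newest = ($results | Where-Object LastLogon | Sort-Object LastLogon -Descending |
           Select-Object -First 1).LastLogon
if ($newest) {
    "Most recent authentication recorded on any DC: $newest"
} else {
    "No DC has recorded a logon for this account."
}
```

Run it once before a stale-account cleanup and again a few weeks later: if neither value moves while the service keeps running, that confirms the behaviour described in the answers.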