Timestamps in Active Directory properties

Many AD properties that contain timestamps are in the FILETIME format (100-nanosecond intervals since 1601-01-01 UTC), not Unix time (seconds since the epoch) or similar. Convert with:

PS H:\> $x = (Get-Date).ToFileTime() # instance public method
PS H:\> $x
133184427001875115
PS H:\> [DateTime]::FromFileTime($x) # class static function
17 January, 2023 09:25:00

https://learn.microsoft.com/en-us/dotnet/api/system.datetime.tofiletime
https://learn.microsoft.com/en-us/dotnet/api/system.datetime.fromfiletime

PowerShell ADUser objects have the LastLogonDate property, which is the LDAP lastLogonTimestamp attribute converted to a local DateTime. lastLogonTimestamp (and therefore LastLogonDate) is only updated when the previous authentication request occurred longer ago than the value of the attribute msDS-LogonTimeSyncInterval (default 14 days). LDAP lastLogon is updated immediately, but only on the domain controller that handled the logon; it is not replicated.

Similarly, badPasswordTime has the converted value LastBadPasswordAttempt, and badPwdCount has BadLogonCount. Neither is replicated.

pwdLastSet has PasswordLastSet. It is replicated. A value of 0, when userAccountControl does not contain the flag UF_DONT_EXPIRE_PASSWORD, means the password has expired and must be set at next logon.
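As an added example (not from the original page), a PowerShell function that applies the points above: it converts FILETIME values, reads lastLogon and badPasswordTime from every domain controller because they are not replicated, and reports whether pwdLastSet = 0 means a password change is required. It assumes the RSAT ActiveDirectory module and read access to the account on each DC; the account name jdoe is a placeholder.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the account on every DC.
$UF_DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag bit

function ConvertFrom-FileTime {
    # 0 means "never" (or, for pwdLastSet, "must change at next logon") and is
    # not a real date, so return $null instead of 1601-01-01.
    param([Parameter(Mandatory)][int64]$FileTime)
    if ($FileTime -le 0) { return $null }
    [DateTime]::FromFileTime($FileTime)
}

function Get-AccountLogonInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # lastLogon and badPasswordTime are not replicated: every DC keeps its own
    # value, so query each one and keep the newest. lastLogonTimestamp and
    # pwdLastSet are replicated, so any single DC will do for those.
    $newestLogon = 0L
    $newestBad   = 0L
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dcUser = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                      -Properties lastLogon, badPasswordTime
        if ([int64]$dcUser.lastLogon       -gt $newestLogon) { $newestLogon = [int64]$dcUser.lastLogon }
        if ([int64]$dcUser.badPasswordTime -gt $newestBad)   { $newestBad   = [int64]$dcUser.badPasswordTime }
    }

    $user = Get-ADUser -Identity $SamAccountName `
                -Properties lastLogonTimestamp, pwdLastSet, userAccountControl
    $mustChange = ($user.pwdLastSet -eq 0) -and
                  -not ($user.userAccountControl -band $UF_DONT_EXPIRE_PASSWORD)

    [pscustomobject]@{
        SamAccountName                = $SamAccountName
        LastLogon                     = ConvertFrom-FileTime $newestLogon   # newest across all DCs
        LastBadPasswordAttempt        = ConvertFrom-FileTime $newestBad
        LastLogonTimestamp            = ConvertFrom-FileTime ([int64]$user.lastLogonTimestamp)  # may lag up to 14 days
        PasswordLastSet               = ConvertFrom-FileTime ([int64]$user.pwdLastSet)
        MustChangePasswordAtNextLogon = $mustChange
    }
}

Get-AccountLogonInfo -SamAccountName 'jdoe'   # placeholder account name
```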

See also

https://ldapwiki.com/wiki/Lockouttime
https://stackoverflow.com/q/13091719#comment92927258_13091821
https://serverfault.com/a/959783
