The lastLogonTimestamp attribute
is replicated across all the domain controllers in a Windows Server 2003 domain
functionality level domain. It is updated for Kerberos and NTLM
interactive logons.
Windows Server 2003 does NOT update the lastLogonTimestamp attribute when you perform:
Certificate mapping through Microsoft Internet Information Services (IIS).
Username and password authentication through IIS.
Microsoft .NET Passport mapping through IIS.
All Service-for-User (S4U)
authentication paths.
NOTE: The DSQUERY USER DOMAINROOT -inactive weeks
command uses the lastLogonTimestamp attribute.