
Change LastLogonDate property in Active Directory

I am writing a script to disable old workstation objects (and I have to remake the wheel due to some unique things on my system). I'd like to make some test computer objects with known LastLogonDate to validate my script.

How can I, preferably just with PowerShell, set the LastLogonDate property to what I want it to be? I'd prefer it to be in PowerShell so I can include the necessary changes in order to self-test my code when it runs. I am also heavily restricted on what programs can be placed on the network.

I haven't found a pure PowerShell solution, and TechNet indicates that Set-ADComputer doesn't have that functionality. In desperation I've tried running ADSIedit on a domain controller to set LastLogon and LastLogonTimestamp, but get error 0x209a (attribute is owned by the Security Accounts Manager).

Worst case scenario, I can use a previously disabled workstation but that workaround is getting a lot of frowns from my security folks.

Thank you.

Edit:

If I can figure out how to get around that "error 0x209a (attribute is owned by the Security Accounts Manager)" issue, I think I can use the following PowerShell to set it:

Get-ADComputer -Identity <ComputerName> -Server <DomainController> | Set-ADObject -DisplayName <ComputerName> -Replace @{LastLogon=<NewTimeStamp>}

Where NewTimeStamp is the tick count of the date you want to set.

Do not modify! Both LastLogon and LastLogonTimeStamp are system-owned attributes and even if you found a way to bypass the restriction, you would most likely break the replication of the object.

There's nothing wrong with disabling and moving old unused computer objects. Your security folks would however hate you if you broke AD by doing unsupported modifications.

LastLogonDate is a virtual/calculated property created by the AD-module for easy access to a datetime-converted property for the LastLogonTimeStamp attribute.
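
One way to validate the stale-workstation logic without writing to the SAM-owned attributes, as an added example that is not part of the original question or answer: the selection logic takes plain objects, so test cases with known timestamps can be built in memory. The function names, computer names and the 90-day threshold are assumptions, and the conversion uses UTC so the test is deterministic.

```powershell
# Convert a raw lastLogonTimestamp (Windows FILETIME, 100 ns ticks since 1601) to a DateTime.
function Convert-LastLogonTimestamp {
    param([long]$FileTime)
    # 0 or missing means the account never logged on; return $null instead of 1601-01-01.
    if ($FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

# Hypothetical selector: emits one record per object that should be reviewed or disabled.
function Get-StaleComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int]$MaxAgeDays = 90,                      # assumed threshold
        [DateTime]$Now = [DateTime]::UtcNow         # injectable clock for repeatable tests
    )
    process {
        $last = Convert-LastLogonTimestamp $Computer.lastLogonTimestamp
        if ($null -eq $last) {
            # Reported separately so freshly created objects are not disabled blindly.
            [pscustomobject]@{ Name = $Computer.Name; LastLogonDate = $null; Reason = 'NeverLoggedOn' }
        }
        elseif (($Now - $last).TotalDays -gt $MaxAgeDays) {
            [pscustomobject]@{ Name = $Computer.Name; LastLogonDate = $last; Reason = 'Stale' }
        }
    }
}

# Constructed test objects with known timestamps; nothing here touches Active Directory.
$now = [DateTime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$testComputers = @(
    [pscustomobject]@{ Name = 'WS-FRESH'; lastLogonTimestamp = $now.AddDays(-10).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-OLD';   lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-NEVER'; lastLogonTimestamp = $null }
)

# Self-test: only WS-OLD (Stale) and WS-NEVER (NeverLoggedOn) should be selected.
$result = @($testComputers | Get-StaleComputer -MaxAgeDays 90 -Now $now)
if (($result.Name -join ',') -ne 'WS-OLD,WS-NEVER') { throw 'Stale selection self-test failed' }
$result | Format-Table Name, LastLogonDate, Reason
```

In production the same function can be fed from `Get-ADComputer -Filter * -Properties lastLogonTimestamp`. Because lastLogonTimestamp is only refreshed when the stored value is roughly 9 to 14 days old by default, keep the threshold well above that window.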
