Find AD User’s Last Logon Time Using PowerShell
This article explains multiple ways to find an AD user’s last logon time using PowerShell.
The motive of this activity is to figure out whether there are accounts that are still enabled but have not logged into the AD domain for months (or even years in some cases). There might be test accounts, staff on long leave, etc. in the mix, and hence this exercise always outputs data that needs to be acted on.
Accounts of staff on long leave surely need to be disabled; the same goes for accounts that belonged to staff who no longer work in the organization.
Even though it is quite easy to construct a one-liner that can give us this information using PowerShell, we need to be careful about which attribute we are basing our query on and what the differences are.
There are a number of ways in which we can find the last date and time someone logged into the domain: you might be querying for a single user, a subset of users or the entire domain. Let’s tackle each case one by one.
How to find last logon time for a single user
You can get this information using the Active Directory Users and Computers snap-in and PowerShell.
Follow the steps below to find the info using the graphical tool.
Launch Active Directory Users and Computers.
Click on the View tab and make sure that Advanced Features is turned on.

Navigate to the OU where the user account is and double click on the account to open up the properties page. The Attribute Editor tab is not visible if you find the user using the search option and double click on the account.
Look for the attributes LastLogon and LastLogonTimeStamp. These attributes will give you the necessary information. Why are we looking at two attributes for the same info, you might ask?

Difference between LastLogon, LastLogonDate and LastLogonTimeStamp
A bit of theory – LastLogon information is local to the domain controller you are querying against. So if a user was last authenticated by DC01, this server will have the correct LastLogon info, whereas DC02 will have incorrect info or no info at all. LastLogon info is NOT replicated to other domain controllers. Hence, LastLogon is good if you are a small organization and only have one or two domain controllers.
If you are a large organization, you are better off using LastLogonDate, as this info gets replicated to all domain controllers. But (there is always a but), the info is replicated only if the ‘new’ value is more than 14 days newer than the previous value (not sure as to why it is this way!).
There is a third attribute, LastLogonTimeStamp, which is a replica of the LastLogonDate; however, the output is not in a human-readable date format. Also, this timestamp attribute is not just used for logins, but rather for the last time the account accessed something on the network, like connecting to the VPN, etc. Check the info for the three attributes in the screenshot below.

To summarize, use LastLogon if you have a couple of domain controllers and LastLogonDate if you are a bigger shop.
Find Last Logon Info For Single User Using PowerShell
Now that we know how to get the info using ADUC, run the command below to get the info using PowerShell.
Import-Module ActiveDirectory
Get-ADUser -Identity <username> -Properties LastLogonDate
If you are adamant that you want to use the non-human readable LastLogon attribute, you can use the command below to convert the info into something more meaningful.
Import-Module ActiveDirectory
Get-ADUser -Identity <username> -Properties * | Select Name, @{N='Last Logon'; E={[DateTime]::FromFileTime($_.LastLogon)}}
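Because LastLogon is not replicated, an accurate value means asking every domain controller and keeping the newest answer. The following is an added example, not part of the original article; the function name Get-TrueLastLogon and the account name jdoe are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not from the original article.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)]
        [string]$Identity      # sAMAccountName or DN of the user to check
    )

    $latest   = [long]0
    $sourceDc = $null
    $failed   = @()

    # LastLogon is stored per domain controller, so every DC has to be asked.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                               -Properties LastLogon -ErrorAction Stop
            # The value is empty or 0 on DCs that never authenticated the user.
            if ($user.LastLogon -gt $latest) {
                $latest   = $user.LastLogon
                $sourceDc = $dc.HostName
            }
        }
        catch {
            # A DC that could not be queried makes the result incomplete; record it.
            $failed += $dc.HostName
        }
    }

    [pscustomobject]@{
        Identity        = $Identity
        # 0 would convert to 1/1/1601, so report $null for "never" instead.
        LastLogon       = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
        AuthenticatedBy = $sourceDc
        UnqueriedDCs    = $failed
    }
}

# 'jdoe' is a constructed sample account name.
Get-TrueLastLogon -Identity 'jdoe'
```

If UnqueriedDCs is not empty, treat the reported time as a lower bound, since one of the missing domain controllers may hold a newer value.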

Find Last Logon Info For All Users Using PowerShell
Run the command below to get the last login information for all users in the AD domain.
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties * | Select Name, LastLogonDate, samaccountname
If the user accounts have never logged into the domain, the LastLogonDate will be blank.
If you use the command below, you will have 1/1/1601 against users who have never logged into the domain.
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties * | Select Name, @{N='Last Logon'; E={[DateTime]::FromFileTime($_.LastLogon)}}, samaccountname

You can use the Export-Csv cmdlet to get the information to play with in Excel.
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties * | Select Name, LastLogonDate, samaccountname | Export-Csv .\AllUsersLoginInfo.csv -NoTypeInformation
Find Last Logon Info For All Enabled Users Using PowerShell
If you want to filter the output just to the user accounts that are enabled, run the command below.
Import-Module ActiveDirectory
Get-ADUser -Filter 'Enabled -eq $true' -Properties * | Select Name, LastLogonDate, samaccountname
You can use the Export-Csv cmdlet to get the information out to a file.
Import-Module ActiveDirectory
Get-ADUser -Filter 'Enabled -eq $true' -Properties * | Select Name, LastLogonDate, samaccountname | Export-Csv .\EnabledUsersLoginInfo.csv -NoTypeInformation
Find Users Who Have Not Logged In The Last 90 Days
A common task is to find the AD user accounts which have not logged into the domain in the last x number of months, say 3 months.
Run the command below to find users who haven’t logged in the last 90 days. You can vary the number of days in the command based on the output required.
#Change 90 to whatever number of days you need.
$Date = (Get-Date).AddDays(-90)
Import-Module ActiveDirectory
Get-ADUser -Filter 'LastLogonDate -lt $date' -Properties * | Select Name, LastLogonDate, samaccountname
Export the info using the block of commands below.
#Change 90 to whatever number of days you need.
$Date = (Get-Date).AddDays(-90)
Import-Module ActiveDirectory
Get-ADUser -Filter 'LastLogonDate -lt $date' -Properties * | Select Name, LastLogonDate, samaccountname | Export-Csv .\UsersNotLogged90Days.csv -NoTypeInformation
Find and Disable User Accounts Not Logged In The Last 3 Months
You can find the info about which accounts have not logged into the domain in the last 3 months and disable them in one go. Use the command below for this task.
#Change 90 to whatever number of days you need.
$Date = (Get-Date).AddDays(-90)
Import-Module ActiveDirectory
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date} | Disable-ADAccount
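A more cautious version of the find-and-disable step, as an added example that is not part of the original article: it limits the search to enabled accounts, allows for the 14-day lag in LastLogonDate described earlier, includes old accounts that have never logged on, and only simulates the disable with -WhatIf. The function name Get-StaleADUser, its parameters and the CSV file name are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not from the original article.
Import-Module ActiveDirectory

function Get-StaleADUser {
    param(
        [int]$InactiveDays = 90,
        # LastLogonDate can lag the real logon by up to 14 days,
        # so widen the window by that much before calling an account inactive.
        [int]$ReplicationLagDays = 14
    )

    $cutoff = (Get-Date).AddDays(-($InactiveDays + $ReplicationLagDays))

    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
        ForEach-Object {
            $reason = if ($null -eq $_.LastLogonDate) {
                # Blank LastLogonDate = never logged on; skip accounts newer than the cutoff.
                if ($_.whenCreated -lt $cutoff) { 'NeverLoggedOn' }
            }
            elseif ($_.LastLogonDate -lt $cutoff) { 'Inactive' }

            if ($reason) {
                [pscustomobject]@{
                    Name              = $_.Name
                    SamAccountName    = $_.SamAccountName
                    LastLogonDate     = $_.LastLogonDate
                    WhenCreated       = $_.whenCreated
                    Reason            = $reason
                    DistinguishedName = $_.DistinguishedName
                }
            }
        }
}

$stale = Get-StaleADUser -InactiveDays 90

# Keep a record of what is about to change.
$stale | Export-Csv .\StaleUsersToDisable.csv -NoTypeInformation

# Dry run: -WhatIf only reports which accounts would be disabled.
# Remove -WhatIf after the list has been reviewed.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Service accounts and other accounts that authenticate rarely will show up in this list too, so review the CSV before removing -WhatIf.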
Please let me know if you have any questions in the comments section.