Find AD User’s Last Logon Time Using PowerShell

How to find AD users' last logon info using PowerShell

The purpose of this exercise is to find accounts that are still enabled but have not logged into the AD domain for months (or even years in some cases). There may be test accounts, staff on long leave etc. in the mix, so this exercise always produces data that needs to be acted on.

Accounts belonging to staff on long leave should be disabled, and the same goes for accounts that belonged to staff who no longer work in the organization.

Even though it is quite easy to construct a PowerShell one-liner that returns this information, we need to be careful about which attribute the query is based on and how the attributes differ.

There are a number of ways to find the last date and time someone logged into the domain: you might be querying a single user, a subset of users, or the entire domain. Let's tackle each case one by one.

How to find last logon time for a single user

You can get this information using the Active Directory Users and Computers snap-in and PowerShell.

Follow the steps below to find the info using the graphical tool.

Launch Active Directory Users and Computers.

Click on View tab and make sure that Advanced features is turned on.

Navigate to the OU where the user account is and double-click the account to open its properties page. Note that the Attribute Editor tab is not visible if you locate the user with the search option and double-click the account from the search results.

Look for the attributes LastLogon and LastLogonTimeStamp. These give you the necessary information. Why look at two attributes for the same info, you might ask?

Difference between LastLogon, LastLogonDate and LastLogonTimeStamp

A bit of theory: LastLogon information is local to the domain controller you are querying. So if a user was last authenticated by DC01, that server holds the correct LastLogon value, whereas DC02 will have incorrect info or no info at all. LastLogon is NOT replicated to other domain controllers. Hence LastLogon is fine if you are a small organization with only one or two domain controllers.

If you are a large organization, you are better off using LastLogonDate, as this value is replicated to all domain controllers. But (there is always a but), the value is only updated and replicated if the new logon is more than 14 days later than the previously stored value (not sure as to why it is this way!).

There is a third attribute, LastLogonTimeStamp, which holds the same information as LastLogonDate but not in a human-readable date format. Also, this timestamp attribute is not updated only by interactive logins, but by the last time the account accessed something on the network, such as connecting to the VPN. Check the three attributes in the screenshot below.

To summarize, use LastLogon if you have a couple of domain controllers and LastLogonDate if you are a bigger shop.

Find Last Logon Info For Single User Using PowerShell

Now that we know how to get the info using ADUC, run the command below to get it using PowerShell.

If you are adamant that you want to use the non-human-readable LastLogon attribute, you can use the command below to convert the value into something more meaningful.
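Here is an added example (not the article's own command) that covers both steps for a single user: it reads the replicated LastLogonDate together with the raw lastLogonTimestamp it is derived from, and then, because lastLogon is not replicated, asks every domain controller for its own lastLogon value and keeps the newest one. It assumes the ActiveDirectory RSAT module is installed; the account name jsmith is a placeholder.

```powershell
# Added example, not the article's own command.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$user = 'jsmith'   # placeholder sAMAccountName

# LastLogonDate is the human-readable form of lastLogonTimestamp, which is
# replicated to every DC (but only refreshed when the previous value is
# more than 14 days old, so it can lag the real last logon).
Get-ADUser -Identity $user -Properties LastLogonDate, lastLogonTimestamp |
    Select-Object SamAccountName, LastLogonDate,
        @{ Name = 'LastLogonTimeStampConverted'
           Expression = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } }

# lastLogon is NOT replicated: each DC only knows about logons it handled.
# Query every DC and take the most recent value to get the true answer.
$perDc = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    $u  = Get-ADUser -Identity $user -Server $dc -Properties lastLogon
    $when = $null
    # A value of 0 (never logged on at this DC) would convert to 1/1/1601,
    # so leave it blank instead.
    if ($u.lastLogon -and $u.lastLogon -gt 0) {
        $when = [DateTime]::FromFileTime($u.lastLogon)
    }
    [PSCustomObject]@{ DC = $dc; LastLogon = $when }
}

# Per-DC view, newest first, then the single most recent logon.
$perDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize
$perDc | Where-Object { $_.LastLogon } |
    Sort-Object LastLogon -Descending | Select-Object -First 1
```

The per-DC loop is the part worth keeping for larger environments: a user who authenticates mainly against a branch-office DC will look idle on every other DC if you only read lastLogon from one of them.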

Find Last Logon Info For All Users Using PowerShell

Run the command below to get the last login information for all users in the AD domain.

If a user account has never logged into the domain, its LastLogonDate will be blank.

If you use the command below instead, you will see 1/1/1601 against users who have never logged into the domain.

You can pipe the output to the Export-Csv cmdlet to get the information into Excel.

Find Last Logon Info For All Enabled Users Using PowerShell

If you want to filter the output to just the user accounts that are enabled, run the command below.

You can pipe the output to the Export-Csv cmdlet to get the information out to a file.
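The following added example (not the article's own commands) covers the two preceding sections together: it lists LastLogonDate for every user, shows why a self-converted lastLogonTimestamp reads 1/1/1601 for never-logged-on accounts, and then restricts the query to enabled accounts and exports them with Export-Csv. It assumes the ActiveDirectory module; the CSV path is a placeholder.

```powershell
# Added example, not the article's own command.
# Assumes the ActiveDirectory module; C:\Temp\... is a placeholder path.
Import-Module ActiveDirectory

# All users. LastLogonDate is $null (blank in the output) for accounts
# that have never logged on.
$all = Get-ADUser -Filter * -Properties LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate

$all | Sort-Object LastLogonDate | Format-Table -AutoSize

# Converting the raw lastLogonTimestamp yourself turns an empty value
# into [DateTime]::FromFileTime(0), which is 1/1/1601, not a blank.
Get-ADUser -Filter * -Properties lastLogonTimestamp |
    Select-Object SamAccountName,
        @{ Name = 'LastLogonTimeStamp'
           Expression = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } |
    Sort-Object LastLogonTimeStamp |
    Select-Object -First 10    # the 1601 entries sort to the top

# Enabled accounts only. Filtering server-side with -Filter is cheaper
# than pulling every object and piping it through Where-Object.
$enabled = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Select-Object SamAccountName, Name, LastLogonDate

$enabled | Sort-Object LastLogonDate |
    Export-Csv -Path 'C:\Temp\AD-EnabledUsers-LastLogon.csv' -NoTypeInformation
```

Treat a blank LastLogonDate and a 1/1/1601 value as the same thing when you review the export: an account that has never authenticated, which is exactly the kind of leftover test or pre-provisioned account this exercise is meant to surface.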

Find Users Who Have Not Logged In The Last 90 Days

A common task is to find AD user accounts that have not logged into the domain in the last x months, say 3 months.

Run the command below to find users who haven't logged in during the last 90 days. You can vary the number of days in the command based on the output required.

Export the info using the block of commands below.

Find and Disable User Accounts Not Logged In The Last 3 Months

You can find which accounts have not logged into the domain in the last 3 months and disable them in one go. Use the command below for this task.
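This added example (not the article's own commands) serves both the 90-day search and the find-and-disable task above. It selects enabled accounts whose replicated LastLogonDate is older than the cutoff, explicitly includes accounts that have never logged on but were created before the cutoff (so a brand-new account is not disabled before its owner's first day), exports the list, and then disables the accounts with -WhatIf so the run can be previewed first. It assumes the ActiveDirectory module and rights to modify the accounts; the CSV path is a placeholder.

```powershell
# Added example, not the article's own command.
# Assumes the ActiveDirectory module; C:\Temp\... is a placeholder path.
Import-Module ActiveDirectory

$Days   = 90
$Cutoff = (Get-Date).AddDays(-$Days)

# LastLogonDate comes from the replicated lastLogonTimestamp, so one query
# is enough. It can lag the real last logon by up to 14 days, which makes
# the cutoff conservative. Accounts that never logged on have no date at
# all and would be silently skipped by a plain "-lt $Cutoff" comparison,
# so they are matched on whenCreated instead.
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated |
    Where-Object {
        ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or
        ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $Cutoff)
    } |
    Select-Object SamAccountName, Name, DistinguishedName, LastLogonDate, whenCreated

# Review and export before changing anything.
$stale | Sort-Object LastLogonDate | Format-Table -AutoSize
$stale | Export-Csv -Path "C:\Temp\AD-Stale-$Days-Days.csv" -NoTypeInformation

# Disable in one go. -WhatIf only reports what would change; remove it to
# apply. Writing the reason into Description leaves an audit trail for the
# next person who wonders why the account is disabled.
$reason = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): no logon in $Days days"
$stale | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -Description $reason -WhatIf
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf
}
```

Before removing -WhatIf, exclude any service or break-glass accounts you know never log on interactively, otherwise the same run that cleans up leavers will also lock out a scheduled task or an emergency admin account.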

Please let me know if you have any questions in the comments section.


2 thoughts on “Find AD User’s Last Logon Time Using PowerShell”

1. Great web site you’ve got here. It’s hard to find quality writing like yours nowadays. I really appreciate people like you! Take care!!
