The Active Directory administrator must periodically find and disable inactive objects in AD. In this article, we will show how to get the last logon time for an AD domain user and find accounts that have been inactive for more than 90 days.
How to Get a User’s Last Logon Time Using ADUC?
You can find out the last logon time for the domain user with the ADUC graphical console (Active Directory Users and Computers).
- Run the console dsa.msc;
- In the top menu, enable the option View > Advanced Features;
- Find the user in the AD tree and open its properties;
- Click on the tab Attribute Editor;
- In the list of attributes, find lastLogon. This attribute contains the time the user last logged on to the domain.
Note. In the Attribute Editor you will see two similar attributes: lastLogon and lastLogonTimestamp. What is the difference between them?
- The lastLogon attribute is updated when the user logs on to the domain, but only on the domain controller that authenticated the user; it is not replicated to other domain controllers. Therefore, if there are multiple domain controllers in different AD sites, you have to check this attribute on each of them and compare the results. The value of this attribute for the same user can differ between DCs or even be zero (if the user has never been authenticated by that DC);
- The lastLogonTimestamp attribute is also updated when the user logs on to a domain controller, and it is replicated to the other DCs. However, it is updated only if the new value is at least 14 days newer than the stored one, so the value on any given DC can lag the user's real activity by up to two weeks and may not be current.
Find Last Logon Time Using CMD
You can find out the time the user last logged into the domain from the command line using the net or dsquery tools.
Open a command prompt (you don’t need domain administrator privileges to get AD user info), and run the command:
net user administrator /domain | findstr "Last"
This returns the user's last logon time, for example: 08.08.2019 11:14:13.
You can also get the last logon time using dsquery. For example:
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=administrator))" -attr distinguishedName lastLogon lastLogonTimestamp -limit 0
The main problem is that the lastLogon and lastLogonTimestamp attributes are stored in AD as 64-bit timestamps (Windows file time), so you have to convert them to a readable date and time yourself.
You can also use this command to find all users who are inactive, for example, for 10 weeks:
dsquery user domainroot -inactive 10
Find Last Logon Time Using PowerShell
You can also use PowerShell to get the user’s last domain logon time. For this, you need to use the Active Directory module for Windows PowerShell. Install this module and import it into your PowerShell session:
Import-Module ActiveDirectory
To find the last logon time for the domain administrator account, run the command:
Get-ADUser -Identity administrator -Properties LastLogon
The cmdlet returns the time as a raw file time value. To convert it to a normal date and time, use the following command:
Get-ADUser -Filter {Name -eq "administrator"} -Properties * | Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}}
Using PowerShell, you can display the last logon time for all enabled domain users:
Get-ADUser -Filter {enabled -eq $true} -Properties * | Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}} | Sort-Object LastLogon -Descending
Or you can find users who have been inactive for more than 90 days (LastLogonDate is the lastLogonTimestamp attribute converted to a DateTime by the AD module):
$date1 = (Get-Date).AddDays(-90)
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | Format-Table
After identifying inactive accounts, we recommend disabling those user accounts, waiting a few weeks, and then deleting the accounts if no problems have been reported. You can disable inactive users with the Disable-ADAccount cmdlet (using the $date1 threshold defined above):
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | Disable-ADAccount
Similarly, you can get the last logon time for computer objects in a domain. The following command will list all computers that have been inactive for more than 90 days:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize
Hint. You can get the detailed user logon history only from the security event logs of domain controllers.
Get Last Logon for User across All Domain Controllers
As we said earlier, if there are several domain controllers in your domain, the lastLogon value may differ between them. If a user has been inactive for more than 14 days, the easiest way is to read the lastLogonTimestamp attribute from any domain controller. However, if you do not know which site or DC last authenticated the user, you have to query every domain controller in the domain to get the user's true last logon date.
The following PowerShell script loops through all domain controllers in the domain and gets the value of the lastLogon attribute from each of them. The result is exported to a CSV file:
$userlogonname = 'bjackson'
$csvoutputfile = 'c:\ps\lastlogon_from_all_dcs.csv'
$resultlogonhistory = @()
Import-Module ActiveDirectory
# Names of all domain controllers in the current domain
$DCs = (Get-ADDomainController -Filter *).Name
foreach ($DC in $DCs) {
  Try {
    # Read the non-replicated lastLogon attribute directly from this DC
    $aduser = Get-ADUser $userlogonname -Server $DC -Properties lastLogon -ErrorAction Stop
    $resultlogonhistory += New-Object -TypeName PSObject -Property ([ordered]@{
      'User'      = $userlogonname
      'DC'        = $DC
      'LastLogon' = [datetime]::FromFileTime($aduser.'lastLogon')
    })
  }
  Catch {
    Write-Host "Can't connect DC $($DC)!"
  }
}
$resultlogonhistory | Export-Csv -Path $csvoutputfile -NoTypeInformation -Delimiter "," -Encoding UTF8
If you need to quickly find the maximum user LastLogon value from all DCs, use the following one-liner:
[datetime]::FromFileTime((Get-ADDomainController -Filter * | ForEach-Object {Get-ADUser 'bjackson' -Properties LastLogon -Server $_.Name | Select-Object LastLogon} | Measure-Object -Property LastLogon -Maximum).Maximum)
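The following function is an added example (not from the original article) that combines the two approaches above: it takes the newest lastLogon across all DCs for every enabled user in one query per DC, falls back to lastLogonTimestamp, and flags accounts that have never logged on, which the LastLogonDate -lt filter misses because their LastLogonDate is $null. The function name and the 30-day grace period for newly created accounts are assumptions.

```powershell
# Added example, not part of the original article: inactive-user report that
# merges the newest lastLogon from every DC with lastLogonTimestamp and handles
# never-logged-on accounts (LastLogonDate is $null for them, so "-lt $date1" skips them).
Import-Module ActiveDirectory

function Get-ADInactiveUserReport {
    param(
        [int]$InactiveDays = 90,   # the article's threshold
        [int]$GraceDays    = 30    # assumed: new accounts get this long to log on first
    )
    $cutoff  = (Get-Date).AddDays(-$InactiveDays)
    $created = (Get-Date).AddDays(-$GraceDays)

    # One query per DC for all enabled users, instead of one query per user per DC.
    $newestLogon = @{}
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            Get-ADUser -Filter {enabled -eq $true} -Server $dc -Properties lastLogon -ErrorAction Stop |
                ForEach-Object {
                    if ($_.lastLogon -gt $newestLogon[$_.SamAccountName]) {
                        $newestLogon[$_.SamAccountName] = $_.lastLogon
                    }
                }
        } catch {
            Write-Warning "Skipping unreachable DC ${dc}: $_"
        }
    }

    Get-ADUser -Filter {enabled -eq $true} -Properties lastLogonTimestamp, whenCreated |
        ForEach-Object {
            # Both attributes are file-time integers; 0 or $null means "never".
            $ft = [long]$newestLogon[$_.SamAccountName]
            if ([long]$_.lastLogonTimestamp -gt $ft) { $ft = [long]$_.lastLogonTimestamp }
            $last = if ($ft -gt 0) { [datetime]::FromFileTime($ft) } else { $null }
            # Never-logged-on accounts are judged by their creation date instead.
            $inactive = if ($last) { $last -lt $cutoff } else { $_.whenCreated -lt $created }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LastLogon      = $last        # $null = never logged on
                WhenCreated    = $_.whenCreated
                Inactive       = $inactive
            }
        }
}

# Review the list first; drop -WhatIf only after the report has been checked:
# Get-ADInactiveUserReport | Where-Object Inactive |
#     ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```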