The motive of this activity is to figure out whether there are accounts that are still enabled but have not logged into the AD domain for months (or even years in some cases). There might be test accounts, staff on long leave, etc. in the mix, and hence this exercise always outputs data that needs to be acted on.
Accounts of staff on long leave surely need to be disabled; the same goes for accounts that belonged to staff who no longer work in the organization.
Even though it is quite easy to construct a one-liner that can give us this information using PowerShell, we need to be careful about which attribute we are basing our query on and what the differences are.
Get last logon report using PowerShell
Connect to Exchange Online
Get last login report in Office 365
# Get last logon time
Last Logon Time : $LastLogon
Export Last Logon report in CSV
To export the last logon report in CSV file, run below PowerShell script. Make sure to replace the path where you want to save the CSV file.
# Create an array to store results
# Get last logon time
# Output the report
As the domain has more than one domain controller I also want to make sure I get all the data.
Any thoughts?
Here is my code:
$domainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
Write-Host "Create AD user report across the following domaincontroller: $domaincontrollers"
# Create an empty array to store the results
$results = @()
$searchbase = "DC=XXX,DC=XX"
# Iterate through each domain controller and retrieve users
foreach ($dc in $domainControllers) {
    # -Server points the query at the current DC; without it every pass queries the same default DC
    $users = Get-ADUser -Filter * -SearchBase $searchbase -Server $dc -Properties SamAccountName, UserPrincipalName, LastLogonDate, Enabled, LockedOut, PasswordNeverExpires, CannotChangePassword, whenCreated |
        Select-Object SamAccountName, UserPrincipalName, @{Name="LastLogin"; Expression={$_.LastLogonDate}}, Enabled, LockedOut, PasswordNeverExpires, CannotChangePassword, whenCreated
    $results += $users
}
# Export the results to a CSV file
$resultfinal = $results | Select-Object * -Unique
$resultfinal | Export-Csv -Path c:\logging\data\AD_User_Report.csv -NoTypeInformation
However, often I simply get nothing back and I’m not sure why exactly. Probably it’s related to the “unique” sorting option?
Understanding LastLogon and LastLogonTimeStamp Attributes:
- LastLogon Attribute: This attribute stores the most accurate last logon time for a user. However, it is not replicated across domain controllers, necessitating checking on each DC for the most recent time.
- LastLogonTimeStamp Attribute: While also providing last logon information, this attribute is designed to identify stale user accounts. It is replicated but has a latency of 9-14 days, making it less suitable for real-time last logon checks.
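Because LastLogon is stored separately on each domain controller, a true last logon report has to ask every DC and keep the newest value per user. The script below is an added example, not code from the original articles; the search base `DC=example,DC=com` and the output file name are placeholders to replace.

```powershell
# Added example: true last logon per user = newest lastLogon value seen on any DC.
Import-Module ActiveDirectory

$searchBase = 'DC=example,DC=com'   # assumption: replace with your own domain DN
$latest     = @{}                   # SamAccountName -> newest lastLogon (FILETIME, Int64)
$failedDCs  = @()

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        # -Server pins the query to this DC; lastLogon is only accurate per DC
        $users = Get-ADUser -Filter * -SearchBase $searchBase -Server $dc `
                     -Properties lastLogon -ErrorAction Stop
    } catch {
        # An unreachable DC means the report may understate the real last logon
        $failedDCs += $dc
        continue
    }
    foreach ($u in $users) {
        $stamp = [int64]$u.lastLogon   # unset value becomes 0 = never logged on via this DC
        if (-not $latest.ContainsKey($u.SamAccountName) -or
            $stamp -gt $latest[$u.SamAccountName]) {
            $latest[$u.SamAccountName] = $stamp
        }
    }
}

$report = foreach ($name in $latest.Keys) {
    [pscustomobject]@{
        SamAccountName = $name
        # 0 stays empty instead of turning into the year 1601
        LastLogon      = if ($latest[$name] -gt 0) { [DateTime]::FromFileTime($latest[$name]) } else { $null }
    }
}

if ($failedDCs) { Write-Warning "No data from: $($failedDCs -join ', ')" }
$report | Sort-Object LastLogon |
    Export-Csv -Path .\TrueLastLogon.csv -NoTypeInformation
```

Treat the report as incomplete whenever the warning lists a DC, since the missing controller may hold the most recent logon for some accounts.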
Step-by-Step Guide:
- Log into a Domain Controller:
- Ensure you are logged into a Domain Controller. If not, import the Active Directory PowerShell modules.
- Use Get-ADUser PowerShell cmdlet:
- Open PowerShell and execute the following command to retrieve the LastLogonDate for all domain users:
Get-ADUser -filter * -Properties "LastLogonDate" | select name, LastLogonDate
Note: To obtain the true last logon date, run the script on all domain controllers, as the LastLogon attribute is not replicated.
- Modify the PowerShell command to filter specific users:
Get-ADUser -filter {SamAccountName -eq 'username'} -Properties "LastLogonDate" | select name, LastLogonDate
3. Get Last Logon in the Last 30 Days:
- Use the following PowerShell command to retrieve the last logon date for users who logged in within the last 30 days:
# The AD filter cannot evaluate method calls, so compute the cutoff date first
$cutoff = (Get-Date).AddDays(-30)
Get-ADUser -filter {LastLogonDate -gt $cutoff} -Properties "LastLogonDate" | select name, LastLogonDate
How to find user’s last logon time using ManageEngine Free Active Directory Tools
- Download and Install ManageEngine Free Active Directory Tool.
- Begin by downloading the free tool from the official ManageEngine website.
- Follow the installation instructions to set up the tool on a system within your network.
- Launch the Tool and Connect to Active Directory.
- Once installed, launch the ManageEngine Free Active Directory Tool. In the main interface, locate the ‘AD Query’ tab.
- Here, you can connect to your Active Directory by providing the necessary credentials.
- Navigate to ‘Reports’ Section.
- This is where you will find a range of reporting options, including those related to user logon activities.
- Choose ‘User Logon Reports’.
- Click on it to access a variety of predefined reports designed to provide insights into user logon details.
- Select the Desired Report Type.
- Based on your specific needs, choose the type of report that aligns with the information you seek.
- Options may include ‘Last Logon Report’, ‘Users Not Logged in for the Last n Days’ and more.
- Customize Report Criteria.
- This customization allows you to tailor the report to meet your precise requirements.
- Generate the Report.
- Click on the ‘Generate’ button to initiate the report generation process.
- The tool will query Active Directory based on the specified criteria and compile the last logon information for the selected users.
- Review Last Logon Details.
- Once the report is generated, you will be presented with a detailed view of user logon information, including the last logon time for each user.
- Take note of this valuable data for further analysis or security audits.
- Export Report Data (Optional).
- If needed, the ManageEngine Free Active Directory Tool allows you to export the report data in various formats, such as CSV or PDF.
- This feature facilitates record-keeping, sharing information with stakeholders, or integrating the data into other management systems.
- Schedule Regular Logon Reports (Optional).
- To streamline the monitoring process, the tool enables you to schedule regular logon reports.
- Automation ensures that you receive timely updates on user logon activities without manual intervention.
- Utilize Advanced Features (Optional).
- Explore additional functionalities offered by the tool, such as ‘Inactivity Audit’ or ‘Threshold-based Alerting’.
- These advanced features enhance your ability to identify inactive accounts and set up proactive alerting for unusual logon patterns.
- Stay Mobile with ManageEngine App (Optional).
- For administrators on the move, ManageEngine provides a mobile app that grants access to critical information, including user logon details.
- Install the app on your mobile device for convenient and real-time management.
LastLogon vs LastLogonTimeStamp vs LastLogonDate
It’s important to understand the difference between the logon attributes as they are used for different reasons. When using PowerShell you will see three different lastlogon properties.
LastLogon
LastLogonTimeStamp
When to use? The LastLogonTimeStamp should be used to find stale accounts in Active Directory. Due to the delayed timestamp value, this attribute is not intended for creating last logon reports.
LastLogonDate
LastLogonDate is not an attribute; it is the calculated value of LastLogonTimeStamp when using PowerShell.
When to use? Use LastLogonDate when using PowerShell and you want an easy to read format of the LastLogonTimeStamp.
- Click on “User Reports” then click “Logon Reports” and “Last Logon Report”
- Click “Run” to get the last logon date for all users or click “Browse” to select an OU or group.
- Optionally, you can click the “Time” button to change the time range.
- Click “Run” to start the report.
Below is an example Last Logon Report from the toolkit. You can click “Export” and save to CSV, Excel, or PDF file.
Find and Disable User Accounts Not Logged In The Last 3 Months
You can find the info about which accounts have not logged into the domain in the last 3 months and disable them in one go. Use the command below for this task.
#Change 90 to whatever number of days you need.
$Date = (Get-Date).AddDays(-90)
Import-Module ActiveDirectory
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date} | Disable-ADAccount
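A review-first variant of the disable command above, added here as an example and not taken from the original article. The 30-day grace period for new accounts, the exclusion list and the CSV file name are assumptions to adapt.

```powershell
# Added example: report stale accounts, then dry-run the disable step.
Import-Module ActiveDirectory

$cutoff    = (Get-Date).AddDays(-90)   # inactivity threshold used in the article
$graceDate = (Get-Date).AddDays(-30)   # assumption: skip accounts created in the last 30 days
$exclude   = @('krbtgt', 'Guest')      # assumption: extend with your service accounts

# Only enabled accounts are candidates; already-disabled ones need no action
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object {
        $_.SamAccountName -notin $exclude -and
        $_.whenCreated -lt $graceDate -and
        # A null LastLogonDate means the account never logged on;
        # a plain "LastLogonDate -lt $date" filter would not return it
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
    }

# Keep a record of what is about to change before touching anything
$stale | Select-Object SamAccountName, LastLogonDate, whenCreated |
    Export-Csv -Path .\StaleAccountsToDisable.csv -NoTypeInformation

# -WhatIf only prints what would be disabled; remove it after reviewing the CSV
$stale | Disable-ADAccount -WhatIf
```

LastLogonDate can lag the real logon by up to 14 days, so accounts sitting just past the threshold are worth confirming against the per-DC LastLogon value before they are disabled.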
Get Last Logon 30 days
How to find last logon time for a single user
Click on View tab and make sure that Advanced features is turned on.

Look for the attribute LastLogon and LastLogonTimeStamp. These attributes will give you the necessary information. Why are we looking at two attributes for the same info you might ask.

Difference between LastLogon, LastLogonDate and LastLogonTimeStamp
If you are a large organization, you are better off using the LastLogonDate as this info gets replicated to all domain controllers. But (there is always a but), the info is replicated only if the ‘new’ value is older than 14 days compared to the previous value (not sure as to why it is this way!).
There is a third attribute, LastLogonTimeStamp, which is a replica of the LastLogonDate; however, the output is not in a human-readable date format. Also, this timestamp attribute is not just used for the logins, but rather the last time the account accessed something on the network, like connecting to the VPN, etc. Check the three attributes' info in the screenshot below.

To summarize, use LastLogon if you have a couple of domain controllers and LastLogonDate if you are a bigger shop.
Find Last Logon Info For All Enabled Users Using PowerShell
Import-Module ActiveDirectory
Get-ADUser -Filter 'Enabled -eq $true' -Properties * | Select Name, LastLogonDate, samaccountname
You can use the export-csv parameter to get the information out to a file.
Import-Module ActiveDirectory
Get-ADUser -Filter 'Enabled -eq $true' -Properties * | Select Name, LastLogonDate, samaccountname | export-csv .\EnabledUsersLoginInfo.csv -NoTypeInformation
Find Last Logon Info For All Users Using PowerShell
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties * | Select Name, LastLogonDate, samaccountname
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties * | Select Name, @{N='Last Logon'; E={[DateTime]::FromFileTime($_.LastLogon)}}, samaccountname

You can use the export-csv parameter to get the information to play with in Excel.
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties * | Select Name, LastLogonDate, samaccountname | export-csv .\AllUsersLoginInfo.csv -NoTypeInformation
Find Last Logon Info For Single User Using PowerShell
Now that we know how to get the info using ADUC, run the command below to get the info using PowerShell.
Import-Module ActiveDirectory
Get-ADUser -Identity <username> -Properties LastLogonDate
If you are adamant that you want to use the non-human readable LastLogon attribute, you can use the command below to convert the info into something more meaningful.
Import-Module ActiveDirectory
Get-ADUser -Identity <username> -Properties * | Select Name, @{N='Last Logon'; E={[DateTime]::FromFileTime($_.LastLogon)}}

Find Users Who Have Not Logged In The Last 90 Days
#Change 90 to whatever number of days you need.
$Date = (Get-Date).AddDays(-90)
Import-Module ActiveDirectory
Get-ADUser -Filter 'LastLogonDate -lt $date' -Properties * | Select Name, LastLogonDate, samaccountname
#Change 90 to whatever number of days you need.
$Date = (Get-Date).AddDays(-90)
Import-Module ActiveDirectory
Get-ADUser -Filter 'LastLogonDate -lt $date' -Properties * | Select Name, LastLogonDate, samaccountname | export-csv .\UsersNotLogged90Days.csv -NoTypeInformation
Option 2. Get AD Last Logon using PowerShell
Tip: Keep in mind to get the TRUE last logon date with PowerShell you would need to run the script on all domain controllers as the value is not replicated. The AD Pro Toolkit automatically gets the real last logon date and time from all domain controllers.
Step 1: Log into a Domain Controller
If you don’t run this from a DC, you may need to import the Active Directory PowerShell modules.
Step 2: Use Get-ADUser PowerShell cmdlet
Get-ADUser -filter * -Properties "LastLogonDate" | select name, LastLogonDate
You should get similar results to the screenshot below.
Get-ADUser -identity robert.allen -Properties "LastLogonDate" | select name, LastLogonDate
Get-ADUser -filter * -Properties LastLogonDate,lastlogon | select name, lastlogon,LastLogonDate