Lastlogon query in Active Directory

This topic contains 0 replies, has 1 voice, and was last updated by  Forums Archives 5 years, 7 months ago.

  • Author
  • #6275

    by Christopher.Ellis at 2013-02-14 07:23:59

    What command syntax do I user for users lastlogon within 30 days ? Would the results vary if i run the query against a Domain controller and the user authenticates against another Domain Controller

    I an new to powershell and not good at scripting. Thank you

    by ArtB0514 at 2013-02-14 08:42:50

    Use the lastLogonTimetamp property. It's replicated, so you won't need to check every domain controller. BUT, it's not guaranteed to be accurate for less than about 2 weeks. As long as you only care about less than 30 days (rather than abolute accuracy) you won't have any problems. See for more detail.

    by Christopher.Ellis at 2013-02-14 10:25:13

    You have enlighted me on the replication of AD, however i do not know the syntax to query in powershell, the link attachment mentions the properties of last logon however what would I type at the powershell prompt?

    by ArtB0514 at 2013-02-14 11:26:20

    You will need either the Quest ( or the Microsoft (part of the RSAT) active directory addins. Then a little script like this will collect the data for you:

    Quest]$Since = (Get-Date).AddDays(-30).Date
    $ActiveUsers = Get-QADUser | Where-Object {$_.lastLogonTimestamp -lt $Since}[/powershell]

    Microsoft RSAT]$Since = (Get-Date.AddDays(-30).Date
    $ActiveUsers = Get-ADUser -Filter * | Where-Object {$_.lastLogonTimestamp -lt $Since}[/powershell]

    Then you have to decide what you want to do with the collection of user information that has been stored in the $ActiveUsers array.

    For more information about PowerShell and how to use it, I suggest that you check out and the books section link at the top of this page.

    by Christopher.Ellis at 2013-02-19 09:16:13

    I entered the following: get-aduser -filter * -property LastlogonTimeStamp

    Sample results

    DistinguishedName : CN=Sharon.Stull,OU=Head Office – 2713 Lancasterservices,DC=ca
    Enabled : True
    GivenName : Sharon
    LastlogonTimeStamp : 130057575269700024
    Name : Sharon.Stull
    ObjectClass : user
    ObjectGUID : 31869ab5-f5c4-496e-9f79-3e856d686c6c
    SamAccountName : Sharon.Stull
    SID : S-1-5-21-1140152784-10511339-5522801-4049
    Surname : Stull
    UserPrincipalName :

    question how do i get LastlogonTimeStamp : 130057575269700024 to be read in a proper format?

    by ArtB0514 at 2013-02-19 10:11:57

    Sorry about that. Quest does the conversion for you. With the Microsoft tools, you need to do this:
    The easiest way is probably to do a Select-Object for the properties that you want during the data collection phase:
    $Since = (Get-Date.AddDays(-30).Date
    $ActiveUsers = Get-ADUser -Filter * | Where-Object {$_.lastLogonTimestamp -lt $Since} |
    Select SamAccountName,Enabled,GivenName,SurName,@{Name='Last Logon';Expression={[System.DateTime]]
    and add any other properties you need to that comma separated list.

You must be logged in to reply to this topic.