how to find what computer a user last logged into
The Active Directory administrator must periodically identify and disable inactive objects in AD. In this article, we will show how to get the last logon time for an AD domain user and find accounts that have been inactive for more than 90 days.
How to Get a User's Last Logon Time Using ADUC?
You can find out the last logon time for the domain user with the ADUC graphical console (Active Directory Users and Computers).
- Run the console dsa.msc;
- In the top menu, enable the option View > Advanced Features;
- Find the user in the AD tree and open its properties;
- Click on the tab Attribute Editor;
- In the list of attributes, find lastLogon. This attribute contains the time the user last logged on to the domain.
Note. The attribute list shows two similar attributes: lastLogon and lastLogonTimestamp. What's the difference between them?
- lastLogon attribute is updated when the user logs on to the domain. But it only changes on the domain controller that authenticated the user, and is not replicated to other domain controllers. Therefore, if there are multiple domain controllers at different AD sites, you will have to check this attribute on each of them and then compare the resulting data. The value of this attribute on different DCs for the user can be different or even zero (if the user has never been authenticated on this DC);
- lastLogonTimeStamp attribute is also changed when the user logs on to the domain controller and is replicated to other DCs. However, replication of this attribute takes a long time (this attribute is replicated only if its value is 14 days or older than the previous one). Therefore, the information in this attribute on a specific DC may not be up to date.
Find Last Logon Time Using CMD
You can find out the time the user last logged into the domain from the command line using the net or dsquery tools.
Open a command prompt (you don't need domain administrator privileges to get AD user info), and run the command:
net user administrator /domain| findstr "Last"
The output shows the user's last logon time: 08.08.2019 11:14:13.
You can also get the last logon time using dsquery. For example:
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=administrator))" -attr distinguishedName lastLogon lastLogonTimestamp -limit 0
The main problem is that the attributes lastLogon and lastLogonTimestamp are stored in timestamp format in AD, and you need to additionally convert them to a normal time format.
You can also use this command to find all users who are inactive, for example, for 10 weeks:
dsquery user domainroot -inactive 10
Find Last Logon Time Using PowerShell
You can also use PowerShell to get the user's last domain logon time. For this, you need to use the Active Directory module for Windows PowerShell. Install this module and import it into your PowerShell session:
Import-Module ActiveDirectory
To find the last logon time for the domain administrator account, run the command:
Get-ADUser -Identity administrator -Properties LastLogon
The cmdlet returned the time in Timestamp format. To convert it to a normal time, use the following command:
Get-ADUser -Filter {Name -eq "administrator"} -Properties * | Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}}
Using PowerShell, you can display the last logon time for all enabled domain users:
Get-ADUser -filter {enabled -eq $true} -Properties * | Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}} | Sort-Object LastLogon -Descending
Or you can find users who are inactive for more than 90 days:
$date1 = (Get-Date).AddDays(-90)
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | ft
After identifying inactive accounts, we recommend you disable those users' accounts, wait a few weeks, and then delete the accounts if no problems have been reported. You can disable inactive users using the Disable-ADAccount cmdlet:
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | Disable-ADAccount
Similarly, you can get the last logon time for computer objects in a domain. The following command will list all computers that have been inactive for more than 90 days:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
Hint. You can get the detailed user logon history only from the security event logs of domain controllers.
Get Last Logon for User across All Domain Controllers
As we said earlier, if there are several domain controllers in your domain, then the lastLogon value on them may differ. If a user has been inactive for more than 14 days, the easiest way is to get the value of the lastLogonTimeStamp attribute from any domain controller. However, if you don't know which site or DC the user was last authenticated on, you will have to query all domain controllers in the AD to get the user's last logon date.
The following PowerShell script loops through all domain controllers in the domain and gets the value of the lastLogon attribute from each of them. The result is exported to a CSV file:
$userlogonname = 'bjackson'
$csvoutputfile = 'c:\ps\lastlogon_from_all_dcs.csv'
$resultlogonhistory = @()
Import-Module ActiveDirectory
# Names of all domain controllers in the domain
$DCs = (Get-ADDomainController -Filter *).Name
foreach ($DC in $DCs) {
    Try {
        # lastLogon is not replicated, so read it from each DC in turn
        $aduser = Get-ADUser $userlogonname -Server $DC -Properties lastlogon -ErrorAction Stop
        $resultlogonhistory += New-Object -TypeName PSObject -Property ([ordered]@{
            'User' = $userlogonname
            'DC' = $dc
            'LastLogon' = [datetime]::FromFileTime($aduser.'lastLogon')
        })
    }
    Catch {
        Write-host "Can't connect DC $($dc)!"
    }
}
$resultlogonhistory | Export-CSV -path $csvoutputfile -NoTypeInformation -Delimiter "," -Encoding UTF8
If you need to quickly find the maximum user LastLogon value from all DCs, use the following one-liner:
[datetime]::FromFileTime((Get-ADDomainController -Filter * | foreach {Get-ADUser 'bjackson' -Properties LastLogon -Server $_.Name | select LastLogon} | Measure-Object -Property LastLogon -Maximum).Maximum)
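The raw timestamps returned by dsquery and the per-DC lastLogon values both need the same handling: convert the FILETIME, treat 0 as "no logon recorded", and reconcile the per-DC values with the replicated lastLogonTimestamp. The following is an added example, not code from the original article; the function names Convert-AdFileTime and Get-LogonStatus, the NeverLoggedOn status and the sample accounts are assumptions, and the values are constructed so it runs without a domain.

```powershell
# Added example: names and sample values are constructed, not from a real domain.
function Convert-AdFileTime {
    param([Int64]$Value)
    # 0 means the attribute was never set on that DC. FromFileTime(0) would
    # render as a date around the year 1601, so return $null instead.
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-LogonStatus {
    param(
        [string]$User,
        [Int64[]]$LastLogonPerDC,    # raw lastLogon, one value per DC queried
        [Int64]$LastLogonTimestamp,  # replicated attribute, read from any DC
        [DateTime]$NowUtc,
        [int]$InactiveDays = 90
    )
    # Newest value wins: lastLogon is exact but local to one DC,
    # lastLogonTimestamp is replicated but can lag behind it.
    $newest = [Int64]0
    foreach ($v in @($LastLogonPerDC) + $LastLogonTimestamp) {
        if ($v -gt $newest) { $newest = $v }
    }
    $last = Convert-AdFileTime -Value $newest
    if ($null -eq $last) { $status = 'NeverLoggedOn' }
    elseif (($NowUtc - $last).TotalDays -gt $InactiveDays) { $status = 'Inactive' }
    else { $status = 'Active' }
    [pscustomobject]@{ User = $User; LastLogonUtc = $last; Status = $status }
}

# Constructed sample: FILETIME values derived from a fixed "now".
$now = [DateTime]::new(2019, 8, 8, 12, 0, 0, [DateTimeKind]::Utc)
$ago = { param($days) $now.AddDays(-$days).ToFileTimeUtc() }
$samples = @(
    # Logged on to one DC a few hours ago; the replicated timestamp is 10 days behind.
    @{ User = 'user.a'; LastLogonPerDC = @(0, (& $ago 0.1), (& $ago 10)); LastLogonTimestamp = (& $ago 10) }
    # No lastLogon on the DCs queried; only the replicated value is left.
    @{ User = 'user.b'; LastLogonPerDC = @(0, 0, 0); LastLogonTimestamp = (& $ago 120) }
    # Account that has never authenticated anywhere.
    @{ User = 'user.c'; LastLogonPerDC = @(0, 0, 0); LastLogonTimestamp = 0 }
)
foreach ($s in $samples) { Get-LogonStatus @s -NowUtc $now }
```

Accounts with no logon recorded come back as NeverLoggedOn rather than with a 1601 date, so they can be reviewed separately from stale accounts.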
Source: https://theitbros.com/get-last-logged-on-user/