User last logon in 90 days in Active Directory
Hello, As a system administrator, it is important to track the last logon timestamps of Active Directory (AD) user accounts, ensure network security, and review old and inactive users. In this article, I will explain the differences between attributes such as LastLogon, LastLogonTimeStamp, and what LastLogonDate is, and how to obtain this information.
✅ LastLogon: ***This value is used to determine the exact logon time. It is updated instantly with each logon. However, it is not replicated to other domain controllers, so it must be checked on each DC, because users may have logged on to different DCs.
✅ LastLogonTimeStamp: This value is an attribute in Active Directory that allows tracking user logon information more centrally. It is not updated immediately on each logon (by default it is updated with a delay of 9-14 days). However, it is replicated among the domain controllers and becomes a common source of information for all DCs. *** However, it cannot be used to determine the exact logon time!
📜 LastLogonDate: LastLogonDate is not an attribute! It is the conversion of LastLogonTimeStamp from raw format to a readable date format using PowerShell. You cannot access this data directly from the Active Directory management interface, but you can read the data using PowerShell.
Sample Raw Format: 133720509101693344 etc.
📌 The following scripts are only used for user accounts. If you want to use them on computer accounts, you need to change Get-ADUser to Get-ADComputer.
🎯LastLogonDate Check:
#All Users:
Get-ADUser -Filter * -Properties lastLogon | Select name, surname, samaccountname, @{Name="lastLogon";Expression={[datetime]::FromFileTime($_.'lastLogon')}}
#Specific OU:
Get-ADUser -Filter {Enabled -eq $true} -SearchBase "OU=uyeler,DC=guler,DC=com" -Properties LastLogon | Select-Object -Property SamAccountName, Name, Surname, @{n="LastLogonDate"; e={[datetime]::FromFileTime($_.LastLogon)}}
#Specific User:
Get-ADUser -Identity "hakan" -Properties "LastLogon" | Select Name, @{N='LastLogon:'; E={[DateTime]::FromFileTime($_.LastLogon)}}
#90 days LastLogondate:
$When = ((Get-Date).AddDays(-90)).ToFileTime()
Get-ADUser -Filter * -SearchBase "OU=personel,DC=guler,DC=com" -Properties samaccountname, givenName, surname, lastLogon |
Where-Object { $_.lastLogon -lt $When -and $_.lastLogon -ne $null } |
Select-Object name, surname, samaccountname, @{Name="lastLogon"; Expression={[datetime]::FromFileTime($_.'lastLogon')}}
#90 days LastLogondate Disabled:
$When = ((Get-Date).AddDays(-90)).ToFileTime()
Get-ADUser -Filter * -SearchBase "OU=personel,DC=guler,DC=com" -Properties samaccountname, givenName, surname, lastLogon |
Where-Object { $_.lastLogon -lt $When -and $_.lastLogon -ne $null } |
ForEach-Object { Disable-ADAccount -Identity $_.samaccountname }
---NOTE:
#Users who have never logged in are shown with the FileTime zero date, here [12/31/1600 4:00:00 PM] (January 1, 1601 UTC converted to local time)
SamAccountName Name  Surname LastLogonDate
-------------- ----  ------- -------------
yasin          yasin gencer  12/31/1600 4:00:00 PM
mert           mert          12/31/1600 4:00:00 PM
esin           esin  yildiz  12/31/1600 4:00:00 PM
🔀Multi-DC Specific User LastLogonDate Check:
# Ask every domain controller for its own (non-replicated) LastLogon value
foreach ($dc in Get-ADDomainController -Filter *) {
    $user = Get-ADUser "hakan" -Server $dc.HostName -Properties LastLogon
    [PSCustomObject]@{
        Domain    = $dc.HostName
        Name      = $user.Name
        LastLogon = if ($user.LastLogon) { [DateTime]::FromFileTime($user.LastLogon) } else { [DateTime]::FromFileTime(0) }
    }
}
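The following added example is not part of the original article. Because LastLogon is not replicated, a 90-day check against a single DC can flag a user who logged on elsewhere, so this version queries every DC, keeps the newest of lastLogon and lastLogonTimestamp per user, and reports (without disabling) enabled accounts idle for more than 90 days. The OU is reused from the article's samples; the variable and column names are illustrative assumptions.

```powershell
# Added example: domain-wide 90-day inactivity report (read-only, disables nothing).
Import-Module ActiveDirectory

$SearchBase = "OU=personel,DC=guler,DC=com"   # sample OU from the article; adjust to your domain
$Threshold  = (Get-Date).AddDays(-90)
$Latest     = @{}                             # DistinguishedName -> newest logon value seen on any DC

foreach ($dc in Get-ADDomainController -Filter *) {
    $query = @{
        Filter      = 'Enabled -eq $true'
        SearchBase  = $SearchBase
        Server      = $dc.HostName
        Properties  = 'lastLogon', 'lastLogonTimestamp'
        ErrorAction = 'Stop'
    }
    try { $users = Get-ADUser @query }
    catch {
        # An unreachable DC may hold the most recent logon, so make the gap visible.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        # lastLogon is per-DC, lastLogonTimestamp is replicated; an unset value casts to 0.
        $seen = [Math]::Max([int64]$u.lastLogon, [int64]$u.lastLogonTimestamp)
        $dn   = $u.DistinguishedName
        if (-not $Latest.ContainsKey($dn) -or $seen -gt $Latest[$dn].FileTime) {
            $Latest[$dn] = [PSCustomObject]@{
                SamAccountName = $u.SamAccountName
                Name           = $u.Name
                FileTime       = $seen
                SeenOn         = $dc.HostName
            }
        }
    }
}

$Report = foreach ($entry in $Latest.Values) {
    $never = ($entry.FileTime -eq 0)          # no logon recorded on any DC
    $last  = if ($never) { $null } else { [DateTime]::FromFileTime($entry.FileTime) }
    if ($never -or $last -lt $Threshold) {
        [PSCustomObject]@{
            SamAccountName = $entry.SamAccountName
            Name           = $entry.Name
            LastLogon      = $last
            NeverLoggedOn  = $never
            NewestValueOn  = $entry.SeenOn
        }
    }
}
$Report | Sort-Object LastLogon | Format-Table -AutoSize
```

Review the NeverLoggedOn rows separately before acting on them, since they include accounts that were created recently and have not been used yet.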
🔍LastLogonTimeStamp Check:
***NOTE: Cannot be used to determine exact login time!
#Specific OU:
Get-ADUser -Filter {Enabled -eq $true} -SearchBase "OU=uyeler,DC=guler,DC=com" -ResultPageSize 0 -Properties lastLogonTimestamp | Select-Object samaccountname, name, surname, @{n="lastLogonTimestamp";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}}
#Specific User:
Get-ADUser -Identity "hakan" -Properties LastLogondate | Select-Object -Property Name, LastLogonDate
#90 days LastLogonTimeStamp:
$When = (Get-Date).AddDays(-90).ToFileTime()
Get-ADUser -Filter {enabled -eq $true} -SearchBase "OU=uyeler,DC=guler,DC=com" -SearchScope Subtree -Properties SamAccountName, Name, Surname, lastLogonTimeStamp |
Where-Object { $_.lastLogonTimeStamp -lt $When -and $_.lastLogonTimeStamp -ne $null } |
Select-Object SamAccountName, Name, Surname, @{Name="lastLogonTimeStamp"; Expression={[datetime]::FromFileTime($_.lastLogonTimeStamp)}}
#90 days LastLogonTimeStamp Disabled:
# Note: the "-or ... -eq $null" clause below also matches accounts that have never logged on.
$When = (Get-Date).AddDays(-90).ToFileTime()
Get-ADUser -Filter * -SearchBase "OU=personel,DC=guler,DC=com" -Properties SamAccountName, LastLogonTimestamp |
Where-Object { $_.LastLogonTimestamp -lt $When -or $_.LastLogonTimestamp -eq $null } |
ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName }
📌📌📌 Users who have never logged in are not returned by the searches that filter with -ne $null; you can change this if you want.
Find active users under specific OUs: -Filter {Enabled -eq $true}
Get-ADUser -Filter {Enabled -eq $true} -SearchBase "OU=personel,DC=guler,DC=com" -Properties SamAccountName | Select-Object SamAccountName, Name, Surname
📝Data Exporting:
| Export-Csv -Path "C:\Users_report.csv" -NoTypeInformation
Stop stealing labor! because time and sweat are inestimable. #TheGuler