AD DS: Get last logon for user
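To get the most accurate date and time of a user's last logon, you need to use both lastLogon and lastLogonTimestamp. lastLogon will only be triggered when an interactive logon is done, while lastLogonTimestamp will be updated if lastLogon is newer than 14 days(ish) and if a logon is done by a service. lastLogon is also not replicated between domain controllers, so it has to be read from every DC, which is what the function below does.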
You can achieve this with powershell
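function Get-UserLastLogonTime {
    <#
    .SYNOPSIS
    Reports the most recent logon time for one or more accounts by querying every domain controller.

    .DESCRIPTION
    For each sAMAccountName the function asks every domain controller returned by
    Get-ADDomainController for the account's lastLogon and lastLogonTimestamp attributes,
    keeps the newest value of each, and reports the newer of the two as LastLogonDateTime.

    .PARAMETER samaccountname
    One or more sAMAccountName values. Accepts pipeline input by value and by property name.

    .OUTPUTS
    One object per account with the properties AccountName, DomainController, Lastlogon,
    LastLogonTimeStamp and LastLogonDateTime. Timestamps are local-time [datetime] values;
    a property stays $null when no queried DC returned a non-zero value for it.

    .NOTES
    A DC that cannot be queried is skipped with a warning. The reported time is then only a
    lower bound, so check for warnings before treating an account as stale or disabling it.
    DomainController names the DC on which the winning value was first read. When the winning
    value is lastLogonTimestamp (a replicated attribute), that is not necessarily the DC that
    handled the logon.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=1)]
        [String[]]$samaccountname
    )
    Begin {
        # Enumerate the DCs once; the list is reused for every account on the pipeline.
        $AdDnsRoot = (Get-ADDomain).DNSRoot
        $domainController = Get-ADDomainController -Filter * -Server $AdDnsRoot
    }
    Process {
        foreach ($sam in $samaccountname) {
            $myobj = [pscustomobject][ordered]@{
                AccountName        = $sam
                DomainController   = $null
                Lastlogon          = $null
                LastLogonTimeStamp = $null
                LastLogonDateTime  = $null
            }

            foreach ($dc in $domainController) {
                try {
                    $user = Get-ADUser -Identity $sam -Server $dc.HostName -Properties LastLogon,LastLogonTimeStamp,Enabled -ErrorAction Stop
                }
                catch {
                    # Inspect only the error that was just caught ($_). The global $Error
                    # list also holds unrelated, older errors from the session.
                    if ($_.Exception.Message -like "*Cannot find an object with identity*") {
                        Write-Warning "SamAccounName $sam was not found on DC $($dc.HostName)"
                    }
                    else {
                        Write-Warning "Query for $sam on DC $($dc.HostName) failed: $($_.Exception.Message)"
                    }
                    # Skip this DC only. The failure must not suppress the remaining DCs or
                    # later accounts, and a stale $user from a previous iteration must not be reused.
                    continue
                }

                # A missing or zero value means "never logged on here". Converting it would
                # yield a misleading date in the year 1601, so it is ignored instead.
                if ($user.LastLogon -gt 0) {
                    $logon = [datetime]::FromFileTime($user.LastLogon)
                    if ($null -eq $myobj.Lastlogon -or $myobj.Lastlogon -lt $logon) {
                        $myobj.Lastlogon = $logon
                    }
                }
                if ($user.LastLogonTimeStamp -gt 0) {
                    $stamp = [datetime]::FromFileTime($user.LastLogonTimeStamp)
                    if ($null -eq $myobj.LastLogonTimeStamp -or $myobj.LastLogonTimeStamp -lt $stamp) {
                        $myobj.LastLogonTimeStamp = $stamp
                    }
                }

                # The overall result is the newer of the two attributes seen so far.
                foreach ($candidate in @($myobj.Lastlogon, $myobj.LastLogonTimeStamp)) {
                    if ($null -ne $candidate -and
                        ($null -eq $myobj.LastLogonDateTime -or $myobj.LastLogonDateTime -lt $candidate)) {
                        $myobj.LastLogonDateTime = $candidate
                        $myobj.DomainController  = $dc.Name
                    }
                }
            }

            # Emit each result as soon as it is complete instead of collecting an array.
            $myobj
        }
    }
}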