I am trying to get the LastLogon details for Users in AD, complete with the name of the workstation they used to do so.
For some reason Microsoft do not consider that sort of information all that important
I can use get-aduser to find the ‘LastLogon’ for each user. As MS do not replicate that, I have to do so on every Domain Controller (19 of them including Branch Offices) and find the most recent value from those.
Then I can search the EventLogs with get-eventlog and get the ‘TimeGenerated’ values - then try to match the two results to find which event corresponds to the ‘LastLogon’.
Then I can parse the ‘Message’ field of the Event to find the IP address of the workstation used.
Then I can resolve that with DNS to get the hostname of the workstation.
Unfortunately, for some reason, the value of ‘LastLogon’ in the User ID in AD is stored with as much as 7 decimal places of seconds - whereas the ‘TimeGenerated’ value in the EventLog is only stored in full seconds - both on the same Domain Controller.
Also, the Eventlog seems to record about a dozen 4624 (logon) entries at more or less the same moment (probably as each drive letter is mapped to different volumes on the SAN). How am I supposed to identify which one of these corresponds to the ‘LastLogon’ if they are all logged as integer values when the exact same entries (or one of them) are stored in AD with full precision (i.e. as Real values)? This has to be the same data - so why are they stored to differing levels of precision?
Any ideas please?
(Here’s hoping this posts successfully)
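The procedure described in the post (query lastLogon on every DC, keep the newest, pull the matching 4624 events from that DC, parse the source address, resolve it) as one added PowerShell example. This is example code, not something from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module, rights to read the Security log on each DC, and that `Get-WinEvent` can reach the DCs remotely. It handles the precision mismatch by searching a small time window around lastLogon instead of demanding an exact match, and it collapses the dozen near-simultaneous 4624 entries by grouping on source IP, since they all come from the same workstation:

```powershell
# Added example (not from the original post): correlate a user's newest
# lastLogon across all DCs with Security event 4624 on that DC, then resolve
# the source IP to a hostname. Assumes RSAT ActiveDirectory module and the
# right to read the Security log on each DC.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$WindowSeconds = 2        # tolerance for the 1 s event-log rounding
)
Import-Module ActiveDirectory

# 1. lastLogon is not replicated, so ask every DC and keep the newest value.
$newest = $null
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
    } catch { Write-Warning "Could not query $($dc.HostName): $_"; continue }
    if ($u.lastLogon -and ($null -eq $newest -or $u.lastLogon -gt $newest.Value)) {
        $newest = [pscustomobject]@{ DC = $dc.HostName; Value = $u.lastLogon }
    }
}
if (-not $newest) { throw "No lastLogon found for $SamAccountName on any DC" }

# lastLogon is a FILETIME (100 ns ticks since 1601, UTC); this is where the
# "7 decimal places of seconds" come from.
$lastLogon = [DateTime]::FromFileTimeUtc($newest.Value)

# 2. Pull 4624 events on that DC inside a window around lastLogon.
#    TimeCreated is whole seconds, lastLogon is 100 ns ticks, so a window
#    rather than an exact timestamp match is the only reliable comparison.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $lastLogon.AddSeconds(-$WindowSeconds).ToLocalTime()
    EndTime   = $lastLogon.AddSeconds($WindowSeconds).ToLocalTime()
}
$events = Get-WinEvent -ComputerName $newest.DC -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Read the structured EventData fields instead of regexing the Message text.
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -ne $SamAccountName) { continue }   # case-insensitive
    [pscustomobject]@{
        Time        = $e.TimeCreated
        LogonType   = $d.LogonType
        Workstation = $d.WorkstationName
        IpAddress   = $d.IpAddress
    }
}

# 4. The near-simultaneous 4624s (drive mappings etc.) share one source IP;
#    collapse them and resolve each distinct IP with a PTR lookup.
$hits | Group-Object IpAddress | ForEach-Object {
    $ip  = $_.Name
    $ptr = $null
    if ($ip -and $ip -ne '-') {
        try { $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop).NameHost } catch {}
    }
    [pscustomobject]@{
        User        = $SamAccountName
        DC          = $newest.DC
        LastLogon   = $lastLogon
        LogonTypes  = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        IpAddress   = $ip
        Hostname    = $ptr
        Workstation = ($_.Group.Workstation | Sort-Object -Unique) -join ','
    }
}
```

Two caveats worth keeping in mind when reading the output. A 4624 on a domain controller records a logon to the DC itself (the drive-mapping noise is logon type 3, network), not the interactive logon on the workstation, so the `WorkstationName` and `IpAddress` fields tell you where the session came from rather than proving the user sat at that machine; the Kerberos TGT event 4768 on the DC also carries the client address and is often the cleaner source for "which workstation". And if a two-week granularity is acceptable, `lastLogonTimestamp` is the replicated cousin of `lastLogon` and can be read from any single DC, which avoids the 19-DC sweep entirely.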