Get-ADuser 'LastLogon' empty, but ADSI Edit has information?

Hi all,

 

I have been requested to report on last logins for users…I have tried Get-ADUser:

[pre]

Get-ADUser -Filter {enabled -eq $True} -Properties lastlogontimestamp, passwordlastset, passwordneverexpires |
    ft Name, passwordlastset, passwordneverexpires, @{Name="Last Logon";Expression={([datetime]::FromFileTime($_.LastLogonTimeStamp))}} |
    Out-File -file "$ADReports$D Password and Logons $Date.txt"

[/pre]

but a lot of the entries are blank. When I query the user specifically, LastLogonTimeStamp is empty…however, if I use ADSIEdit, and browse to the correct OU, I can see there is data stored for that user? There’s only one Domain Controller as well, so can’t work out why I’m not reproducing the same result with Get-ADuser…is there anything I need to synchronise for the ADSIEdit information to populate with Get-ADuser?

 

Thanks

 

Jason

There are different “lastLogon” attributes. Maybe you’re using the wrong one. See the answer from Richard Mueller in this thread. It might help you.

https://social.technet.microsoft.com/Forums/office/en-US/eba1b4da-dc88-42db-b596-fdfb8f8222db/powershell-getaduser-question?forum=ITCG#e1657a61-6979-4f3d-bf0c-c4d2d17dd4ed

Edit: If I understand it right you should use the attribute lastLogon and you will have to “calculate” it to make it human readable. Something like this should work actually

[pre]

Get-ADUser -Identity "sAMAccountName" -Properties lastLogon,LastLogonDate |
    Select-Object *,@{Name='LastLogonReadable';Expression={ [DateTime]::FromFileTime($_.LastLogon) }}

[/pre]

Hi, thanks Olaf, no luck I’m afraid…just tested on a user:

 

[pre]

DistinguishedName :
GivenName : Mark
LastLogonDate :
Name :
ObjectClass : user
ObjectGUID : 03382a95-c4fb-4cd3-b489-a1dc9d00748b
SamAccountName :
SID : S-1-5-21-2103417339-1537711377-xxxxxxx
Surname :
UserPrincipalName :
Enabled :
PropertyNames : {DistinguishedName, GivenName, LastLogon, LastLogonDate…}
AddedProperties : {}
RemovedProperties : {}
ModifiedProperties : {}
PropertyCount : 10
LastLogonReadable : 01/01/1601 00:00:00

[/pre]

However, if I go through ADSIEdit, I have entries for LastLogon and LastLogonTimestamp for the same user?

Bear in mind that LastLogon is not replicated - it’s per-DC. So it’s possible that ADSIEdit is connecting to a DC that has the data, which would be the one the user is authenticating to, but your command is connecting to something different.

LastLogonTimestamp replicates, but on a “slow” track. It can take time to make it to every DC.

It’s worth reading up on how those two properties work, as they’re pretty tricky to actually work with due to the way AD itself is built.
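
Added example, not part of any post in this thread: because lastLogon is stored per DC and an unset value converts to 01/01/1601, a logon report has to ask every DC, keep the newest value, and treat 0 as "no logon recorded". The helper names `ConvertFrom-LogonFileTime`, `Get-UserLogonPerDC` and `Resolve-LatestLogon` are hypothetical, the DC names and times in the sample are constructed, and the live query assumes the ActiveDirectory module is installed.

```powershell
function ConvertFrom-LogonFileTime {
    param([long]$FileTime)   # $null is coerced to 0
    # 0 / unset means no logon recorded; FromFileTime(0) would show 01/01/1601.
    if ($FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-UserLogonPerDC {
    # Live collection: one record per domain controller for a single user.
    param([Parameter(Mandatory)][string]$Identity)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp
        [pscustomobject]@{
            DC                 = $dc.HostName
            lastLogon          = $u.lastLogon
            lastLogonTimestamp = $u.lastLogonTimestamp
        }
    }
}

function Resolve-LatestLogon {
    param([Parameter(Mandatory)][object[]]$PerDcRecord)
    # lastLogon is not replicated, so the real value is the maximum across DCs.
    $best = $PerDcRecord | Sort-Object { [long]$_.lastLogon } -Descending |
            Select-Object -First 1
    # lastLogonTimestamp replicates slowly; take the newest copy seen.
    $ts   = $PerDcRecord | Sort-Object { [long]$_.lastLogonTimestamp } -Descending |
            Select-Object -First 1
    [pscustomobject]@{
        LastLogon          = ConvertFrom-LogonFileTime ([long]$best.lastLogon)
        SourceDC           = if ([long]$best.lastLogon -gt 0) { $best.DC } else { $null }
        LastLogonTimestamp = ConvertFrom-LogonFileTime ([long]$ts.lastLogonTimestamp)
    }
}

# Constructed sample records (not from the thread): dc01 never saw the user log on.
$t = [DateTime]::new(2024, 3, 1, 8, 30, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$sample = @(
    [pscustomobject]@{ DC = 'dc01.example.test'; lastLogon = 0;  lastLogonTimestamp = $null }
    [pscustomobject]@{ DC = 'dc02.example.test'; lastLogon = $t; lastLogonTimestamp = $t - 864000000000 * 5 }
)
Resolve-LatestLogon -PerDcRecord $sample

# Live use against the domain:
# Resolve-LatestLogon -PerDcRecord (Get-UserLogonPerDC -Identity 'sAMAccountName')
```

A `$null` in the `LastLogon` column means no DC returned a value for the account, which is different from a logon dated 1601.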