Last logon and Never logon

Hello,

I am trying to identify accounts that are enabled but have not had any logon activity for the past 180 days. I also want to target the accounts that are enabled but have never had a logon date (new accounts that are set to “User must change password at next logon”) for the same 180 day time frame. Below is the code I have, but I believe I am missing the accounts that are set to “User must change password at next logon”.

Any advice?

# $date must be defined before the filter can use it
$date = (Get-Date).AddDays(-180)
Get-ADUser -Filter {((Enabled -eq $true) -and (LastLogonDate -lt $date))} -Properties * | Select-Object samaccountname,Name,Title,Department,Company,Manager,LastLogonDate,LastLogon,description,DistinguishedName | Sort-Object LastLogonDate

Firstly, when posting code in the forum, please can you use the preformatted text </> button. It really helps us with readability, and copying and pasting your code (we don’t have to faff about replacing curly quote marks to get things working).

You have a few options, here’s a couple but there are other ways to query this.
If the user has never logged on, LastLogonDate won’t be populated and you can check for that with LastLogonDate -notlike '*'.
If the user has never changed their password, then the AD attribute to check is PasswordLastSet. PasswordLastSet -eq 0 will return True if the password has never been set.

You can use splatting to tidy up your code and avoid long lines:

$date = (Get-Date).AddDays(-180)

$query = @{
    Filter = {((Enabled -eq $true) -and
              ((LastLogonDate -lt $date) -or (LastLogonDate -notlike '*')))}

    Properties = @(
       'sAMAccountName',
       'Name',
       'Title',
       'Department',
       'Company',
       'Manager',
       'LastLogonDate',
       'LastLogon',
       'Description',
       'DistinguishedName'
    )
}

Get-ADUser @query | Select-Object $query.properties


This is great. I am wondering, for the accounts where the password has never been set (or returns as “0”), would it be possible to identify how old the account is or when it was created?

Just add WhenCreated to the list of properties.
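Putting the two replies above together, as an added example that is not code from this thread: the splatted query extended with PasswordLastSet, pwdLastSet and WhenCreated, so that accounts with no logon date are split by age. An account created inside the 180-day window that has never logged on is simply new; one that is older than the window and still has no logon is a cleanup candidate. It assumes the ActiveDirectory module is available; Get-StaleAccountReport and -Days are names chosen for this example.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module.
# Get-StaleAccountReport and -Days are names chosen for this example.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    param([int]$Days = 180)

    $cutoff = (Get-Date).AddDays(-$Days)
    $now    = Get-Date

    $query = @{
        # enabled, and either a logon older than the cutoff or no logon date at all
        Filter = { (Enabled -eq $true) -and
                   ((LastLogonDate -lt $cutoff) -or (LastLogonDate -notlike '*')) }
        Properties = @(
            'sAMAccountName', 'Name', 'Title', 'Department', 'Manager',
            'LastLogonDate', 'PasswordLastSet', 'pwdLastSet', 'WhenCreated',
            'Description', 'DistinguishedName'
        )
    }

    foreach ($u in Get-ADUser @query) {
        $neverLoggedOn = ($null -eq $u.LastLogonDate)
        $ageDays       = [int]($now - $u.WhenCreated).TotalDays

        # pwdLastSet = 0 is what "User must change password at next logon" sets;
        # PasswordLastSet is $null for those accounts.
        $mustChangePwd = ($u.pwdLastSet -eq 0)

        $category = if ($neverLoggedOn -and $ageDays -lt $Days) { 'NewNeverLoggedOn' }
                    elseif ($neverLoggedOn)                     { 'StaleNeverLoggedOn' }
                    else                                        { 'StaleLogon' }

        [pscustomobject]@{
            SamAccountName    = $u.sAMAccountName
            Name              = $u.Name
            Category          = $category
            MustChangePwd     = $mustChangePwd
            AccountAgeDays    = $ageDays
            WhenCreated       = $u.WhenCreated
            LastLogonDate     = $u.LastLogonDate
            PasswordLastSet   = $u.PasswordLastSet
            Manager           = $u.Manager
            DistinguishedName = $u.DistinguishedName
        }
    }
}

$report = Get-StaleAccountReport -Days 180

# Count per category, then export only the accounts older than the window
$report | Group-Object Category | Select-Object Name, Count
$report | Where-Object Category -ne 'NewNeverLoggedOn' |
    Sort-Object Category, LastLogonDate |
    Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
```

LastLogonDate is the friendly form of lastLogonTimestamp, which does replicate but is only refreshed when the stored value is more than about 9 to 14 days old, so it is accurate enough for a 180-day cutoff even though it is not exact to the day.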

What does this column mean?
Does the 0 mean the user has never logged on and set a password? I see some show “132538050322019000” characters. Is this a date?

LastLogon is updated on the domain controller that the user authenticates against. It is not replicated. It being 0 does not mean the user has never logged on* to the domain, just that they never authenticated against that DC.

It is indeed a date, and it can be converted to something a bit more friendly like this:

[datetime]::FromFileTime('132538050322019000')
30 December 2020 12:30:32

*It would mean they’ve never logged on if you’ve got only one DC, but no one has only one DC in prod, do they?
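Since lastLogon is kept separately on each DC and never replicated, the only way to get the real value is to ask every DC and keep the newest answer. As an added example that is not code from this thread, the function below does that for all enabled users in one pass per DC, flags the result as incomplete if any DC could not be queried (that DC may hold the only recent logon), and applies the 180-day cutoff to the merged value. It assumes the ActiveDirectory module and LDAP reachability to each DC; Get-DomainLastLogon and -Days are names chosen for this example.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# that every DC returned by Get-ADDomainController can be queried.
# Get-DomainLastLogon and -Days are names chosen for this example.
Import-Module ActiveDirectory

function Get-DomainLastLogon {
    param([int]$Days = 180)

    $cutoff = (Get-Date).AddDays(-$Days).ToFileTime()   # FILETIME, same unit as lastLogon
    $dcs    = (Get-ADDomainController -Filter *).HostName

    $newest      = @{}   # sAMAccountName -> newest lastLogon seen (Int64 FILETIME)
    $seenOn      = @{}   # sAMAccountName -> DC that reported that value
    $unreachable = [System.Collections.Generic.List[string]]::new()

    foreach ($dc in $dcs) {
        try {
            $users = Get-ADUser -Filter { Enabled -eq $true } -Server $dc -Properties lastLogon -ErrorAction Stop
        }
        catch {
            # A DC we could not read may hold the only recent logon for a user,
            # so the merged result must be marked incomplete rather than trusted.
            $unreachable.Add($dc)
            continue
        }

        foreach ($u in $users) {
            $sam = $u.sAMAccountName
            $ll  = [int64]$u.lastLogon      # $null (never authenticated here) becomes 0
            if (-not $newest.ContainsKey($sam) -or $ll -gt $newest[$sam]) {
                $newest[$sam] = $ll
                $seenOn[$sam] = $dc
            }
        }
    }

    foreach ($sam in $newest.Keys) {
        $ll = $newest[$sam]
        [pscustomobject]@{
            SamAccountName = $sam
            LastLogon      = if ($ll -gt 0) { [datetime]::FromFileTime($ll) } else { $null }
            ReportedBy     = $seenOn[$sam]
            StaleOrNever   = ($ll -lt $cutoff)          # 0 (never logged on anywhere) is always below the cutoff
            Incomplete     = ($unreachable.Count -gt 0)
            UnreachableDCs = ($unreachable -join ';')
        }
    }
}

Get-DomainLastLogon -Days 180 |
    Where-Object StaleOrNever |
    Sort-Object LastLogon |
    Format-Table SamAccountName, LastLogon, ReportedBy, Incomplete -AutoSize
```

Querying per DC rather than per user keeps the number of LDAP round trips at one per DC instead of one per user per DC, which matters in a large domain. Treat any row with Incomplete set to True as unconfirmed before disabling the account.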

So really, in an environment with multiple DCs, is LastLogon even helpful?

Questions like this have been asked and answered a thousand times before. Please use your favorite internet search engine to find some more information about the issue. There are even a lot of PowerShell code examples out there to query all DCs in a domain to get reasonable results.

Such as this helpful community member :innocent:


@krzydoug, that switch statement is very clever :clap:.

Thanks Matt. I learned lots of tricks from smart people like you, Olaf, etc.