Lastlogon query in Active Directory

by Christopher.Ellis at 2013-02-14 07:23:59

What command syntax do I use for users' lastLogon within 30 days? Would the results vary if I run the query against a domain controller and the user authenticates against another domain controller?

I am new to PowerShell and not good at scripting. Thank you
by ArtB0514 at 2013-02-14 08:42:50
Use the lastLogonTimestamp property. It’s replicated, so you won’t need to check every domain controller. BUT, it’s not guaranteed to be accurate for less than about 2 weeks. As long as you only care about less than 30 days (rather than absolute accuracy) you won’t have any problems. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms676824(v=vs.85).aspx for more detail.
by Christopher.Ellis at 2013-02-14 10:25:13
You have enlightened me on the replication of AD; however, I do not know the syntax to query in PowerShell. The link attachment mentions the properties of last logon; however, what would I type at the PowerShell prompt?
by ArtB0514 at 2013-02-14 11:26:20
You will need either the Quest (http://www.quest.com/powershell/activeroles-server.aspx) or the Microsoft (part of the RSAT) active directory addins. Then a little script like this will collect the data for you:

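Quest:
[powershell]
$Since = (Get-Date).AddDays(-30).Date
# Keep users whose last logon falls within the last 30 days
$ActiveUsers = Get-QADUser | Where-Object {$_.lastLogonTimestamp -ge $Since}
[/powershell]

Microsoft RSAT:
[powershell]
$Since = (Get-Date).AddDays(-30).Date
# lastLogonTimestamp must be requested explicitly and is a FILETIME integer, so compare it with $Since as a FILETIME
$ActiveUsers = Get-ADUser -Filter * -Properties lastLogonTimestamp | Where-Object {$_.lastLogonTimestamp -ge $Since.ToFileTime()}
[/powershell]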

Then you have to decide what you want to do with the collection of user information that has been stored in the $ActiveUsers array.

For more information about PowerShell and how to use it, I suggest that you check out http://social.technet.microsoft.com/wiki/contents/articles/183.windows-powershell-survival-guide.aspx and the books section link at the top of this page.
by Christopher.Ellis at 2013-02-19 09:16:13
I entered the following: get-aduser -filter * -property LastlogonTimeStamp

Sample results

DistinguishedName : CN=Sharon.Stull,OU=Head Office - 2713 Lancasterservices,DC=ca
Enabled : True
GivenName : Sharon
LastlogonTimeStamp : 130057575269700024
Name : Sharon.Stull
ObjectClass : user
ObjectGUID : 31869ab5-f5c4-496e-9f79-3e856d686c6c
SamAccountName : Sharon.Stull
SID : S-1-5-21-1140152784-10511339-5522801-4049
Surname : Stull
UserPrincipalName : Sharon.Stull@internal.xxxx.ca


Question: how do I get LastlogonTimeStamp : 130057575269700024 to be read in a proper format?
by ArtB0514 at 2013-02-19 10:11:57
Sorry about that. Quest does the conversion for you. With the Microsoft tools, you need to do this:
[System.DateTime]::FromFileTime($_.lastLogonTimestamp)
The easiest way is probably to do a Select-Object for the properties that you want during the data collection phase:
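$Since = (Get-Date).AddDays(-30).Date
# Filter on the raw FILETIME value, then convert it to a DateTime for display
$ActiveUsers = Get-ADUser -Filter * -Properties lastLogonTimestamp | Where-Object {$_.lastLogonTimestamp -ge $Since.ToFileTime()} |
    Select-Object SamAccountName,Enabled,GivenName,Surname,@{Name='Last Logon';Expression={[System.DateTime]::FromFileTime($_.lastLogonTimestamp)}}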
and add any other properties you need to that comma separated list.
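
An added example, not part of the original thread: the first question asks whether results differ between domain controllers, so this script reports the replicated lastLogonTimestamp next to the newest non-replicated lastLogon found on any DC. It assumes the RSAT ActiveDirectory module, a single domain and read access to every DC; the function name Convert-LogonStamp and the output column names are made up for the example.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Convert-LogonStamp($Value) {
    # Both attributes are FILETIME integers (100 ns ticks since 1601-01-01 UTC).
    # Empty or 0 means no logon has been recorded, so return $null.
    if ($Value -gt 0) { [DateTime]::FromFileTime([long]$Value) } else { $null }
}

$Since = (Get-Date).AddDays(-30).Date

# lastLogon is NOT replicated: ask every DC and keep the newest value per account.
$newest = @{}
foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        Get-ADUser -Filter * -Server $dc.HostName -Properties lastLogon -ErrorAction Stop |
            ForEach-Object {
                if ($_.lastLogon -gt $newest[$_.SamAccountName]) {
                    $newest[$_.SamAccountName] = $_.lastLogon
                }
            }
    } catch {
        # An unreachable DC leaves a gap in the per-DC data, so report it.
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

# lastLogonTimestamp IS replicated: one query against any DC is enough.
$report = Get-ADUser -Filter * -Properties lastLogonTimestamp | ForEach-Object {
    $replicated = Convert-LogonStamp $_.lastLogonTimestamp
    $exact      = Convert-LogonStamp $newest[$_.SamAccountName]
    [pscustomobject]@{
        SamAccountName     = $_.SamAccountName
        Enabled            = $_.Enabled
        LastLogonTimestamp = $replicated   # replicated, can lag by about two weeks
        LastLogonNewestDC  = $exact        # newest value found on any reachable DC
        ActiveSince        = ($replicated -ge $Since) -or ($exact -ge $Since)
    }
}

# Accounts with a recorded logon in the last 30 days
$report | Where-Object { $_.ActiveSince } | Sort-Object SamAccountName | Format-Table -AutoSize
```

Accounts where both columns are empty have never recorded a logon and are left out of the active list.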