User Last Logon - not finding enough results

by TomKemp at 2012-10-30 03:19:00

I am using a script to get the LastLogon time for all Users and Workstations. This is a modified version of a script I found online. The code is:

$datetime = Get-Date -Format "yyyyMMddHHmmss";
$LastLoginFile = "$Env:USERPROFILE\MyScripts\LastLogin-$datetime.txt"

# Search from the domain root; a single DC answers the query
$searcher = New-Object DirectoryServices.DirectorySearcher([adsi]"")
$searcher.filter = "(&(objectCategory=person)(objectclass=user))"
$users = $searcher.findall()

Foreach($user in $users)
{
    # lastLogon is a 64-bit FileTime; 0 or missing means no logon recorded on the DC that answered
    if($user.Properties.Item("lastLogon") -ne 0)
    {
        $a = [datetime]::FromFileTime([int64]::Parse($user.Properties.Item("lastLogon")))
        "$($user.Properties.Item("name")) $a"
        # "$($user.Properties.Item("name")) $a" | out-file $LastLoginFile -append
    }
}

The problem is that this is only returning 505 entries.

I assume that this is due to the script not querying all of the Domain Controllers. We have 4 Domain Controllers in the central office and 15 Branch Offices, each with their own DC.

I would have expected this script to query all of them. Not sure how to determine if this is true.

We have 6050 Users, of whom about 4500 are active. Why are they not all being returned by this script?

by coderaven at 2012-10-30 06:22:34

First things first, I would recommend you change your LDAP filter to "(&(objectCategory=person)(objectclass=user)(lastlogon=*))" and then just start looping and converting from file time. Depending on your AD, it would be better to use lastlogontimestamp; that value is replicated. The lastlogon and lastlogontimestamp are the last "Interactive" logon. You are saying that you really have 19 domain controllers; using the lastlogon attribute, you need to query all of them. There were some tools like DumpSec back in the day that would query all DCs and compare the lastlogon to get you a true value, but the stress on the DCs was just not so great; this is one of the reasons for the lastlogontimestamp to replicate. Change to lastlogontimestamp and see if you get a better result. Just change your query to this "(&(objectCategory=person)(objectclass=user)(lastlogontimestamp=*))"; if that does not work it would be about time to upgrade your AD :).

by Klaas at 2012-10-30 09:12:17

Lastlogontimestamp is indeed replicated, but it’s not updated all the time so it is said not to be an accurate attribute. I’ve read a lot of different and complicated explanations for that. As I understand it, you can rely on it if you’re looking for users that are not logged in for months, but not if you want to know who logged in this morning.

In the Quest cmdlets there’s a -NotLoggedOnFor and -Inactive parameter for Get-QADUser, but I don’t know what attribute that uses.
If you want to use the LastLogon property you do have to query all domain controllers and find the most recent value for each user. It will be empty if a user has never logged on to that specific domain controller.

by Matt Hitchcock at 2012-12-27 21:44:57

Just adding to this, I think the LastLogonTimeStamp attribute was only introduced with the 2003 Functional Level, so it would also be handy to know what level you’re running at.
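
Putting the three replies together (coderaven's replicated lastLogonTimestamp, Klaas's "query every DC and keep the newest lastLogon", and Matt's functional-level check), here is an added example script that is not code from the thread or from any of the posters. It assumes a domain-joined machine, an account that can read user attributes, that every DC is reachable over LDAP, and a hypothetical output path in $OutFile; the function names, the 90-day cutoff and the CSV layout are my choices. It also sets PageSize on the DirectorySearcher, because without paging the server's default MaxPageSize (1000) silently truncates a 6050-user domain before any lastLogon filtering happens.

```powershell
# Added example, not code from the thread. Assumes a domain-joined machine, an
# account allowed to read user attributes, reachability of every DC, and a
# hypothetical output path in $OutFile. PowerShell 2.0 / .NET 3.5 APIs only.

$OutFile = "$Env:USERPROFILE\MyScripts\LastLogon-$(Get-Date -Format 'yyyyMMddHHmmss').csv"

# AD stores lastLogon / lastLogonTimestamp as a 64-bit FileTime; 0 or absent = never.
function ConvertFrom-AdFileTime {
    param([object]$Value)
    if ($null -eq $Value -or [int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTime([int64]$Value)
}

# One paged LDAP query against $SearchRoot; returns @{ sAMAccountName = [DateTime] or $null }.
# PageSize turns on paged results; without it the server's MaxPageSize (1000 by
# default) silently truncates the result set, so large domains come back short.
function Get-UserLogonAttribute {
    param([string]$SearchRoot, [string]$Attribute)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', $Attribute))
    $table = @{}
    foreach ($r in $searcher.FindAll()) {
        $name = [string]$r.Properties['samaccountname'][0]
        $raw  = $null
        if ($r.Properties.Contains($Attribute)) { $raw = $r.Properties[$Attribute][0] }
        $table[$name] = ConvertFrom-AdFileTime $raw
    }
    return $table
}

$rootDse  = [adsi]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext.Value
# domainFunctionality 2 = Windows Server 2003 DFL, the first level that has lastLogonTimestamp.
$dfl      = [int]$rootDse.domainFunctionality.Value

# View 1 (replicated, one query, coarse): lastLogonTimestamp. Good for "idle for months",
# not for "who logged on this morning": it is only rewritten when older than ~14 days.
$replicated = @{}
if ($dfl -ge 2) {
    $replicated = Get-UserLogonAttribute -SearchRoot "LDAP://$domainDn" -Attribute 'lastLogonTimestamp'
} else {
    Write-Warning "Domain functional level $dfl is below Windows Server 2003; lastLogonTimestamp is unavailable."
}

# View 2 (exact): lastLogon is never replicated, so ask every DC and keep the newest value.
# An unreachable branch-office DC is reported rather than fatal, but then this view is incomplete.
$newest = @{}
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    try {
        $perDc = Get-UserLogonAttribute -SearchRoot "LDAP://$($dc.Name)/$domainDn" -Attribute 'lastLogon'
    } catch {
        Write-Warning "Could not query $($dc.Name): $($_.Exception.Message)"
        continue
    }
    foreach ($entry in $perDc.GetEnumerator()) {
        # keep users with no logon on any DC instead of dropping them like an "-ne 0" test does
        if (-not $newest.ContainsKey($entry.Key)) { $newest[$entry.Key] = $null }
        if ($null -ne $entry.Value -and ($null -eq $newest[$entry.Key] -or $entry.Value -gt $newest[$entry.Key])) {
            $newest[$entry.Key] = $entry.Value
        }
    }
}

$report = @(foreach ($name in ($newest.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        User               = $name
        LastLogonAllDCs    = $newest[$name]
        LastLogonTimestamp = $replicated[$name]
    }
})
$report | Export-Csv -Path $OutFile -NoTypeInformation

# Stale-account summary: the usual reason for pulling this data in the first place.
$cutoff = (Get-Date).AddDays(-90)
$stale  = @($report | Where-Object { $null -eq $_.LastLogonAllDCs -or $_.LastLogonAllDCs -lt $cutoff })
"{0} users total, {1} with no logon on any DC in the last 90 days" -f $report.Count, $stale.Count
```

Both views land in one CSV so the two can be compared per user: where LastLogonTimestamp is days behind LastLogonAllDCs that is the replication interval at work, not an error. Expect the per-DC loop to be the slow part with 19 DCs over branch-office links; it is 19 paged queries, which is the load coderaven describes the old tools generating.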