Get users who haven’t logged in longer than X days (LastLogonDate)

Find out how to get users who haven't logged in for longer than X days. In today's post, I wanted to share a simple Active Directory inventory script. It uses AD module commands and saves the results to a CSV file.

This script might be useful for finding users who haven't logged on for a long time. It checks the LastLogonDate property (the AD module's DateTime conversion of the lastlogontimestamp attribute):

Get-ADUser -Identity $Env:username -Properties 'Name','Enabled','WhenCreated','LastLogonDate','lastlogontimestamp','PasswordExpired'

Please be aware that it gets the date only from the specified Domain Controller. In this case, I passed the logon server in the Server parameter and looked only for enabled users in the People OU. As in the previous article, I used an LDAP filter:

LDAPFilter = "(&(objectclass=user)(useraccountcontrol=512)(lastlogontimestamp<=$LastLogon))"

$LastLogon   = (Get-Date).AddDays(-30).ToFileTime()   # cutoff as FILETIME, the format lastlogontimestamp is stored in
$Params = @{
            LDAPFilter   = "(&(objectclass=user)(useraccountcontrol=512)(lastlogontimestamp<=$LastLogon))"
            Server       = ($env:LOGONSERVER -replace "\\",'')   # strip the leading \\ from the logon server name
            SearchBase   = 'OU=People,DC=powershellbros,DC=com'
            Properties   = 'Name','Enabled','WhenCreated','LastLogonDate','lastlogontimestamp','PasswordExpired'
        }

Get-ADUser @Params | Select Name, Enabled, whenCreated, lastlogondate, PasswordExpired

Below you can find the final script for getting users who haven't logged in for longer than 30 days. It saves the results to a CSV file on your desktop and then opens them in a new Out-GridView pop-up window.

        #Import Modules ##########################################################
        Try{
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        Catch{
            Write-Warning $_.Exception.Message
            Read-Host "Script will end. Press enter to close the window"
            Exit
        }

        #Params ##################################################################
        $LastLogon   = (Get-Date).AddDays(-30).ToFileTime()   # cutoff as FILETIME
        $ReportPath  = "$env:userprofile\desktop"               # no trailing backslash, it is added below
        $FileDate    = Get-Date -Format "yyyyMMddHHmmss"
        $OutputCsv   = "$ReportPath\LastLogonDate_users_$FileDate.csv"

        # Query params ##############################################################
        $Params = @{
            LDAPFilter   = "(&(objectclass=user)(useraccountcontrol=512)(lastlogontimestamp<=$LastLogon))"
            Server       = ($env:LOGONSERVER -replace "\\",'')   # strip the leading \\ from the logon server name
            SearchBase   = 'OU=People,DC=powershellbros,DC=com'
            Properties   = 'Name','Enabled','WhenCreated','LastLogonDate','lastlogontimestamp','PasswordExpired'
        }

        #Get all ENABLED users from OU ####################################
        Get-ADUser @Params | Select Name,
                                    Enabled,
                                    whenCreated,
                                    lastlogondate,
                                    PasswordExpired | Export-Csv $OutputCsv -NoTypeInformation

        #Import CSV and display results ##########################################
        Import-CSV $OutputCsv | Out-GridView -Title 'Users > 30days'
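As an added example (not the post's own script), the same report parameterised by day count, using the bitwise userAccountControl matching rule discussed in the comments instead of the literal 512, and also catching enabled accounts that have never logged on. It assumes the ActiveDirectory module on a domain-joined host; the OU is the post's placeholder value.

```powershell
# Added example, not the original post's script. Parameterised inactive-user report.
# Assumes the ActiveDirectory module and a domain-joined host; the OU is the post's placeholder.
param(
    [int]$Days = 30,
    [string]$SearchBase = 'OU=People,DC=powershellbros,DC=com',
    [string]$Server = ($env:LOGONSERVER -replace '\\', ''),
    [string]$ReportPath = "$env:USERPROFILE\Desktop"
)
Import-Module ActiveDirectory -ErrorAction Stop

$CutoffDate = (Get-Date).AddDays(-$Days)
# lastLogonTimestamp is stored as a Windows FILETIME, so the cutoff is converted the same way.
$CutoffFT   = $CutoffDate.ToFileTime()

# Rule 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND. "(!(...:=2))" matches every
# account whose ACCOUNTDISABLE bit (2) is clear, whatever other flags are set, whereas
# userAccountControl=512 only matches accounts with no other flag at all.
# The OR clause also returns accounts that never logged on (attribute absent); those are
# limited below to accounts older than the cutoff so freshly created users are not reported.
$Filter = "(&(objectClass=user)(objectCategory=person)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(|(lastLogonTimestamp<=$CutoffFT)(!(lastLogonTimestamp=*))))"

$Params = @{
    LDAPFilter = $Filter
    SearchBase = $SearchBase
    Server     = $Server
    Properties = 'WhenCreated', 'LastLogonDate', 'lastLogonTimestamp', 'PasswordExpired'
}

$Stale = Get-ADUser @Params |
    Where-Object { $_.WhenCreated -lt $CutoffDate } |
    Select-Object Name, SamAccountName, Enabled, WhenCreated, LastLogonDate, PasswordExpired |
    Sort-Object LastLogonDate

# lastLogonTimestamp replicates between DCs but is only refreshed when the stored value is
# older than msDS-LogonTimeSyncInterval (default 14 days, minus a random 0-5 days), so
# "inactive for N days" is accurate to roughly two weeks whichever DC answers the query.
$OutputCsv = Join-Path $ReportPath ("InactiveUsers_{0}d_{1}.csv" -f $Days, (Get-Date -Format 'yyyyMMddHHmmss'))
$Stale | Export-Csv -Path $OutputCsv -NoTypeInformation
Write-Host ("{0} enabled account(s) inactive for more than {1} days written to {2}" -f @($Stale).Count, $Days, $OutputCsv)
$Stale | Out-GridView -Title "Enabled users inactive > $Days days"
```

Run it as `.\Get-InactiveUsers.ps1 -Days 60` to change the window; the CSV is the artefact to keep for the access-review record.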

I hope it was informative for you 🙂 See you in the next articles.

2 thoughts on "Get users who haven't logged in longer than X days (LastLogonDate)"

  1. I get an error: Get-ADUser : The supplied distinguishedName must belong to one of the following partition(s): 'DC=sgdcelab,DC=sabre,DC=com , CN=Configuration,DC=sgdcelab,DC=sabre,DC=com ,
    CN=Schema,CN=Configuration,DC=sgdcelab,DC=sabre,DC=com , DC=DomainDnsZones,DC=sgdcelab,DC=sabre,DC=com , DC=ForestDnsZones,DC=sgdcelab,DC=sabre,DC=com'.
    At line:10 char:1
    + Get-ADUser @Params | Select Name, Enabled, whenCreated, lastlogondat …
    + ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-ADUser], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

  2. Your code makes assumptions that learners may not understand. You cannot assume UAC will always be 512. It can be other values and an account will still be disabled – this is because it's only bit 2 that identifies whether an account is enabled or disabled.

    Suggest you replace this with (userAccountControl:1.2.840.113556.1.4.803:=2) for disabled
    (!userAccountControl:1.2.840.113556.1.4.803:=2) for enabled.

    The only thing that determines whether an account is disabled or enabled is bit 2 of the UAC. The suggestion above is providing you with an LDAP logical AND of bit 2 in the UAC – which will get you all UAC status values that are enabled/disabled.
