Finding Stale Computers in AD forest
Does anyone know of a way to report the last logon user and date they logged on for each computer in a domain?
Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging
Comments
LeifAlire Member Posts: 106
dsquery computer -inactive 4 < this command shows you computers that haven't connected in last 4 weeks. Change the number to match what you need.
2015 Goals: VCP-550 - CISA - 70-417
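For the thread title's actual question (stale computers rather than last user), here is an added example that is not from any poster in this thread. It uses the ActiveDirectory RSAT module, which is assumed to be installed, and corroborates the replicated LastLogonDate with PasswordLastSet: a domain-joined machine rotates its account password every 30 days by default, so a computer whose password has not changed in 90 days is stale regardless of the logon timestamp's replication lag.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [int]$Days = 90,
        [string]$SearchBase   # optional OU distinguished name; whole domain if omitted
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    $params = @{
        Filter     = '*'
        Properties = 'LastLogonDate', 'PasswordLastSet', 'OperatingSystem'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADComputer @params | Where-Object {
        # LastLogonDate is the replicated lastLogonTimestamp, which can lag the real
        # last logon by up to 14 days, so treat it as a hint. A computer account whose
        # password has also not rotated (default: every 30 days) is the stronger signal.
        # A null LastLogonDate means the computer never logged on since being joined.
        ((-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)) -and
        ($_.PasswordLastSet -lt $cutoff)
    } | Sort-Object LastLogonDate
}

# Report first. Objects come back as ADComputer, so Enabled/Name/DistinguishedName are usable.
Get-StaleComputer -Days 90 |
    Select-Object Name, Enabled, OperatingSystem, LastLogonDate, PasswordLastSet |
    Export-Csv -Path .\StaleComputers.csv -NoTypeInformation

# After review, disable rather than delete, so a machine that was merely powered off
# can be re-enabled without a rejoin. Drop -WhatIf once the list has been checked.
Get-StaleComputer -Days 90 | Where-Object Enabled | Disable-ADAccount -WhatIf
```

The -Days value is a policy choice; 90 days is common because it comfortably exceeds the 30-day machine password cycle plus the replication lag of lastLogonTimestamp. Search-ADAccount -AccountInactive -ComputersOnly gives a quicker but logon-timestamp-only answer.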
4_lom Member Posts: 485
dsquery computer -inactive 4 < this command shows you computers that haven't connected in last 4 weeks. Change the number to match what you need.
Thanks but that's not really what I'm looking for. I need to create a report of all computers in a domain, with the last user that logged in and the time/date that they were logged in.
Qord Member Posts: 632
I think you'd have to query every single computer individually for that, I don't think AD keeps track of that info by default. Easiest way would probably be to pull the info from the event logs.
netBooger Member Posts: 45
Qord is correct. You would have to query each individual system to gather that information. Active Directory will tell you when the last time a user logged on but won't tell you the last user that logged onto a machine.
Take a look at Get the last user logged in (Powershell) | SignalWarrant.com and it should give you what you want.
If you don't know PowerShell or need help on how to run it let me know.
GLaD0S11 Member Posts: 12
You can find some of this information in ADSI Edit, but I believe that you do have to go to each computer separately to find it. Open ADSI Edit, navigate to the computer you'd like to check, Right Click, Select Properties, find the "Last Logon Time" (or something like that).
Maybe someone else could shed some light on how to find out which user specifically logged in last because I don't think ADSI Edit shows you that info. I could be remembering it wrong though because it's been awhile since I was in there.
Qord Member Posts: 632
Try this, replace the ldap string with whatever applies to you. I do things like this too, but I go OU by OU as it's easier to manage that way. In this I chose to pull the last 3 logins in the last 30 days, but you can change that... Keep in mind that this counts as a login, so if you run it twice, you'll see you as the last user. I also have it ping the machine first so no time is wasted waiting for an attempted connection to time out.

# Bind to the OU to scan; replace the LDAP path with your own.
$ou = [ADSI]"LDAP://OU=STAFFOU,OU=Workstations,DC=herp,DC=gov"
# Only look at logons from the last 30 days.
$Date = [DateTime]::Now.AddDays(-30)
foreach ($strComputer in $ou.psbase.Children)
{
    # Skip anything in the OU that is not a computer object (users, groups, sub-OUs).
    if ($strComputer.psbase.SchemaClassName -ne "computer") { continue }
    $Computer = $strComputer.name
    # Ping first so an offline machine does not stall the remote event-log query.
    if (Test-Connection -ComputerName $Computer -Count 1 -Quiet -EA 0)
    {
        $Date.tostring("MM-dd-yyyy"), $Computer
        $eventList = @()
        # 4624 = successful logon. ReplacementStrings[4] is the target SID (short
        # well-known SIDs such as SYSTEM are dropped by the length test) and [5] is
        # the target user name (machine accounts end in $ and are excluded).
        Get-EventLog "Security" -computername $Computer -After $Date `
            | Where -FilterScript {$_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike "*$"} `
            | select -first 3 `
            | foreach-Object {
                $row = "" | Select UserName, LoginTime
                $row.UserName = $_.ReplacementStrings[5]
                $row.LoginTime = $_.TimeGenerated
                $eventList += $row
            }
        $eventList
        write-host ""
    }
    else
    {
        Write-Host "Couldn't ping $Computer so no logon data available." -BackgroundColor RED -ForegroundColor White
        write-host ""
    }
}
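The caveat in the post above (running the script counts as a logon, so the admin shows up as the last user) comes from event 4624 not distinguishing a network logon made by the remote event-log query from a person sitting at the keyboard. The following is an added example, not Qord's or any other poster's code, that reads the event's LogonType field and keeps only console, RDP, unlock and cached-credential logons. It assumes the ActiveDirectory RSAT module, that the scanning account can read remote Security logs, and a placeholder OU path that must be replaced.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and that the
# account running it can read the remote Security log (WinRM or Remote Event Log
# Management allowed through the firewall). $SearchBase is a placeholder OU.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',
    [int]$Days = 30
)
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-$Days)

# Logon types that mean a person was actually using the machine:
# 2 interactive (console), 10 RemoteInteractive (RDP), 7 unlock, 11 cached interactive.
# Type 3 (network) is deliberately excluded: the remote Get-WinEvent call itself
# produces a type-3 logon, which is what makes a naive 4624 query report the admin.
$interactiveTypes = @('2', '10', '7', '11')

function Get-LastInteractiveLogon {
    param([string]$Computer, [datetime]$Since)
    try {
        # Get-WinEvent returns newest events first; it throws if nothing matches.
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $Since
        } -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML instead of relying on
        # positional ReplacementStrings, which differ between Windows versions.
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($interactiveTypes -contains $d['LogonType'] -and $d['TargetUserName'] -notlike '*$') {
            return [pscustomobject]@{
                Computer  = $Computer
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']
                Time      = $e.TimeCreated
            }
        }
    }
    return $null
}

$report = foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
    # Ping first so an offline machine does not cost a full RPC timeout.
    if (-not (Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $c.Name; User = '(unreachable)'; LogonType = $null; Time = $null }
        continue
    }
    $r = Get-LastInteractiveLogon -Computer $c.DNSHostName -Since $since
    if ($r) { $r }
    else { [pscustomobject]@{ Computer = $c.Name; User = '(no interactive logon in window)'; LogonType = $null; Time = $null } }
}

$report | Sort-Object Computer | Export-Csv -Path .\LastLogonReport.csv -NoTypeInformation
$report | Format-Table -AutoSize
```

Because the function returns on the first matching event and Get-WinEvent already delivers events newest first, each machine is read only as far as its most recent real logon. If the Security log has been cleared or rolled over within the window, the machine lands in the "no interactive logon in window" bucket rather than being misreported, which is worth flagging on its own: a cleared Security log on a workstation is something to look into.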