Options
Finding Stale Computers in AD forest
Does anyone know of a way to report the last logon user and date they logged on for each computer in a domain?
Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging
Comments
-
Options
LeifAlire
Member Posts: 106
dsquery computer -inactive 4 < this command shows you computers that haven't connected in last 4 weeks. Change the number to match what you need.2015 Goals: VCP-550 - CISA - 70-417 -
Options
4_lom
Member Posts: 485
dsquery computer -inactive 4 < this command shows you computers that haven't connected in last 4 weeks. Change the number to match what you need.
Thanks but that's not really what I'm looking for. I need to create a report of all computers in a domain, with the last user that logged in and the time/date that they were logged in.Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging -
Options
Qord
Member Posts: 632 ■■■■□□□□□□
I think you'd have to query every single computer individually for that, I don't think AD keeps track of that info by default. Easiest way would probably be to pull the info from the event logs. -
OptionsnetBooger
Member Posts: 45 ■■□□□□□□□□
Qord is correct. You would have to query each individual system to gather that information. Active Directory will tell you when the last time a user logged on but won't tell you the last user that logged onto a machine.
Take a look at Get the last user logged in (Powershell) | SignalWarrant.com and it should give you what you want.
If you don't know PowerShell or need help on how to run it let me know. -
OptionsGLaD0S11
Member Posts: 12 ■□□□□□□□□□
You can find some of this information in ADSI Edit, but I believe that you do have to go to each computer separately to find it. Open ADSI Edit, navigate to the computer you'd like to check, Right Click, Select Properties, find the "Last Logon Time" (or something like that).
Maybe someone else could shed some light on how to find out which user specifically logged in last because I don't think ADSI Edit shows you that info. I could be remembering it wrong though because it's been awhile since I was in there. -
OptionsQord
Member Posts: 632 ■■■■□□□□□□
Try this, replace the ldap string with whatever applies to you. I do things like this too, but I go OU by OU as it's easier to manage that way. In this I chose to pull the last 3 logins in the last 30 days, but you can change that... Keep in mind that this counts as a login, so if you run it twice, you'll see you as the last user. I also have it ping the machine first so no time is wasted waiting for an attempted connection to time out.$ou = [ADSI]"LDAP://OU=STAFFOU,OU=Workstations,DC=herp,DC=gov"
$Date = [DateTime]::Now.AddDays(-30)
foreach ($strComputer in $ou.psbase.Children)
{
$Computer = $strComputer.name
if (Test-Connection -ComputerName $Computer -Count 1 -Quiet -EA 0)
{
$Date.tostring("MM-dd-yyyy"), $Computer
$eventList = @()
Get-EventLog "Security" -computername $Computer -After $Date `
| Where -FilterScript {$_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike "*$"} `
| select -first 3 `
| foreach-Object {
$row = "" | Select UserName, LoginTime
$row.UserName = $_.ReplacementStrings[5]
$row.LoginTime = $_.TimeGenerated
$eventList += $row
}
$eventList
write-host ""
}
else
{
Write-Host "Couldn't ping $Computer so no logon data available." -BackgroundColor RED -ForegroundColor White
write-host ""
}
}
