A little while back I was working at an enterprise that has many locations across the United States. I had a list of 30 usernames (from one specific out-of-state location) and a couple brand-new test accounts that I wanted to report on their “last logon times” from the Active Directory domain. I put together a quick PowerShell script to loop through each user and report on the “lastLogon” time and I had (what I thought were) my results in no-time. Here is a snippet of the code:
Get-ADUser $UserNameToSearch | Get-ADObject -Properties lastLogon
First, I opened up an RDP session to a domain workstation that I had access to at the out-of-state location that I was working with at the time and I went ahead and logged in with my test user. I waited a few minutes for the replication to occur back to my location’s domain controller and then I ran the script from my local workstation. Surprisingly, there were no results reported for that test account, but there were current up-to-date results for 95% of the users who were on my list that are said to work at that same location.
So I logged out, logged back in, waited, and ran the script again. Still, no “logon time” results for my test user account.
I did a few minutes of research on the “lastLogon” attribute and then I discovered I was searching the wrong attribute, per Microsoft’s MSDN Attribute Library which states: “This attribute is not replicated and is maintained separately on each domain controller in the domain. To get an accurate value for the user’s last logon in the domain, the Last-Logon attribute for the user must be retrieved from every domain controller in the domain. The largest value that is retrieved is the true last logon time for that user.“ But since the enterprise I was working with had more domain controllers than I could count on one hand so I chose to find a simple alternative.
After a few more minutes of research I then found the attribute that is replicated across all domain controllers, the “lastLogonTimeStamp” attribute. I updated my script to:
Get-ADUser $UserNameToSearch | Get-ADObject -Properties lastLogonTimeStamp
I then had the results that I expected and I carried on with my day.
Hopefully this experience will save you time and effort!