BLOG
Wissenstransfer von IT-Spezialisten
| |

Last Logon Time / Authentication of a AD or Service User Account – #Powershell

Sometimes it is helpful to know when an AD user or an AD function account has been authenticated the last time. After some failed attempts with „LastLogonDate“ I found the correct value in the „LastLogon“ property. This value is not replicated between the domain controllers. In addition, it is a not a readable date (it’s in ticks).

The following script determines the latest authentication of an account on all domain controller in a domain (one-liner):

1
([DateTime][long]($(ForEach ($dc in ((get-addomaincontroller -filter *).name)){(Get-ADUser -Identity "<userlogonname>" -Properties "LastLogon" -server $dc).LastLogon}) | Measure -Maximum).Maximum).AddYears(1600)

Or somewhat clearer:

1
2
3
4
5
6
([DateTime][long](
    $(ForEach ($dc in ((get-addomaincontroller -filter *).name))
    {
        (Get-ADUser -Identity "<userlogonname>" -Properties "LastLogon" -server $dc).LastLogon
    }
) | Measure -Maximum).Maximum).AddYears(1600)

Sample:

See also:

Christopher Ream – Understanding the AD Account attributes – LastLogon, LastLogonTimeStamp and LastLogonDate