HOWTO : Find all users in Active Directory who haven’t logged in longer than 90 days


Here comes another howto. I was asked a few times how to find users who haven't logged on to the domain for a defined amount of time, so I decided to write a few words on how to handle it. The easiest way to achieve that is to use "Saved Queries" in the Active Directory Users and Computers console. To do that you simply right-click "Saved Queries" and choose New -> Query.


Then you simply type a name for the query, optionally restrict it to a specific OU, and click Define Query. Under Common Queries, at the bottom, you can choose to find users who have not logged on for a given number of days.


It's the easiest way to find the users. However, I would like to have the list in, let's say, a CSV file. Here comes PowerShell ... again.

So let's start from the beginning. In Active Directory each user object has a lot of attributes, and two of them record the user's last logon time: lastLogon and lastLogonTimestamp. Why are there two attributes for one piece of data? The difference is that "lastLogon" is not replicated across Active Directory, which means it holds the last logon date recorded on the specific domain controller that authenticated the user. So to find the real last logon date of a user I would have to read the "lastLogon" attribute on every domain controller in the domain and take the newest value. This is where the "lastLogonTimestamp" attribute helps: this one is replicated in AD. "lastLogonTimestamp" is updated only when the current value of the attribute is older than the current time minus the value of the "msDS-LogonTimeSyncInterval" AD attribute, so it is accurate only to within that interval. More information about the differences can be found in Morgan's article at the following link:

So I will use the "lastLogonTimestamp" AD attribute to find users who have not logged on for longer than 90 days. The problem is that the data type of this attribute is Integer8 (a 64-bit Windows file time), so I need to convert it to a readable datetime format. But first the PowerShell command for the users; after that I will explain the syntax. To run it successfully you need to import the ActiveDirectory PowerShell module.

So the first part is

I'm enumerating all users in the "tda.internal" domain and I'm also collecting two Active Directory attributes, DisplayName and lastLogonTimestamp, because they are not included by default in the object the command returns.

After the pipe comes the magic: "?" is the alias for Where-Object in PowerShell. Then I'm using the Get-Date cmdlet to obtain the current date, from which I'm subtracting the "lastLogonTimestamp" attribute value converted to a datetime with the .NET [System.DateTime] method FromFileTime. The result is a TimeSpan object, from which I take the "TotalDays" value and check whether it is greater than 90 (days). So now I have all users who have not logged on for longer than 90 days, and I just need to collect the user attributes I need. For that I'm using Select-Object.

I'm also converting the lastLogonTimestamp value to a readable datetime format. At the end I'm exporting all the data to a CSV file using ";" as the delimiter.
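The whole pipeline described above, written out as an added example (this is my own code, not the post's command): enumerate users, convert lastLogonTimestamp from file time, keep those older than 90 days, and export a semicolon-delimited CSV. The domain name tda.internal is taken from the post; the output path and the handling of users with no lastLogonTimestamp at all (never logged on since the attribute existed, which FromFileTime(0) would otherwise report as the year 1601) are my additions.

```powershell
# Added example, not the post's original command. Assumes the RSAT
# ActiveDirectory module and read access to the domain. $Server and
# $OutFile are placeholders to adapt.
Import-Module ActiveDirectory

$Threshold = 90                             # days
$Server    = 'tda.internal'                 # domain (or a DC) to query
$OutFile   = 'C:\temp\inactive-users.csv'   # placeholder output path
$Now       = Get-Date

# lastLogonTimestamp is an Integer8 (Windows FILETIME). It is replicated, but
# only refreshed when the stored value is older than msDS-LogonTimeSyncInterval,
# so the figure below is accurate only to within that interval.
Get-ADUser -Server $Server -Filter * -Properties DisplayName, lastLogonTimestamp |
    ForEach-Object {
        $ts = $_.lastLogonTimestamp
        if ($ts) {
            $lastLogon = [DateTime]::FromFileTime($ts)
            $days      = [int]($Now - $lastLogon).TotalDays
            $shown     = $lastLogon.ToString('yyyy-MM-dd HH:mm:ss')
        } else {
            # No value at all: the user never logged on since the attribute was
            # introduced. Report it explicitly instead of a bogus 1601 date.
            $days  = $null
            $shown = 'never'
        }
        [PSCustomObject]@{
            SamAccountName     = $_.SamAccountName
            DisplayName        = $_.DisplayName
            Enabled            = $_.Enabled
            DistinguishedName  = $_.DistinguishedName
            LastLogonTimestamp = $shown
            DaysSinceLogon     = $days
        }
    } |
    # Keep users with no logon record plus those idle longer than the threshold.
    Where-Object { ($null -eq $_.DaysSinceLogon) -or ($_.DaysSinceLogon -gt $Threshold) } |
    Sort-Object DaysSinceLogon -Descending |
    Export-Csv -Path $OutFile -Delimiter ';' -NoTypeInformation -Encoding UTF8
```

The Enabled column is included because a stale but still enabled account is the one that matters for review; disabled accounts in the list can be filtered out in the spreadsheet or by adding `-and $_.Enabled` to the Where-Object clause.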

So that’s it. I hope it will help you in your work, thanks for reading. If you have any questions feel free to contact me.


4 thoughts on "HOWTO : Find all users in Active Directory who haven't logged in longer than 90 days"

  1. Hello guys! I need some help please. I have to identify users that have been activated for more than 30 days but have never been logged into; these must be disabled.
    I have this part of the code but I need the other part to calculate the days. (I tried to make this part of the days calculation but it can't work: Get-ADUser -filter * -Properties logonCount,whencreated | Where { $_.lastlogondate -lt (Get-Date).TotalDays -gt 30 }).

    $Usr_NoLogin = Get-ADUser -Filter * -SearchBase "OU=Pruebas,OU=Usuarios,OU=AXA Mexico,DC=ASEFI,DC=MEX" -Properties * | Select SamAccountName,DistinguishedName,@{Name="LastLogon";Expression={[datetime]::FromFileTime($_.lastlogon)}},@{Name="LastLogin";Expression={[datetime]::FromFileTime($_.lastlogon).ToString('dd-MM-yyyy H:mm:ss')}} | ? {$_.LastLogon -lt ((Get-Date).AddDays(-30)) -And $_.LastLogin -ne "31-12-1600 19:00:00"}
    Get-ADUser -Filter * -SearchBase "DC=ASEFI,DC=MEX" -Properties * | where {$_.logonCount -lt 1} | select Name,logonCount,SamAccountName,whencreated | Format-Table

  2. Hi,

    I assume this should do the job for you

    Get-ADUser -Filter * -SearchBase "OU distinguishedName" -Properties SamAccountName,DistinguishedName,logonCount,whenCreated | Where { ($_.whenCreated -lt (Get-Date).AddDays(-30)) -and ($_.logonCount -le 0) } | select SamAccountName,DistinguishedName,logonCount,whenCreated | export-csv accounts.csv

    If it doesn't, don't hesitate to contact me 🙂

  3. Hello! Could you delete my last post please, because I forgot to take out some secure information. I'm going to be in trouble about it. Please!

  4. Thank you dear, your advice helped me so much. I'm in trouble about the next part. I have to deactivate the found accounts. But I have doubts about the code structure.
    🙁 I'm new in this, could you help me please. Regards.

    # collect the accounts once, then export, move and disable them from the same list
    $Usr_NoLogin = Get-ADUser -Filter * -SearchBase "DC=x,DC=x1" -Properties * | Where { ($_.whenCreated -lt (Get-Date).AddDays(-30)) -and ($_.logonCount -le 0) } | select SamAccountName,DistinguishedName,logonCount,whenCreated
    $Usr_NoLogin | export-csv accounts.csv
    $Usr_NoLogin | Foreach {
    Move-ADObject $_.DistinguishedName -TargetPath "OU=xx ,OU=U1,OU=xx ,DC=x,DC=x1"
    Set-ADUser $_.SamAccountName -Enabled $False }
    $Usr_NoLogin | ft -AutoSize
