HOWTO : Find all users in Active Directory who haven’t logged in longer than 90 days

0 Flares 0 Flares ×

powershell-icon-152-191890Here comes another howto. I was asked few times to find users that haven’t logged to the domain for a defined amount of time, that I decided write few words how to handle it. The easiest way to achieve that is use of “Saved Queries” in Active Directory Users and Computers console. To do that you simply right-click on the “Saved Queries”, choose New->Query


Then you simply type the name of the query, you can also define specific OU for that and click define query. In the common queries, in the bottom you can choose to find users who has not logged on for some amount of time, counted in days.


It’s the easiest way to find the users … However I would like to have a list in let say CSV file. Here comes the powershell … again.

So let’s start from the begining. In Active Directory each user object has a lot of attributes, in 2 of them one can find users last logon time. These attributes are : lastlogon and lastologontimestamp. Why there are 2 attributes for a one specific data. The difference between these 2 attributes is that “lastlogon” is not replicated across the active directory, which means that it’s AD object last logon date on the specific domain controller. So if I want to find the last logon date of the user I should check the value of “lastlogon”attribute in every domain controller in the domain and take the newest value.  Here will help “Lastlogontimestamp”attribute, this one is the one which is replicated in AD. “Lastlogontimestamp” attribute is updated only when the current value of the attribute is older than current time minus the value of “msDS-LogonTimeSyncInterval” AD attribute. More information about the differences you can find in Morgan’s artictle on the following link :

So I will use “lastlogontimestamp” AD attribute to  find users who have not been logged on longer than 90 days.  The problem that datatype of this attribute is Integer8 type, so I need to convert it to a readable datetime format. But first the powershell command for the users, after that I will explain the syntax. To run this successfully you need to import ActiveDirectory powershell module

So first part is

I’m enumerating all users in the “tda.internal” domain and I’m also collecting two Active Directory attributes : DisplayName and lastlogontimestamp, becuase they are not included by default in command returned object.

After the pipe comes the magic – “?” – is for “where” word in powershell, then I’m using Get-date function to obtain current date from which I’m substracting the “lastlogontimestamp” attribute value, converted to the datetime format using the .Net [System.Datetime] function “FromFiletime”. As returned value I’m receiving object and I’m getting the “TotalDays” value. I’m checking if this value is greater than 90 (days). So I have already all users who have not logged longer than 90 days, now I just need to collect user attributes I need. For that I’m using select-object function

I’m also converting the lastlogontimestamp value to the readable datetime format. And at the end I’m exporting all the data to the csv file using “;” as a delimiter

So that’s it. I hope it will help you in your work, thanks for reading. If you have any questions feel free to contact me.

0 Flares LinkedIn 0 Google+ 0 Facebook 0 Twitter 0 0 Flares ×

2 thoughts on “HOWTO : Find all users in Active Directory who haven’t logged in longer than 90 days

  1. I have a question, about the following information

    Lastlogon 23-04-14
    Lastlogontimestamp 31-01-14

    Which is the real date last logon?

    • Monica,

      In the dates you have provided, real last logon time is value of “lastLogon”, which is very good explained in this article in second example, but when I see the dates you wrote, I think that value of “msDS-LogonTimeSyncInterval” attribute is quite big or you have some problems in AD.

Leave a Reply

Your email address will not be published. Required fields are marked *