inactive users in AD

Question

inactive users in AD

michael lustig 356

Hi everyone I would like to knew what the differentiate between 2 commands: 1)Search-ADAccount –AccountInActive -UsersOnly –TimeSpan 90:00:00:00 –ResultPageSize 2000 –ResultSetSize $null |?{$.Enabled –eq $True} | Select-Object Name, SamAccountName, DistinguishedName| Export-CSV “C:\Temp\InactiveUsers.CSV” –NoTypeInformation $date= (get-date).AddDays(-90) 2)Get-ADUser-Filter {LastLogonDate-lt $date} -Property Enabled|Where-Object {$.Enabled -like “true”} |SelectName,SamAccountName,DistinguishedName|Export-CSV “C:\Temp\InactiveUsers.CSV” -NoTypeInformation Because, It output differnt results/informations. Thanks

Accepted answer

4 additional answers

Your answer

Answer 1

I posted a corrected version of my code on 11 Apr. Did you see it? Did you try using it?

Assuming you haven't, here's the corrected script:

$date = (Get-Date).AddDays(-90) 
$fdate = $date.tofiletime()

$DCs = (Get-ADDomainController -Filter *).Name
$users = @{}
ForEach ($dc in $DCs) {
    Get-ADUser -Filter { enabled -eq 'true' -AND ((-not ( LastLogon -like "*")) -OR (LastLogon -lt $fdate)) } -Server $dc -Property LastLogon |
        ForEach-Object {
            if ($users.ContainsKey($_.sAMAccountname)) {
                    if ($users.($_.sAMAccountname)[0] -lt $_.LastLogon) {
                        $users.($_.sAMAccountname)[0] = $_.LastLogon
                    }
                }
                else {
                    $users[$_.sAMAccountname] = $_.LastLogon, $_.Name, $_.distinguishedName
                }
            }
        }
$users.GetEnumerator()|
    ForEach-Object{
        if ($null -ne $_.Value[0] -AND $_.Value[0] -gt 0){
            $last = [DateTime]::FromFileTime($_.Value[0])
        } 
        else {
            $last = 'Never'
        }
        [PSCustomObject]@{
            Name = $_.Value[1]
            SamAccountName = $_.Key
            DistinguishedName = $_.Value[2]
            LastLogon = $last
        }
    } | Export-CSV "C:\Temp\InactiveUsers.CSV" -NoTypeInformation

Answer 2

Rich Matheisen 47,901

How are the two results different?

Do you have more than one Domain Controller?

The LastLogonDate is convenient way to use the LastLogontimestamp (which is a 64-bit integer that needs converting) -- but while that property is replicated between DCs, it's only replicated at a random interval between 14 and 21(?) days. Unless you examine every DC in the users' domain you have a good chance of using an obsolete value.
The LastLogon property is updated only on the DC that handled the logon. Again, you have to examine every DC in the users' domain to get the most recent one.

michael lustig 356 Reputation points

2023-04-18T06:52:38.0666667+00:00

Hi Rich Thanks for your respond. I ran this commands only on one DC server. When i ran the command Get-ADUser i got only results with LastLogon property and when i ran the second command(Search-ADAccount) i got results with LastLogon property and with empty LastLogon property. Maybe the second command(Search-ADAccount) scanning all DC servers?

Answer 3

Rich Matheisen 47,901

You're using the LastLogonDate in a filter. LastLogonDate is a calculated property that doesn't exist in the AD.

If you want to filter on the time the user last logged on you'll have to convert the variable $date to a FILE date/time and use the property LastLogonTimeStamp.

But that leaves you a problem: if the LastLogonTimeStamp is empty (because the user never logged on) you can't use in in a comparison. So you have to check for the absence of a value (which is probably what the Search-ADAccount is doing).

$date= (get-date).AddDays(-90) 
$fdate = $date.tofiletime()
Get-ADUser -Filter {(-not ( LastLogonTimeStamp -like "*")) -OR (LastLogonTimeStamp -lt $fdate)} -Property Enabled|
    Where-Object {$_.Enabled -like "true"} |
        Select-Object Name,SamAccountName,DistinguishedName |
            Export-CSV "C:\Temp\InactiveUsers.CSV" -NoTypeInformation

Also, you should add the "enabled" test to the filter. Why return disabled users if you're going to eliminate them??

michael lustig 356

Hi Rich Thanks for your respond In other words you recommend me to use this script(your script):

$date= (get-date).AddDays(-90) 
$fdate = $date.tofiletime()
Get-ADUser -Filter {(-not ( LastLogonTimeStamp -like "*")) -OR (LastLogonTimeStamp -lt $fdate)} -Property Enabled|
    Where-Object {$_.Enabled -like "true"} |
        Select-Object Name,SamAccountName,DistinguishedName |
            Export-CSV "C:\Temp\InactiveUsers.CSV" -NoTypeInformation

to find all users(in all DC servers) don't login at least 90 days?

Rich Matheisen 47,901 Reputation points

2023-04-20T13:43:49.2633333+00:00

Am I recommending that? No. I was just answering your question: "I would like to knew [sic] what the differentiate [sic] between 2 commands".

Using the Search-ADAccount cmdlet is easier to code and to understand, the code I submitted is just a way achieve the same result using the Get-ADUser cmdlet.
michael lustig 356 Reputation points

2023-04-23T13:11:24.2766667+00:00

Ok...when i ran these commands i got difference results...when i ran the command with get-aduser i got around xxx users and when i ran the command with Search-ADAccount i got around yyy users. why user who login to his computer will get empty "LastLogonDate"?
Rich Matheisen 47,901 Reputation points

2023-04-23T15:09:38.9+00:00

Local logons (i.e., workgroup) don't involve a domain controller.

Answer 4

Rich Matheisen 47,901

I don't think you ever confirmed whether you have more than on domain controller. Do you? If you do, try running this:

$date = (Get-Date).AddDays(-90) 
$fdate = $date.tofiletime()

$DCs = (Get-ADDomainController -Filter *).Name
$users = @{}
ForEach ($dc in $DCs) {
    Get-ADUser -Filter { enabled -eq 'true' -AND ((-not ( LastLogon -like "*")) -OR (LastLogon -lt $fdate)) } -Server $dc -Property LastLogon |
        ForEach-Object {
            if ($users.ContainsKey($_.sAMAccountname)) {
                    if ($users.($_.sAMAccountname)[0] -lt $_.LastLogon) {
                        $users.($_.sAMAccountname)[0] = $_.LastLogon
                    }
                }
                else {
                    $users[$_.sAMAccountname] = $_.LastLogon, $_.Name, $_.distinguishedName
                }
            }
        }
$users.GetEnumerator()|
    ForEach-Object{
        if ($null -ne $_.Value[0] -AND $_.Value[0] -gt 0){
            $last = [DateTime]::FromFileTime($_.Value[0])
        } 
        else {
            $last = 'Never'
        }
        [PSCustomObject]@{
            Name = $_.Value[1]
            SamAccountName = $_.Key
            DistinguishedName = $_.Value[2]
            LastLogon = $last
        }
    } | Export-CSV "C:\Temp\InactiveUsers.CSV" -NoTypeInformation

EDIT: I posted the original (not at all correct) script. The answer now contains the working script.

michael lustig 356 Reputation points

2023-04-24T06:34:46.86+00:00

My computer is part of my DC...I am login to my computer every day but the LastLogonDate property is empty. Maybe i don't understand your question.. i have 3 DC servers.. 2 prod and 1 DMZ
Rich Matheisen 47,901 Reputation points

2023-04-24T14:30:03.8466667+00:00

Your domain login is handled by A domain controller in your users' AD domain. That DC needn't be the one attached to its keyboard.

Given that the LastLogonTimestamp is not replicated amongst your DCs it's not surprising that the property on one of the DCs isn't populated. When you use the Get-ADUser cmdlet without specifying a unique DC, one is chosen at random.

If you want accurate reporting you MUST query each DC in the user accounts' domain and select, in this case, latest date from each DC.
michael lustig 356 Reputation points

2023-04-25T06:44:14.33+00:00

Hi Rich I ran this script on my dc server. my output was very strange... more than 2000 users never logon to their computer. How is can possible?
Rich Matheisen 47,901 Reputation points

2023-04-25T15:34:02.47+00:00

This is embarrassing . . . I posted the wrong script. I wrote the one I posted on a machine that's not a domain member, moved that to a DC and debugged/corrected is there. Then I posted the original script from the workgroup machine (the one with all the original mistakes . . . the incorrect property name, the incorrect subscripts, etc.)!

I'll correct the code in the answer I gave earlier.

Please accept my apology.

Answer 5

Gary Nebbett 6,216

Hello All,

There may be several strands of questions and answers intermingled in this thread. Here is my attempt to untangle some of them.

The various PowerShell cmdlets in the ActiveDirectory module use and combine lower-level APIs to present a simplified and scripting-friendly interface to Active Directory Domain Services. Three ways of comparing/differentiating apparently "similar" cmdlets are:

Read and compare the documentation carefully.
Reverse engineer the cmdlets and understand at the implemenation-level their differences.
Perform several tests of the cmdlets and speculate about the differences.

Each attribute/property in AD/LDAP has a SystemFlags attribute in the schema which indicates, among other things, whether the attribute/property is replicated or constructed.

Most attributes are replicated but "lastLogon" is one of the few which are not.

Some attributes are "constructed" (not saved explicitly in the directory but are constructed/calculated by the LDAP server); "canonicalName" and "tokenGroups" are examples of such attributes. I mention this because "LastLogonDate" has been called a calculated attribute, but this "calculation" is purely internal to the PowerShell cmdlet (just an alternative "presentation" of the "lastLogonTimestamp" attribute).

There is another attribute/property that might be helpful in this case: msDS-LastSuccessfulInteractiveLogonTime.

The LDAP interactions between client and server can be traced with ETW (Event Tracing for Windows) by using the Microsoft-Windows-LDAP-Client provider. Some registry settings are needed to get the most out of this provider but even without them some useful summary information is available. Such traces could help understand differences in results between PowerShell cmdlets; for each search issued, the following is logged:

1 ScopeOfSearch = 2 
2 SearchFilter = (anr=gary) 
3 DistinguishedName = dc=home,dc=org 
4 AttributeList = lastLogonTimestamp;msDS-LastSuccessfulInteractiveLogonTime 
5 ProcessId = 0x6CC

Gary

michael lustig 356 Reputation points

2023-04-24T12:33:15.93+00:00

Hi Gary Thanks for your response. I have several DC servers.. if i want to get the "lastLogon" property of all users... i Have to run the get-aduser on each DC server? How can i get this info?: "1 ScopeOfSearch = 2 2 SearchFilter = (anr=gary) 3 DistinguishedName = dc=home,dc=org 4 AttributeList = lastLogonTimestamp;msDS-LastSuccessfulInteractiveLogonTime 5 ProcessId = 0x6CC "
Gary Nebbett 6,216 Reputation points

2023-04-24T13:30:05.5033333+00:00

Hello Michael,

The main thrust of your questions seems to have been: why does the output of two different PowerShell cmdlets differ. As Rich and I have pointed out, implementation knowledge of the cmdlets is needed to answer this question with confidence.

My suggestion to you is to investigate whether msDS-LastSuccessfulInteractiveLogonTime is a suitable compromise between querying lastLogon on each DC (lastLogon is updated under more circumstances than msDS-LastSuccessfulInteractiveLogonTime ) and querying lastLogonTimestamp (infrequently replicated).

You can obtain the info I mentioned by starting the Microsoft-Windows-LDAP-Client ETW trace provider with any of the myriad commands or PowerShell cmdlets that do this type of thing (e.g. logman, pktmon, "netsh trace", etc.).

Gruss aus Basel.

Gary
Rich Matheisen 47,901 Reputation points

2023-04-24T14:40:16.9533333+00:00

To answer the question "if i want to get the "lastLogon" property of all users... i Have to run the get-aduser on each DC server", the answer is "YES" if you want an accurate view if an AD property that is NOT REPLICATED among domain controllers. The answer to your question "How can i get this info?" is found in the example code I posted on 23 Apr.
michael lustig 356 Reputation points

2023-04-25T05:09:55.6566667+00:00

Rich Thanks

michael lustig 356

Hi Rich I tried to run this script:

$date= (get-date).AddDays(-90) 
$fdate = $date.tofiletime()
Get-ADUser -Filter {(-not ( LastLogonTimeStamp -like "*")) -OR (LastLogonTimeStamp -lt $fdate)} -Property Enabled|
    Where-Object {$_.Enabled -like "true"} |
        Select-Object Name,SamAccountName,DistinguishedName |
            Export-CSV "C:\Temp\InactiveUsers.CSV" -NoTypeInformation

On each DC server..and i didn't get "LastLogonTimeStamp" or "LastLogonDate" property..the property was empty. I tried to run also this script:

$date = (Get-Date).AddDays(-90) 
$fdate = $date.tofiletime()

$DCs = (Get-ADDomainController -Filter *).Name
$users = @{}
ForEach ($dc in $DCs) {
    Get-ADUser -Filter { enabled -eq 'true' -AND ((-not ( LastLogonTimeStamp -like "*")) -OR (LastLogonTimeStamp -lt $fdate)) } -Server $dc -Property LastLogonTimeStamp |
        ForEach-Object {
            if ($users.ContainsKey($_.sAMAccountname)) {
                    if ($users.($_.sAMAccountname)[0] -lt $_.LastLogonTimeStamp) {
                        $users.($_.sAMAccountname)[0] = $_.LastLogonTimeStamp
                    }
                }
                else {
                    $users[$_.sAMAccountname] = $_.LastLogonTimeStamp, $_.Name, $_.distinguishedName,$_.LastLogonDate
                }
            }
        }
    $users.GetEnumerator()|
        ForEach-Object{
            if ($null -ne $_.Value[3]){
                $last = [DateTime]::FromFileTime($_.Value[3])
            } 
            else {
                $last = 'Never'
            }
            [PSCustomObject]@{
                Name = $_.Value[1]
                SamAccountName = $_.Key
                DistinguishedName = $_.Value[2]
                LastLogonTimestamp = $last
            }
        } | Export-CSV "C:\Temp\InactiveUsers.CSV" -NoTypeInformation

but a same thing i didn't get helpfull info.

Gary Nebbett 6,216 Reputation points

2023-04-25T08:29:26.5466667+00:00

Hello Michael,

The attribute that needs to be gathered from each DC is lastLogon, not lastLogonTimestamp.

See https://www.active-directory-faq.de/2021/01/lastlogon-vs-lastlogontimestamp/

Gary
michael lustig 356 Reputation points

2023-04-25T08:59:43.37+00:00

Hi Gary Ok...but some users come with empty lastLogon property( i ran the script on both DC servers).
Gary Nebbett 6,216 Reputation points

2023-04-25T09:09:38.7133333+00:00

Hello Michael,

As Rich, I and the article have all tried to explain, lastLogon will only be updated on the DC used to authenticate the account - this DC is normally the "nearest" DC; some DCs might never be used by a particular user.

The process of iterating over the DCs and collecting the most recent lastLogon, regarding an absent lastLogon as "never", should give a good view of the newest domain-wide lastLogon time.

Gary
Rich Matheisen 47,901 Reputation points

2023-04-25T15:46:36.0866667+00:00

The wrong property wasn't the only problem in the code I originally posted . . . it was the original/buggy version. I replaced the code in my earlier answer with the debuged version. :-(

IIRC, the "nearest" DC won't be the DC you logged on to.
Gary Nebbett 6,216 Reputation points

2023-04-25T17:01:23.12+00:00

Hello Rich,

No issue for me with regard to the code posted - even the original version demonstrated the idea of iterating over the DCs and choosing the most useful response.

What interests me more is your "IIRC" remark. My "IIRC" is that we are both retired (for some time now in my case), but my topic specific recollection is that a binding to the nearest KDC is established (viewable by "klist /query_bind") with the DsGetDcName API or similar being used to find the KDC.

I have some vague recollection that some "weighting" can be applied to the process, but I would need to research that.

Implicit in the above is the assumption that Kerberos is being used for authentication.

Gary
Rich Matheisen 47,901 Reputation points

2023-04-25T18:08:16.34+00:00

Retired in 2014.

Login to a domain also requires a Global Catalog Server. And the "weight" of site connectors, I think, is the determination of "closest". I forget how the selection is made within the same site. Maybe it's random, and maybe the maybe the API is called with the flag that says not to choose yourself? It's all getting blurrier and blurrier.
michael lustig 356 Reputation points

2023-04-27T08:54:04.46+00:00

Hi Rich and Gary

Am i right ,every user is using the closest DC sever for login?

Am i need to looking for "LastLogonTimeStamp" or "LastLogon" property?

I ran this command:

Get-AdUser -Filter * -Properties * | Where-Object {$.LastLogonDate -lt (Get-Date).AddDays(-90) -and $.Enabled -like "true"} | Select DisplayName,@{Name='LastLogon';Expression={[DateTime]::FromFileTime($.LastLogon)}},LastLogonDate,@{Name='LastLogonTimestamp';Expression={[DateTime]::FromFileTime($.LastLogonTimestamp)}} | Export-Csv C:\Temp\InactiveUsers2.CSV -Encoding UTF8

I got good info, but some users come with wrong info:

LastLogOnTimeStamp/LastLogOn: 1/1/1601

It is not possible, this user login to computer today morning.
Gary Nebbett 6,216 Reputation points

2023-04-27T10:18:06.3066667+00:00

Hello Michael,

"every user" is too strong a statement. In a properly configured domain, where site and subnet information is maintained, users probably use a DC near to them (subject to explicit weighting of DCs); it obviously makes no sense (and wastes time) to use a DC in Adelaide Australia if you are sitting in Frankfurt and there is a DC in that city. If a user logs on to a remote desktop in Moscow, they will probably use another DC there. All of these qualifications means that you can't base any reliable assumptions on DC locality.

Gary
michael lustig 356 Reputation points

2023-04-27T10:25:48.25+00:00

Thanks Gary.. but i need reliable info for my boss.

Do you have a script or command to run on my DC server( I have 2 DC servers in my organization).

I need info about all users who don't login to computer at least 90 days.
michael lustig 356 Reputation points

2023-04-30T05:35:08.4433333+00:00

Thanks for your script.

Share via

inactive users in AD

4 additional answers

Your answer