PowerShell: Get Last Domain Logon with Get-ADUserLastLogon

The function covered in this blog post is part of my Active Directory Domain Services Section tool, which was published in 2018. After some time, I decided to create a separate function for each item of the tool, for those who do not want to use the whole tool, which offers much more than querying the last logon of domain users. Here is item 16 of the tool: querying the last logon of an AD user.

Get-ADUserLastLogon

Get-ADUserLastLogon gets the last logon timestamp of an Active Directory user. The lastLogon attribute is not replicated between domain controllers, so each domain controller is queried separately and the most recent value across all DCs is reported.

The function has a single parameter, UserLogonName. Provide the user logon name (SamAccountName). The output also shows which domain controller reports the most recent logon of the user.


Get-ADUserLastLogon -UserLogonName patrick

If a non-existent user name is entered, the function terminates.

If there are no logon reports for a user, the function displays the warning "No reports for user <name>. Possible reason: No first login."

The function will also work in PowerShell 7 and above.

If you like it, have a look at my Download Section to download the *.ps1 file or copy the code below.

The Code


function Get-ADUserLastLogon {

    <#
    .SYNOPSIS
    Get-ADUserLastLogon gets the last logon timestamp of an Active Directory user.

    .DESCRIPTION
    Each domain controller is queried separately to calculate the last logon from all results of all DCs.

    .PARAMETER UserLogonName
    Provide the user logon name (samaccountname) of the user.

    .EXAMPLE
    Get-ADUserLastLogon -UserLogonName s.stollane

    .NOTES
    Author: Patrick Gruenauer
    Web: https://sid-500.com
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        $UserLogonName
    )

    $resultlogon = @()

    Import-Module ActiveDirectory

    # Check that the account exists before querying every domain controller
    $ds = dsquery user -samid $UserLogonName

    If ($ds) {

        $getdc = (Get-ADDomainController -Filter *).Name

        # lastLogon is not replicated, so every DC is asked for its own value
        foreach ($dc in $getdc) {
            Try {
                $user = Get-ADUser $UserLogonName -Server $dc -Properties lastlogon -ErrorAction Stop

                $resultlogon += New-Object -TypeName PSObject -Property ([ordered]@{
                    'User'      = $user.Name
                    'DC'        = $dc
                    'LastLogon' = [datetime]::FromFileTime($user.'lastLogon')
                })
            }
            Catch {
                ''
                Write-Warning "No reports from $($dc)!"
            }
        }

        # An unset lastLogon (0) converts to the FILETIME epoch, 1 January 1601 UTC.
        # Comparing against the epoch instead of matching the text '1601' also works
        # in time zones west of UTC, where the local date falls in the year 1600.
        $logons = $resultlogon | Where-Object {$_.LastLogon -gt [datetime]::FromFileTime(0)}

        $logons | Sort-Object LastLogon -Descending | Select-Object -First 1 | Format-Table -AutoSize

        If ($null -eq $logons) {
            ''
            Write-Warning "No reports for user $($user.name). Possible reason: No first login."
        }
    }
    else {
        throw 'User not found. Check entered username.'
    }
}

How to use it

Copy the code above into PowerShell ISE (ise.exe) or an editor of your choosing and run the code. Then type the command and have fun with it.

If you want the function to be available every time you start PowerShell, create a folder in C:\Program Files\WindowsPowerShell\Modules and name it Get-ADUserLastLogon. Then save the code as a .psm1 file in that folder.
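The same per-DC comparison applied to every user in the domain, with CSV export, for clean-up reviews of stale accounts. This is an added example, not part of the original post or the author's tool; the function name Get-ADAllUsersLastLogon and the output file name are assumptions.

```powershell
Import-Module ActiveDirectory

# Hypothetical function name; not part of the original tool
function Get-ADAllUsersLastLogon {
    [CmdletBinding()]
    param ()

    $latest = @{}   # SamAccountName -> newest record seen so far

    foreach ($dc in (Get-ADDomainController -Filter *).Name) {
        Try {
            # One bulk query per DC instead of one query per user and DC
            $users = Get-ADUser -Filter * -Server $dc -Properties lastLogon -ErrorAction Stop
        }
        Catch {
            Write-Warning "No reports from $($dc)!"
            continue
        }

        foreach ($u in $users) {
            $stamp = [int64]$u.lastLogon   # an unset attribute becomes 0
            $known = $latest[$u.SamAccountName]
            if ($null -eq $known -or $stamp -gt $known.Raw) {
                $latest[$u.SamAccountName] = [pscustomobject]@{
                    User = $u.SamAccountName; DC = $dc; Raw = $stamp
                }
            }
        }
    }

    foreach ($entry in $latest.Values) {
        $seen = $entry.Raw -gt 0   # 0 means no DC has recorded a logon
        [pscustomobject]@{
            User      = $entry.User
            DC        = if ($seen) { $entry.DC } else { $null }
            LastLogon = if ($seen) { [datetime]::FromFileTime($entry.Raw) } else { $null }
        }
    }
}

# Never-logged-on accounts (empty LastLogon) sort first, then the oldest logons
Get-ADAllUsersLastLogon | Sort-Object LastLogon |
    Export-Csv -Path .\LastLogonAllUsers.csv -NoTypeInformation
```

A domain controller that cannot be reached only produces a warning, so treat the CSV as incomplete whenever a warning appears: the newest logon of an account may be stored on the DC that did not answer.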

9 replies »

  1. Is there a reason why you first use ‘dsquery’ and then ‘Get-ADUser’? Wouldn’t it be better to use Get-ADUser all the way?

  2. How about all users in the domain?

    We have multiple DCs, not many users, but still need to know all as this is part of cleaning up.

  3. Hi Patrick,

    Thanks for the code, can you please advise if this is run against one user or all users in the AD?
    Also, can I export this to a CSV to verify the data?

  4. Hello, thanks for sharing.
    There is something on my mind:
    “Which computer was the user logged on to last?”
    Can this be added to the code?