Active Directory administrators usually rely on the lastlogontimestamp attribute to identify inactive users. That is adequate for finding stale accounts, but the value of this attribute can be 9-14 days behind the actual last logon. That is why it cannot be used to determine the exact last logon date and time of active users.

To identify the exact last logon date and time of an Active Directory user, you need to connect to each Domain Controller (DC) in the user's domain and read the lastlogon attribute of the user account from each one, because this attribute is not replicated between DCs. Then compare these values and keep only the highest one, as it represents the most recent logon.

Doing this by hand is tedious, especially in a large Active Directory environment. To make it easier, this PowerShell script automatically extracts the lastlogon values from the Domain Controllers of the user's domain and identifies the highest one. It tells you the exact last logon date and time of a user account and the Domain Controller last used for authentication.

You only need to replace contoso.msft with the user domain name; when you run the script, you will be asked for the samaccountname of the user account.

PowerShell
###############################################################
# Get_User Last_Logon_v1.1.ps1
# Version 1.1
# Changelog : n/a
# MALEK Ahmed - 17 / 03 / 2013
###############################################################

##################
#--------Config
##################

$domain = "contoso.msft"

##################
#--------Main
##################

Import-Module ActiveDirectory
Clear-Host
"The domain is " + $domain
$samaccountname = Read-Host 'What is the User samaccountname?'
"Processing the checks ..."

# Enumerate every server registered in the forest's sites, then keep those in the user domain.
$myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$DomainControllers = $myForest.Sites | ForEach-Object { $_.Servers } | Select-Object Name
$RealUserLastLogon = [DateTime]::MinValue   # highest lastLogon seen so far
$LastusedDC = $null
$domainsuffix = "*." + $domain

foreach ($DomainController in $DomainControllers)
{
    if ($DomainController.Name -like $domainsuffix)
    {
        try
        {
            # lastLogon is not replicated, so each DC holds its own value for the user.
            $UserLastlogon = Get-ADUser -Identity $samaccountname -Properties LastLogon -Server $DomainController.Name -ErrorAction Stop
        }
        catch
        {
            # An unreachable or failing DC must not abort the whole check.
            Write-Warning ("Could not query " + $DomainController.Name + ": " + $_.Exception.Message)
            continue
        }
        # A null or zero lastLogon means the user never authenticated against this DC.
        if (-not $UserLastlogon.LastLogon) { continue }
        $DCLastLogon = [DateTime]::FromFileTime($UserLastlogon.LastLogon)
        if ($DCLastLogon -gt $RealUserLastLogon)
        {
            $RealUserLastLogon = $DCLastLogon
            $LastusedDC = $DomainController.Name
        }
    }
}

if ($LastusedDC)
{
    "The last logon occurred on " + $RealUserLastLogon
    "It was done against " + $LastusedDC
}
else
{
    "No lastLogon value was found for " + $samaccountname + " on any reachable Domain Controller."
}
$message = "Press Enter to exit"
$exit = Read-Host $message
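Extending the script above from one account to an inactive-account review, as an added example that is not part of the original script: it asks every DC in the domain (enumerated with Get-ADDomainController) for its lastLogon copy, keeps the highest value per enabled user, and lists accounts with no logon within a threshold. $inactiveDays and the report layout are assumptions; the domain name is the same placeholder as in the script.

```powershell
# Added example: inactive-user report built from the true lastLogon value
# across all DCs. Assumes the RSAT ActiveDirectory module is installed and the
# account running it can read user objects on every DC in $domain.
Import-Module ActiveDirectory

$domain       = "contoso.msft"   # placeholder, replace with the user domain
$inactiveDays = 90               # assumed threshold for "inactive"

$cutoff = (Get-Date).AddDays(-$inactiveDays)
$latest = @{}   # SamAccountName -> @{ When = [DateTime]; DC = [string] }

# Enumerate the domain's DCs from AD itself instead of filtering forest sites by name suffix.
$dcs = Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    try {
        # lastLogon is not replicated, so each DC must be asked for its own copy.
        $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogon -Server $dc -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $dc : $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        # A null or zero lastLogon means the user never authenticated against this DC.
        if (-not $u.lastLogon) { continue }
        $when = [DateTime]::FromFileTime($u.lastLogon)
        $name = $u.SamAccountName
        if (-not $latest.ContainsKey($name) -or $when -gt $latest[$name].When) {
            $latest[$name] = @{ When = $when; DC = $dc }
        }
    }
}

# Users never seen on any reachable DC are listed too, so the review does not silently drop them.
$allEnabled = Get-ADUser -Filter 'Enabled -eq $true' -Server $domain
$report = foreach ($u in $allEnabled) {
    $entry = $latest[$u.SamAccountName]
    if (-not $entry -or $entry.When -lt $cutoff) {
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            LastLogon      = if ($entry) { $entry.When } else { $null }
            LastUsedDC     = if ($entry) { $entry.DC } else { 'never seen' }
        }
    }
}
$report | Sort-Object LastLogon | Format-Table -AutoSize
```

If a DC is skipped with a warning, treat the report as incomplete for that DC's site until it can be queried, since a user whose only logons were against it would otherwise appear inactive.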