Hi,
I am trying to create a script that will give me a list of all computers on Active Directory last logged in or booted up. Can anyone help with this please?
Thanks
Waqkas,
I hope all is well. You can try starting with the script below. It is able to be modified for O/S type, as shown:
# Enabled Windows client computers (excludes Windows Server and Windows 7).
# Export-Csv writes real CSV rows; Format-Table output is display text only.
Get-ADComputer -Properties OperatingSystem, LastLogonDate -Filter {
    Enabled -eq $True -and
    OperatingSystem -like 'Windows*' -and
    OperatingSystem -notlike "Windows Server*" -and
    OperatingSystem -notlike "Windows 7*"
} -SearchBase "DC=hhmtx,DC=org" |
    Select-Object Name, OperatingSystem, LastLogonDate |
    Export-Csv -Path C:\Temp\ComputerLasLogonDate.csv -NoTypeInformation
NOTE THE FOLLOWING !!
Keep in mind that LastLogonDate is a converted version of LastLogonTimeStamp. LastLogonTimeStamp is not the most accurate representation of actual computer last logon time. By default, it could be off by 14 days. More info -
If you want to get a more precise last logon time you should use the lastLogon attribute, but it is not replicated to all domain controllers so you have to iterate all your domain controllers to get the latest value. You would have to calculate the last logon time and then you would be able to limit it to "last 30/60/90 days".
Hope that helps you to get started.
Cheers,
Adam
Waqkas,
Another option would be as noted below. You would have to modify the path in the searchbase line for the OU designators to match the structure of your environment:
#Captures all computers in the selected OU
$computers = Get-ADComputer -Filter * -Properties lastlogondate -SearchBase "OU=Servers,DC=contoso,DC=local"
#initializes the final report
$Report = @()
foreach ($computer in $computers)
{
    Try
    {
        $Lastlogontime = $computer.lastlogondate
        $explorerprocess = get-wmiobject win32_process -ComputerName $computer.Name -ErrorAction stop | where name -Match explorer
        $LoggedOnUser = $explorerprocess.getowner().user
    }
    #If PC can't be contacted will set the output values
    Catch
    {
        $report += New-object PSObject -property @{
            "Computer Name" = $computer.Name
            "Powered On" = $Lastlogontime
            "Last Logged On User" = "Unknown"
            "Status" = "Unknown"
            "ErrorMessage" = "Unable to contact"
        }
        Continue
    }
    #Outputs the requested values
    $Report += New-Object PSObject -property @{
        "Computer Name" = $computer.Name
        "Powered On" = $Lastlogontime
        "Last Logged On User" = $loggedonuser
        "Status" = "Connected"
        "ErrorMessage" = "None"
    }
}
$Report | Out-GridView
I prefer to use the PasswordLastSet property to find stale computers. A Windows machine will reset its computer account password every 30 days by default. The below script looks for systems that have not reset their password in over 365 days :
$date = [DateTime]::Today.AddDays(-365)
Get-ADComputer -Filter 'PasswordLastSet -le $date' -SearchBase "OU=MyCompOU,DC=example,DC=com" -properties * | select Name,PasswordLastSet,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | export-csv comps.csv
And if you wanted to remove stale computers:
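# $date is the cutoff defined in the previous snippet.
# Deletes every matching account without prompting; add -WhatIf to Remove-ADObject to preview first.
Get-ADComputer -Filter 'PasswordLastSet -le $date' | foreach-object {
    Remove-ADObject -Identity $_ -Recursive -confirm:$false
}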
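An added example (not from any poster in this thread) that combines the two staleness signals discussed above, PasswordLastSet and LastLogonDate, and allows for the 14-day lag noted earlier, so an account is flagged only when both signals are old. `Select-StaleComputer`, its parameters and the sample accounts are assumptions made for illustration.

```powershell
# Added example. Select-StaleComputer is a hypothetical helper name.
# Input: objects with Name, Enabled, PasswordLastSet and LastLogonDate, the shape
# returned by Get-ADComputer -Properties PasswordLastSet, LastLogonDate.
function Select-StaleComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $DaysInactive = 365,       # threshold used in the post above
        [int] $LogonSlackDays = 14       # LastLogonDate may lag by this much
    )
    begin {
        $pwdCutoff   = [DateTime]::Today.AddDays(-$DaysInactive)
        $logonCutoff = $pwdCutoff.AddDays(-$LogonSlackDays)
    }
    process {
        if (-not $Computer.Enabled) { return }   # already disabled, skip
        $pwSet = $Computer.PasswordLastSet
        $logon = $Computer.LastLogonDate
        if ($null -eq $pwSet -and $null -eq $logon) {
            # Pre-staged or never-joined account: no date evidence either way
            $reason = 'No password or logon date; review manually'
        }
        elseif (($null -eq $pwSet -or $pwSet -le $pwdCutoff) -and
                ($null -eq $logon -or $logon -le $logonCutoff)) {
            $reason = 'Password and logon both older than cutoff'
        }
        else { return }                          # at least one recent signal
        [pscustomobject]@{
            Name            = $Computer.Name
            PasswordLastSet = $pwSet
            LastLogonDate   = $logon
            Reason          = $reason
        }
    }
}

# Constructed sample accounts (not real data)
$today  = [DateTime]::Today
$sample = @(
    [pscustomobject]@{ Name = 'PC-ACTIVE';    Enabled = $true;  PasswordLastSet = $today.AddDays(-20);  LastLogonDate = $today.AddDays(-3) }
    [pscustomobject]@{ Name = 'PC-NOROTATE';  Enabled = $true;  PasswordLastSet = $today.AddDays(-500); LastLogonDate = $today.AddDays(-5) }
    [pscustomobject]@{ Name = 'PC-STALE';     Enabled = $true;  PasswordLastSet = $today.AddDays(-700); LastLogonDate = $today.AddDays(-690) }
    [pscustomobject]@{ Name = 'PC-PRESTAGED'; Enabled = $true;  PasswordLastSet = $null;                LastLogonDate = $null }
    [pscustomobject]@{ Name = 'PC-DISABLED';  Enabled = $false; PasswordLastSet = $today.AddDays(-900); LastLogonDate = $today.AddDays(-900) }
)
$sample | Select-StaleComputer | Format-Table -AutoSize
```

With the ActiveDirectory module loaded, the output of `Get-ADComputer -Filter * -Properties PasswordLastSet, LastLogonDate` can be piped into the same function. Passing the flagged accounts to `Disable-ADAccount -WhatIf` shows what would change before anything is disabled or removed.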
Hey @Waqkas-Ahmed,
Here is a script that I found in the Technet Gallery. The original script worked, but prompted you for a computer name, therefore only did one at a time. I have modified it to return all computers and loop through them. In a large environment, this might be a little slow. You can modify the Get-ADComputer command with some of the filters from @Adam-Gordon's post to limit what type of computers are looked up, or limit the search to a particular OU.
I also added a progress bar and the ability to output to an HTML file, just because PowerShell is so much fun.
This script takes one computer at a time, checks with each domain controller to see what the last logon time is for that computer, and records the latest one. This is necessary because the lastLogon attribute is not replicated, and you don't know which domain controller was used for authentication.
###############################################################
# Get_Computer Last_Logon_v1.1.ps1
# Version 1.0
# Changelog : n/a
# MALEK Ahmed - 29 / 06 / 2017
# Modified by mike@itpro.tv 6/13/18
###################
##################
#--------Config
##################
$domain = "itprotvdemo.com"
##################
#--------Main
##################
Import-Module ActiveDirectory
cls
$myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domaincontrollers = $myforest.Sites | % { $_.Servers } | Select Name
$RealComputerLastLogon = $null
$LastusedDC = $null
$domainsuffix = "*."+$domain
$computerNames = (Get-ADComputer -Filter *).name
$computerCollection = New-Object System.Collections.ArrayList
$i = 0
foreach ($computerName in $computernames)
{
    $i++
    foreach ($DomainController in $DomainControllers)
    {
        if ($DomainController.Name -like $domainsuffix)
        {
            $ComputerLastlogon = Get-ADComputer -Identity $computername -Properties LastLogon -Server $DomainController.Name
            if ($RealComputerLastLogon -le [DateTime]::FromFileTime($ComputerLastlogon.LastLogon))
            {
                $RealComputerLastLogon = [DateTime]::FromFileTime($ComputerLastlogon.LastLogon)
                $LastusedDC = $DomainController.Name
            }
        }
    }
    $temp = New-Object System.Object
    $temp | Add-Member -MemberType NoteProperty -Name "Computer" -Value $computerName
    $temp | Add-Member -MemberType NoteProperty -Name "Date" -Value $RealComputerLastLogon
    $temp | Add-Member -MemberType NoteProperty -Name "DC" -Value $LastusedDC
    $computerCollection.Add($temp) | Out-Null
    $ComputerLastlogon = ""
    $RealComputerLastLogon = ""
    $LastusedDC = ""
    Write-Progress -Activity "Collecting Data" -status $computerName -percentComplete ($i / $computerNames.count*100)
}
$computerCollection | Sort-Object -Property date
#####
# Uncomment section below to output an HTML file, make sure to update FilePath
#####
<#
$Header = @"
<style>
TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #6495ED;}
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;}
</style>
"@
$computerCollection | Sort-Object -Property date | ConvertTo-Html -Head $header | Out-File -FilePath <replaceWithYourPath>
#>
Mike Rodrick
Edutainer, ITProTV
**if the post above has answered the question, please mark the topic as solved.
@mike-rodrick Thanks. I managed to write the script.