I can’t really take the credit for this. I was at a client’s site a few weeks ago, and they were doing this. I thought ‘That’s cool, I’ll have a play with that when I get the chance’.
Essentially, you update the description of the Computer object(s) in AD so that they list:
The last user who logged on.
What time they logged on.
What AD ‘Site’ the machine is in.
Model of the PC/Laptop.
Serial Number of the machine.
Operating System.
32 or 64 bit.
I tested it in VMware so my machine type and serial number are a little misleading but this is what it looks like.
Now I can think of loads of situations when that information would be very helpful.
Solution : Last User
So how do you do it? Well, making a change to a computer’s ‘Description’ field in AD requires some rights. Locate the OU (or OUs) that contain your computers/servers and open the advanced properties on their security tab.
You can either ‘Add’ (as shown), or select the existing ‘Authenticated Users’ object from the list.
Change the ‘Applies to’ section to ‘Descendant Computer Objects’.
Scroll down and tick ‘Write Description’.
Isn’t that dangerous? Well, not really: it gives users the right to change a computer object’s description field, but they would need to have the technical ability to do so. And if they did, it would get overwritten the next time a user logged on to that machine anyway.
Download the ComputerDescriptionLogonStamp.zip file, and extract the two files you find inside it, into your domain netlogon share (\\{your-domain-name}\netlogon). Edit the domain name in the ComputerDescriptionLogonStamp.bat file so it matches YOUR domain name not mine!
Now create a new Group Policy Object, linked to your USERS.
Edit the policy, and navigate to:
[box]User Configuration > Windows Settings > Scripts > Logon[/box]
Add in the UNC path to the ComputerDescriptionLogonStamp.bat file (Note: Make sure you use a UNC path to your Netlogon folder, and do NOT browse locally to the file. If the path looks like C:\windows\sysvol\pnl.con\sysvol\ComputerDescriptionLogonStamp.bat, IT WON’T WORK.)
Close the Group policy editor, then either wait, or force a group policy update.
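A PowerShell take on such a logon stamp, as an added example: it is not the contents of ComputerDescriptionLogonStamp.zip, and the field order and separator are assumptions. It needs PowerShell 3.0 or later and the ‘Write Description’ permission delegated above.

```powershell
# Added example (not the script from the zip): stamp logon details into the
# 'description' attribute of this computer's AD object. Runs as the user who
# is logging on, so it relies on the delegated 'Write Description' right.

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$os   = Get-CimInstance -ClassName Win32_OperatingSystem

try {
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
} catch {
    $site = 'UnknownSite'   # e.g. subnet not mapped to a site, or no DC reachable
}

# Field order and the ' | ' separator are assumptions; adjust to taste.
$fields = @(
    $env:USERNAME
    (Get-Date -Format 'yyyy-MM-dd HH:mm')
    $site
    "$($cs.Model)".Trim()
    "$($bios.SerialNumber)".Trim()
    "$($os.Caption)".Trim()
    $os.OSArchitecture
)
$stamp = $fields -join ' | '

# Locate this machine's own computer object; sAMAccountName is NAME + '$'.
$filter   = '(&(objectCategory=computer)(sAMAccountName={0}$))' -f $env:COMPUTERNAME
$searcher = [adsisearcher]$filter
$result   = $searcher.FindOne()

if ($null -eq $result) {
    Write-Warning "No computer object found for $env:COMPUTERNAME"
    return
}

try {
    $computer = $result.GetDirectoryEntry()
    $computer.Put('description', $stamp)
    $computer.SetInfo()   # fails with 'access denied' if the ACL change is missing
} catch {
    Write-Warning "Could not update description: $($_.Exception.Message)"
}
```

Because the delegation lets any authenticated user write this attribute, treat the stamp as a helpdesk convenience and not as audit evidence; the authoritative record of logons is the Security event log.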
Active Directory keeps a log of the last time a domain user authenticated to the domain (from Server 2000 onwards). The drawback with 2000 is that this value didn’t replicate, so you had to query each domain controller and cobble the results together.
After 2003 this value was replicated (after convergence) to all domain controllers.
Solution
Update: Here’s a much better way of showing who logged on last, on a computer-by-computer basis.
There are various scripts that will do this for you, but the best way of finding your users last logon time is to run ADTidy.
Run this on a domain controller and it will list your domain users, the last time they logged on, (and what DC authenticated them).
Note: If you have mobile devices (e.g. phones picking up Exchange mail) these events will be logged as well, so don’t panic if you see authentication events at odd times.
In addition, this software will also let you disable/delete inactive accounts, and export the details to a CSV file.
Related Articles, References, Credits, or External Links
File > Save As > Save the file as Users-Last-Logon.ps1 > Change the file type to ‘All Files’ > Save it in C:\Windows\System32.
2. Open PowerShell, and execute the following commands;
[box]
cd c:\Windows\System32
./Users-Last-Logon.ps1
[/box]
3. Navigate to c:\Windows\System32 and locate the Users-Last-Logon.csv file.
4. Open the file in Excel, and you can sort the ‘Last Logon’ column, to get the users in the correct order.
Update 24/05/13
Email from reader ‘Simon’
I read your article “PowerShell – List All Domain Users and Their Last Logon Time” and it helped me out a lot. Thank you very much for this.
May I suggest adding a filter option to the script, in order to get more results. Currently the script limits the result to 1000. In my environment there are more users than that.
I added $objstalesearcher.PageSize=4000 to the script, and I got all the users from my domain.
Again, thank you very much for the script you provided. Saved me tons of time!