0

I want to get most accurate last logon time for Computer Objects via powershell.

why is returning lastlogon attribute like below ? is it normal ?

Name              : SRV01
samAccountName    : SRV01$
DistinguishedName : CN=SRV01,DC=contoso,DC=local
lastLogon         : 133000120204176004
OperatingSystem   : Windows Server 2016 Standard
LastLogonDate     : 6/18/2022 10:47:00 AM

Script :

$AllDCs = Get-ADDomainController -Filter * # Get all DCs in the Domain   
$logons = [System.Collections.Generic.Dictionary[string,object]]::new()

$params = @{
    LDAPFilter = '(LastLogon=*)' # Only find computers that have this Property
    SearchBase = 'DC=contoso,DC=local'
    Properties = @(
        'Name'
        'samAccountName'
        'DistinguishedName'
        'lastLogon'
        'OperatingSystem'
    )
}

foreach($DC in $AllDCs)
{
    $params.Server = $DC
    # Find all computers using this target DC
    $computerList = Get-ADComputer @params |
    Select-Object @(
        $params.Properties
        @{
            Name = 'LastLogonDate'
            Expression = { [datetime]::FromFileTime($_.LastLogon) }
        }
    )
    
    foreach($computer in $computerList)
    {
        if($logons[$computer.samAccountName].lastLogonDate -lt $computer.lastLogonDate)
        {


            $logons[$computer.samAccountName] = $computer
        }
    }
}

$logons.Values
Improve this question
2
  • 3
    Yes, it's completely normal for the lastLogon attribute value to be returned as a number because it's stored in Windows FileTime format: [learn.microsoft.com/en-us/windows/win32/sysinfo/file-times], which represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 UTC. In your script above, you've already converted it to a human readable date by using the [datetime]::FromFileTime function Commented Jun 18, 2022 at 11:04
  • You can change the dictionary for a simple hashtable. Not sure what I was thinking Commented Jun 18, 2022 at 13:43

1 Answer 1

Reset to default
1

As NiMux explained in his helpful comment and as stated in the Active Directory Schema (AD Schema) MS Docs for this attribute:

The last time the user logged on. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last logon time is unknown.

Below code shows you how you can exclude this property from the output and only keep it's friendly / human readable representation - [datetime]::FromFileTime($_.LastLogon) - as well as some performance improvements.

Dictionary<TKey,TValue> can be replaced with a hashtable, in this case, it is not a performance improvement but also using the generic class will likely not provide a performance gain.

Constructing new objects of all queried computers per Domain Controller is inefficient and should be removed, we're only interested in reconstructing the objects once (once we have the results from the query - bottom part of the code).

$AllDCs = Get-ADDomainController -Filter *
$logons = @{}

$params = @{
    LDAPFilter = '(LastLogon=*)'
    SearchBase = 'DC=contoso,DC=local'
    Properties = 'lastLogon', 'OperatingSystem'
}

foreach($DC in $AllDCs) {
    $params['Server'] = $DC
    # Find all computers using this target DC
    foreach($computer in Get-ADComputer @params) {
        # if the reference `lastLogon` in the hashtable is lower than this `lastLogon`
        if($logons[$computer.samAccountName].lastLogon -lt $computer.lastLogon) {
            # replace the value for this key with this object
            $logons[$computer.samAccountName] = $computer
        }
    }
}

# construct the output
& {
    foreach($key in $logons.PSBase.Keys) {
        $value = $logons[$key]

        [pscustomobject]@{
            Name              = $value.Name
            samAccountName    = $value.samAccountName
            DistinguishedName = $value.DistinguishedName
            LastLogonDate     = [datetime]::FromFileTime($value.LastLogon)
            OperatingSystem   = $value.OperatingSystem
        }
    }
} | Export-Csv path/to/output.csv -NoTypeInformation
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Hi , I have a question. have you had a chance take a look my issue ? stackoverflow.com/questions/75906202/…

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.