Auditing your AD accounts regularly is important for addressing security issues, and it will also save you money on licenses for accounts that are not needed. Querying for the last logon time is a good start, since it shows accounts that have not been used in a long time. However, it gives no information about accounts that have never logged on since they were created. The following PowerShell script queries for accounts with no logons.

```powershell
# Enabled accounts created more than 120 days ago that have never logged on.
# lastLogonTimestamp is replicated between DCs, so one query is enough, but it is
# only refreshed when the stored value is older than msDS-LogonTimeSyncInterval
# (14 days by default), so a very recent logon may not be reflected yet.
$createdtime = (Get-Date).AddDays(-120)
Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true) -and (whencreated -lt $createdtime)} |
    Select-Object Name, DistinguishedName |
    Export-Csv "C:\NeverLoggedOnUsers.csv" -NoTypeInformation -Encoding UTF8
```
The output of the query looks like this:
```text
"Name","DistinguishedName"
"John Doe","CN=John Doe,OU=Employee,OU=Accounts,DC=corp,DC=company,DC=com"
"Mary Jane","CN=Mary Jane,OU=Employee,OU=Accounts,DC=corp,DC=company,DC=com"
```
The following PowerShell script queries for both accounts with no logons and last logon times. I found this one on virtuallyjason.blogspot.com. It does a great job of formatting the results.

```powershell
#Gets a list of Active Directory accounts that haven't been logged into for a specified number of days. This queries each of the specified Domain Controllers, as each one only stores the last time that it authenticated a given account.
#Authors: Jason Coleman (virtuallyjason.blogspot.com), Bob Westendorf
#Usage: Get-UnusedAccounts -Days -DCName -SearchBase -Filter
#Example: Get-UnusedAccounts -Days 90 -DCName SacDC* -SearchBase "ou=MyUsers,dc=Company,dc=Local" -Filter *
Param
(
    $Days = 90,
    $DCName = "*",
    $SearchBase = "dc=corp,dc=company,dc=com",
    $Filter = "*"
)
$OutUsers = @()
#Resolve the list of DCs once, instead of once per user
$DCs = Get-ADDomainController -Filter {Name -like $DCName} | Select-Object -ExpandProperty Name
#Accounts whose newest logon is older than this file time are reported
$Threshold = (Get-Date).AddDays(-$Days).ToFileTime()
ForEach ($ADUser in (Get-ADUser -Filter $Filter -SearchScope Subtree -SearchBase $SearchBase -Properties SamAccountName,Description,WhenCreated | Where-Object {$_.Enabled -eq $True}))
{
    #Creates a dummy user object with properties to be filled later
    $ObjUser = "" | Select-Object SamAccountName,Description,WhenCreated,LastLogon,LastLogonInt
    #Sets the baseline logon date as the day that the account was created, to protect new accounts that have never logged in
    $UserLastLogon = $ADUser.WhenCreated.ToFileTime()
    #Check each DC for when it last authenticated the user, storing the latest logon in $UserLastLogon
    ForEach ($ThisDC in $DCs)
    {
        $User = Get-ADUser -Identity $ADUser -Server $ThisDC -Properties LastLogon
        If ($User.LastLogon -gt $UserLastLogon)
        {
            $UserLastLogon = $User.LastLogon
        }
    }
    #Format the date as a string for output
    If ($UserLastLogon -eq $ADUser.WhenCreated.ToFileTime())
    {
        $UserLastLogonOutput = "Never"
    }
    #The post was cut off at the line above; the remainder completes the script as its header describes
    Else
    {
        $UserLastLogonOutput = ([DateTime]::FromFileTime($UserLastLogon)).ToString()
    }
    #Keep only accounts whose newest logon (or creation date, if never logged on) is older than the threshold
    If ($UserLastLogon -lt $Threshold)
    {
        $ObjUser.SamAccountName = $ADUser.SamAccountName
        $ObjUser.Description = $ADUser.Description
        $ObjUser.WhenCreated = $ADUser.WhenCreated
        $ObjUser.LastLogon = $UserLastLogonOutput
        $ObjUser.LastLogonInt = $UserLastLogon
        $OutUsers += $ObjUser
    }
}
$OutUsers | Sort-Object LastLogonInt | Format-Table SamAccountName,Description,WhenCreated,LastLogon
```
The output of the report looks like this:
```text
SamAccountName Description                WhenCreated           LastLogon
-------------- -----------                -----------           ---------
Admin          Built-in account for admin... 7/28/2015 2:20:30 PM  2/3/2016 6:15 PM
mary.jane      Service account for the Sy... 8/13/2016 10:48:12 AM Never
```
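As an added example (not code from this post or from virtuallyjason.blogspot.com), here is a follow-up script that consumes the NeverLoggedOnUsers.csv produced by the first script and disables the accounts it lists, re-checking each account against the live directory first and defaulting to -WhatIf so nothing changes until -Apply is given. The -Apply switch, the skip rules and the "OU=Disabled" target path are assumptions; replace the OU with one that exists in your domain.

```powershell
# Added example: act on the never-logged-on report from the first script.
# Runs in report-only mode (-WhatIf) unless -Apply is passed.
Param(
    [string]$ReportPath = "C:\NeverLoggedOnUsers.csv",
    [string]$DisabledOU = "OU=Disabled,OU=Accounts,DC=corp,DC=company,DC=com",  # placeholder OU
    [int]$MinAgeDays = 120,
    [switch]$Apply
)
$cutoff = (Get-Date).AddDays(-$MinAgeDays)
$log = @()
ForEach ($row in (Import-Csv $ReportPath)) {
    # Re-read the live object: the CSV may be stale, and these attributes decide whether it is safe to touch
    $u = Get-ADUser -Identity $row.DistinguishedName -Properties lastLogonTimestamp,whenCreated,adminCount,ServicePrincipalNames,Description
    $reason = $null
    If (-not $u.Enabled)                          { $reason = "already disabled" }
    ElseIf ($u.lastLogonTimestamp)                { $reason = "logged on since the report was made" }
    ElseIf ($u.whenCreated -gt $cutoff)           { $reason = "created within the last $MinAgeDays days" }
    ElseIf ($u.adminCount -eq 1)                  { $reason = "protected (adminCount=1), review by hand" }
    ElseIf ($u.ServicePrincipalNames.Count -gt 0) { $reason = "has SPNs, likely a service account" }
    If ($reason) {
        $log += [pscustomobject]@{ Account = $u.SamAccountName; Action = "skip"; Reason = $reason }
        Continue
    }
    # Stamp the description so the change is traceable, then disable and move the account
    $stamp = "Disabled by never-logged-on audit $(Get-Date -Format yyyy-MM-dd) | $($u.Description)"
    Set-ADUser -Identity $u -Enabled $false -Description $stamp -WhatIf:(-not $Apply)
    Move-ADObject -Identity $u -TargetPath $DisabledOU -WhatIf:(-not $Apply)
    $action = If ($Apply) { "disabled" } Else { "would disable" }
    $log += [pscustomobject]@{ Account = $u.SamAccountName; Action = $action; Reason = "never logged on, created $($u.whenCreated.ToShortDateString())" }
}
$log | Format-Table -AutoSize
```

Keep the printed log with the original CSV; together they record what the audit found and what was changed, which is what you will want when an owner asks why an account stopped working.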
Tagged With: PowerShell, Windows AD