AD query for accounts with no logons

Posted February 4, 2017 in Technology

Auditing your AD accounts regularly is important in order to address security issues, and it also saves you money on licenses for accounts that are not needed. Querying for the last logon time is a good start, since it shows accounts that have not been used in a long time. However, it gives you no information about accounts that have never logged on since being created. The following PowerShell script queries for enabled accounts with no logons (it skips accounts created in the last 120 days, so new accounts are not flagged).

Import-Module ActiveDirectory
# Accounts created more than 120 days ago are old enough that "never logged on" is meaningful
$createdtime = (Get-Date).AddDays(-120)
# lastlogontimestamp -notlike "*" matches accounts where the attribute was never set, i.e. no replicated logon at all
Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true) -and (whencreated -lt $createdtime)} |
Select Name,DistinguishedName |
Export-CSV "C:\NeverLoggedOnUsers.csv" -NoTypeInformation -Encoding UTF8

The output of the query looks like this:

"Name","DistinguishedName"
"John Doe","CN=John Doe,OU=Employee,OU=Accounts,DC=corp,DC=company,DC=com"
"Mary Jane","CN=Mary Jane,OU=Employee,OU=Accounts,DC=corp,DC=company,DC=com"

The following PowerShell script queries for both accounts with no logons and the last logon times of the remaining accounts. I found this one at virtuallyjason.blogspot.com. It does a great job of formatting the results.

#Gets a list of Active Directory accounts that haven't been logged into for a specified number of days.  This queries each of the specified Domain Controllers, as each one only stores the last time that it authenticated a given account.
#Authors: Jason Coleman (virtuallyjason.blogspot.com), Bob Westendorf
#Usage: Get-UnusedAccounts -Days <days> -DCName <DC name pattern> -SearchBase <OU distinguished name> -Filter <AD filter>
#Example: Get-UnusedAccounts -Days 90 -DCName SacDC* -SearchBase "ou=MyUsers,dc=Company,dc=Local" -Filter *
Param
(
        $Days = 90,
        $DCName = "*",
        $SearchBase = "dc=corp,dc=company,dc=com",
        $Filter = "*"
)

Import-Module ActiveDirectory

$OutUsers = @()
ForEach ($ADUser in (Get-ADUser -Filter $Filter -SearchScope subtree -SearchBase $SearchBase -Properties SamAccountName,Description,WhenCreated | ? {$_.Enabled -eq $True}))
{
    #Creates a dummy user object with properties to be filled later
    $ObjUser = "" | Select SamAccountName,Description,WhenCreated,LastLogon,LastLogonInt

    #Sets the baseline logon date as the day that the account was created, to protect new accounts that have never logged in
    $UserLastLogon = $ADUser.WhenCreated.ToFileTime()

    #Check each DC for when it last authenticated the user, storing the latest logon in $UserLastLogon
    #(LastLogon is not replicated, so every DC must be asked for its own value)
    ForEach ($ThisDC in (Get-ADDomainController -Filter {Name -like $DCName} | Select -ExpandProperty Name))
    {
        $User = Get-ADUser -Identity $ADUser -Server $ThisDC -Properties LastLogon
        If ($User.LastLogon -gt $UserLastLogon)
        {
            $UserLastLogon = $User.LastLogon
        }
    }

    #Format the date as a string for output
    If ($UserLastLogon -eq $ADUser.WhenCreated.ToFileTime())
    {
        $UserLastLogonOutput = "Never"
    }
    Else
    {
        $UserLastLogonOutput = [DateTime]::FromFileTime($UserLastLogon)
    }

    #Remainder reconstructed from the object layout above and the report below: fill the object, collect it, then filter by -Days
    $ObjUser.SamAccountName = $ADUser.SamAccountName
    $ObjUser.Description    = $ADUser.Description
    $ObjUser.WhenCreated    = $ADUser.WhenCreated
    $ObjUser.LastLogon      = $UserLastLogonOutput
    $ObjUser.LastLogonInt   = $UserLastLogon
    $OutUsers += $ObjUser
}

#Report only accounts whose most recent logon on any DC is older than -Days (never-logged-on accounts count from their creation date)
$Cutoff = (Get-Date).AddDays(-$Days).ToFileTime()
$OutUsers | ? {$_.LastLogonInt -lt $Cutoff} | Sort LastLogonInt | Format-Table SamAccountName,Description,WhenCreated,LastLogon -AutoSize

The output of the report looks like this:

SamAccountName Description WhenCreated LastLogon
-------------- ----------- ----------- ---------
Admin Built-in account for admin... 7/28/2015 2:20:30 PM 2/3/2016 6:15 PM
mary.jane Service account for the Sy... 8/13/2016 10:48:12 AM Never
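As an added example (not from this post or from virtuallyjason's script), the following classifies enabled users as New, Never, Stale or Active from the replicated lastLogonTimestamp, so a single query against any DC is enough; the trade-off is that lastLogonTimestamp is only refreshed when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so it is accurate to about two weeks, whereas the per-DC LastLogon script above is exact. The search base and output path are assumptions, and accounts carrying a servicePrincipalName are flagged so service accounts are not disabled blindly.

```powershell
# Added example: stale-account triage from the replicated lastLogonTimestamp attribute.
param(
    [int]$Days       = 90,                          # staleness threshold in days
    [int]$GraceDays  = 14,                          # skip accounts newer than this (replication lag + onboarding)
    [string]$SearchBase = "dc=corp,dc=company,dc=com",   # assumption: same domain as the post
    [string]$Out        = "C:\StaleUsers.csv"            # assumption: output path
)
Import-Module ActiveDirectory

$now      = Get-Date
$staleCut = $now.AddDays(-$Days)
$graceCut = $now.AddDays(-$GraceDays)

$rows = Get-ADUser -Filter {Enabled -eq $true} -SearchBase $SearchBase -SearchScope Subtree `
            -Properties SamAccountName,Description,WhenCreated,lastLogonTimestamp,servicePrincipalName |
    ForEach-Object {
        # lastLogonTimestamp is an Int64 Windows file time; an unset value means no replicated logon ever
        $last = $null
        if ($_.lastLogonTimestamp) { $last = [DateTime]::FromFileTime($_.lastLogonTimestamp) }

        $state = if ($_.WhenCreated -gt $graceCut) { 'New' }      # too young to judge
                 elseif ($null -eq $last)           { 'Never' }    # never logged on anywhere
                 elseif ($last -lt $staleCut)       { 'Stale' }    # last logon older than -Days
                 else                               { 'Active' }

        $lastOut = 'Never'
        if ($last) { $lastOut = $last }

        [PSCustomObject]@{
            SamAccountName = $_.SamAccountName
            State          = $state
            WhenCreated    = $_.WhenCreated
            LastLogon      = $lastOut
            # an SPN usually marks a service account; review those by hand before disabling
            HasSPN         = ($_.servicePrincipalName.Count -gt 0)
            Description    = $_.Description
        }
    }

# Export only the candidates for review; print a per-state count as a summary
$rows | Where-Object { $_.State -in 'Never','Stale' } |
    Sort-Object State, WhenCreated |
    Export-Csv $Out -NoTypeInformation -Encoding UTF8
$rows | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
```

Run it as a review step and disable, rather than delete, the accounts it lists, so a wrongly flagged account can be re-enabled without losing its SID and group memberships.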
