List users - name, SAMAccountname, Created, LastLogonTimeStamp and Enabled - Speed and elegant solution?

  • General discussion

  • An auditor asked for an AD listing with the following information:

    name, SAMAccountname, Created, LastLogonTimeStamp and Enabled

    I've created two options:

    Get-ADUser -Filter {ObjectClass -eq 'user'} -Properties SAMAccountname,Name,Enabled,LastLogonTimeStamp,Created | Select-Object SAMAccountname,Name,Enabled,@{Name="LastLogonTimeStamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd')}},created | export-csv outputfile.csv -notypeinformation

    Get-ADUser -Filter {ObjectClass -eq 'user'} -Properties SAMAccountname,Name,Enabled,LastLogonTimeStamp,Created | Select-Object SAMAccountname,Name,Enabled,@{Name="LastLogonTimeStamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd')}},created

    Are these the most "elegant" and/or most efficient commands?

    Are there simpler ways to grab the information?

    Does this suggested approach have a problem? Some performance or inefficiency problem?

    • Changed type Bill_Stewart Thursday, September 25, 2014 5:30 PM Discussion
    Monday, August 25, 2014 5:55 PM

All replies

  • To start with the first disclaimer.   "LastLogonTImeStamd" is pretty useless as it is not up to date.

    You don't specify user with Get-AdUser.  It only gets users.

    This is as close as you will get:

    Get-ADUser  -filter * -Properties LastLogonTimeStamp,Created |
       Select-Object SAMAccountname,
                     Name,
                     Enabled,
                     @{N='LastLogon';E={[datetime]::FromFileTime($_.LastLogonTimeStamp)}},
                     Created |
       export-csv outputfile.csv -notypeinformation

    Look in the repository for better, more detailed audit scripts.


    ¯\_(ツ)_/¯


    • Edited by jrv Monday, August 25, 2014 7:23 PM
    Monday, August 25, 2014 7:22 PM
  • "LastLogonTImeStamd" is pretty useless as it is not up to date.

    Correction. The lastlogonTimestamp attribute (not lastLogonTimeStamd) is far from useless if used correctly. One simply has to be aware of its purpose and limitations.


    -- Bill Stewart [Bill_Stewart]

    • Edited by Bill_Stewart Monday, August 25, 2014 7:54 PM Typo
    Monday, August 25, 2014 7:53 PM
  • Bill - try telling that to the auditors in some companies.  They only accept security log records.

    OK - not useless, just not what it is named.


    ¯\_(ツ)_/¯

    Monday, August 25, 2014 8:21 PM
  • My domain is a Win2008R2/Win2012R2 domain; therefore, the AD schema has the information to "centralize" the lastlogon timestamp.

    I know that some types of logins do not update the attribute, but in my environment it's OK (login, TS Web Gateway and VPN+RADIUS auth).

    I know that some information takes longer to replicate, and sometimes it is better to trust the information in the lastlogontimestamp attribute only after the whole replication cycle has finished (worst case, several hours or days).

    Which limitation are you talking about?

    Monday, August 25, 2014 8:39 PM
  • 14 (fourteen) days give or take.

    ¯\_(ツ)_/¯

    Monday, August 25, 2014 9:11 PM
  • I agree it is not tremendously useful for a security audit (and I never suggested it would be).

    The purpose of the attribute is to determine whether accounts are stale. For this purpose it is more than adequate.


    -- Bill Stewart [Bill_Stewart]

    Monday, August 25, 2014 9:17 PM
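
The stale-account use of lastLogonTimestamp discussed in this thread, as an added example that is not code from any participant. The 90-day threshold and the file name stale-users.csv are assumptions; the 14-day margin is the figure quoted above.

```powershell
# Added example: stale-account report built on lastLogonTimestamp.
# Assumptions (not from the thread): 90-day threshold, output file name.
Import-Module ActiveDirectory

$StaleAfterDays = 90   # assumed audit threshold
$SyncLagDays    = 14   # the attribute can trail the real logon by about this much
$Cutoff = (Get-Date).AddDays(-($StaleAfterDays + $SyncLagDays))

function Convert-LogonStamp {
    param($FileTime)
    # Accounts that never logged on have no value (or 0). FromFileTime would
    # turn that into a misleading date in 1601, so return $null instead.
    if (-not $FileTime) { return $null }
    [DateTime]::FromFileTime($FileTime)
}

Get-ADUser -Filter * -Properties LastLogonTimeStamp, Created |
    ForEach-Object {
        $last = Convert-LogonStamp $_.LastLogonTimeStamp
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Name           = $_.Name
            Enabled        = $_.Enabled
            Created        = $_.Created
            LastLogon      = $last
            # Stale only once the margin-adjusted cutoff has passed. A never-used
            # account is judged by its creation date instead.
            Stale          = if ($last) { $last -lt $Cutoff } else { $_.Created -lt $Cutoff }
        }
    } |
    Export-Csv stale-users.csv -NoTypeInformation
```

Widening the cutoff by the sync margin keeps recently active accounts from being flagged just because the replicated attribute has not caught up yet.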