PowerShell Active Directory: Get last logon date of a deleted user

  • Question

  • So, my first post in this noble community. I've been lurking here and I've been getting some good information. Hopefully, you guys can help me in this concern which may be simple to some but I couldn't seem to get around it.

    Is it possible to get the last logon date of a DELETED user in Active Directory?

    I can get the available properties of deleted users using the following:

    Get-ADObject -Filter {samaccountname -eq <account_name> -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties *

    But the last logon date is not one of the properties available from Get-ADObject. Get-ADUser has the last logon property, but it does not have data on deleted users. Is there any way this can be achieved? Perhaps convert an ADObject to an ADUser?

    Any information would be much appreciated. Thank you.

    Monday, June 30, 2014 8:46 PM

Answers

  • I spent some time redoing my test.  It appears that I may have pulled the wrong objects.

    The deleted objects do not expose the missing information.  A great deal of info is hidden and much is not saved.

    If you need this information it is likely that you will have to grab it and save it before you delete the objects.

    Perhaps posting in the DirectoryServices forum will help find a work-around.


    ¯\_(ツ)_/¯

    Tuesday, July 1, 2014 9:30 PM

All replies

  • It is called "LastLogon" and it is saved as a LargeInteger and has to be converted.

    ¯\_(ツ)_/¯

    Monday, June 30, 2014 9:17 PM
  • Thank you for your response.

    Unfortunately, Get-ADObject does not return anything in the LastLogon property. This works well with Get-ADUser, but Get-ADObject does not return anything for all the deleted users I queried.

    Get-ADObject -Filter {samaccountname -eq <account_name> -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties LastLogon --> returns nothing in the 'LastLogon' property.

    Does it imply this field is always null when querying a deleted user? Or is there any other way?

    Monday, June 30, 2014 10:45 PM
  • $dn=(Get-ADObject -Filter {samaccountname -eq <account_name>} ).DistinguishedName

    $user=[adsi]"LDAP://$dn"

    $user.LastLogon

    SamAccountName is unique.  No need for objectclass.


    ¯\_(ツ)_/¯



    Monday, June 30, 2014 10:55 PM
  • It appears that you are correct in that there is not a LastLogon property when you use Get-ADObject. You can see what is available by returning all the properties and selecting all the properties.

    Get-ADObject -Filter {samaccountname -eq <account_name> -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties * | Select-Object *

    I noticed that in my results, that the filter did not honor the ObjectClass property. If you find the same thing, then you may need to pipe to the Where-Object cmdlet to filter on objectClass.

    Get-ADObject -Filter {samaccountname -eq <account_name>} -IncludeDeletedObjects -Properties * | Where-Object {$_.objectClass -eq 'user'} | Select-Object *

    Like you asked about, yes, you can pipe this to a user cmdlet, specifically the Get-ADUser cmdlet. Play around with this until you get what you're after.

    Get-ADObject -Filter * | Where-Object {$_.ObjectClass -eq 'user'} | select -First 10 | Get-ADUser -Properties * | select Name,Last*

    Monday, June 30, 2014 11:01 PM
  • The LastLogon property is per DC, and not replicated.  Each DC updates that value in its own database when the user logs on using that DC.  If the user has never logged on from a particular DC, that value will be null.

    Normally to find the last logon for a user you have to find the LastLogon for that user from every DC, and use the newest one.  


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Monday, June 30, 2014 11:02 PM
    Moderator
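The per-DC behaviour described in the reply above, combined with the marked answer's advice to grab the value before the object is deleted, as an added example that is not code from the thread. It assumes the RSAT ActiveDirectory module, read access to every DC, and a writable audit path; the function names and the `C:\Audit\deleted-users.csv` path are my own and hypothetical.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module, read access to every DC, and a writable audit path (all assumptions).
Import-Module ActiveDirectory

function Get-AccountLastLogon {
    # lastLogon is written only on the DC that authenticated the user and is
    # never replicated, so every DC must be asked and the newest value kept.
    # lastLogonTimestamp is replicated but only refreshed when older than
    # msDS-LogonTimeSyncInterval (14 days by default), so it is a floor, not
    # the exact time.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $newest     = [int64]0
    $replicated = [int64]0
    $perDc      = [ordered]@{}
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An unreachable DC means an unknown value, not "never logged on here".
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            $perDc[$dc.HostName] = 'unreachable'
            continue
        }
        $local = [int64]$u.lastLogon          # $null casts to 0: never authenticated on this DC
        $perDc[$dc.HostName] = if ($local) { [DateTime]::FromFileTime($local) } else { $null }
        if ($local -gt $newest) { $newest = $local }
        if ([int64]$u.lastLogonTimestamp -gt $replicated) { $replicated = [int64]$u.lastLogonTimestamp }
    }
    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        LastLogon          = if ($newest)     { [DateTime]::FromFileTime($newest) }     else { $null }
        LastLogonTimestamp = if ($replicated) { [DateTime]::FromFileTime($replicated) } else { $null }
        PerDC              = $perDc
    }
}

function Remove-ADUserWithAudit {
    # Records what the tombstone will not keep, then deletes. -WhatIf skips both.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$AuditLog = 'C:\Audit\deleted-users.csv'    # hypothetical path
    )
    $u  = Get-ADUser -Identity $SamAccountName -Properties whenCreated, memberOf
    $ll = Get-AccountLastLogon -SamAccountName $SamAccountName
    [pscustomobject]@{
        DeletedAt          = (Get-Date).ToString('o')
        DeletedBy          = "$env:USERDOMAIN\$env:USERNAME"
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        ObjectGUID         = $u.ObjectGUID          # reappears in the tombstone DN (\0ADEL:<guid>)
        SID                = $u.SID.Value
        WhenCreated        = $u.whenCreated
        LastLogon          = $ll.LastLogon
        LastLogonTimestamp = $ll.LastLogonTimestamp
        MemberOf           = ($u.memberOf -join ';')
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Remove-ADUser')) {
        Remove-ADUser -Identity $u.DistinguishedName -Confirm:$false
    }
}

# Usage (dry run first):
# Get-AccountLastLogon -SamAccountName jdoe | Format-List
# Remove-ADUserWithAudit -SamAccountName jdoe -WhatIf
```

The audit row keeps objectGUID and SID on purpose: the tombstone's DN carries the GUID (`CN=...\0ADEL:<guid>`), so a later investigator can tie a deleted object back to this record even after the name has been reused. The PerDC table is worth keeping too, because a single "newest" value hides which DC saw the last authentication.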
  • Everybody is missing the main issue.

    Deleted user objects do not retain extended AD attributes like LastLogonTimestamp or LastLogonDate.

    The lastlogon is all that is available on a deleted user object.  It is an Integer8 time.  It is likely meaningless if the object archived is returned from the wrong DC.

    The only way to retrieve this is with [adsi].  Get-AdUser cannot return deleted objects.

    Everyone - if you search by SamAccountName then objectclass is unnecessary.  SamAccountName is unique across all objects in a domain.  Only account objects have this attribute. Forget about playing with objectclass.

    1. Get the deleted object
    2. Get the distinguishedName
    3. use DN with [adsi] to return the raw object.

    Get-AdObject cannot return these attributes nor can Get-AdUser


    ¯\_(ツ)_/¯

    Monday, June 30, 2014 11:25 PM
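The three-step procedure above, as an added example that is not code from the thread. It uses System.DirectoryServices directly, as proposed, but goes through DirectorySearcher with its Tombstone property set so that the server returns entries under CN=Deleted Objects; a plain `[adsi]"LDAP://$dn"` bind to a `CN=...\0ADEL:<guid>` DN does not send that LDAP control and fails with "There is no such object on the server". It queries every DC because lastLogon is not replicated. It assumes the ActiveDirectory module (used only to enumerate DCs) and read rights on the Deleted Objects container; the function names are my own.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (only for Get-ADDomain / Get-ADDomainController) and read rights on
# CN=Deleted Objects. Function names are hypothetical.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a SAM name taken from input cannot alter the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-DeletedUserLastLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $filter   = "(&(isDeleted=TRUE)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # Bind the search root on this specific DC: lastLogon differs per DC.
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.HostName)/$domainDn")
        $s    = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
        $s.Tombstone   = $true        # sends the Show Deleted Objects control (1.2.840.113556.1.4.417)
        $s.SearchScope = 'Subtree'
        [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'lastlogon', 'lastlogontimestamp', 'whenchanged'))

        $results = $s.FindAll()
        try {
            foreach ($r in $results) {
                # Missing attributes come back as an empty value collection, so
                # .Count distinguishes "attribute not kept" from "bind failed".
                $p = $r.Properties
                [pscustomobject]@{
                    DC                 = $dc.HostName
                    DistinguishedName  = [string]$p['distinguishedname'][0]
                    LastLogon          = if ($p['lastlogon'].Count)          { [DateTime]::FromFileTime([int64]$p['lastlogon'][0]) }          else { $null }
                    LastLogonTimestamp = if ($p['lastlogontimestamp'].Count) { [DateTime]::FromFileTime([int64]$p['lastlogontimestamp'][0]) } else { $null }
                    WhenChanged        = if ($p['whenchanged'].Count)        { [DateTime]$p['whenchanged'][0] }                                else { $null }
                }
            }
        } finally {
            $results.Dispose()
            $s.Dispose()
            $root.Dispose()
        }
    }
}

# Usage:
# Get-DeletedUserLastLogon -SamAccountName jdoe | Format-Table -AutoSize
```

One row is returned per DC that still holds the tombstone. An empty LastLogon on every row means the attribute was not preserved on the deleted object, which is the outcome the marked answer reports; a row that is missing altogether means that DC has not yet replicated the deletion or has already garbage-collected the tombstone.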
  • Thanks everyone for your response. It looks like jrv is leading me to the right path, but I'm still having issues. I'm trying to get the lastlogon time by querying all the DCs in our domain, but every query returns a null lastlogon time for all the deleted users I tried:

    # Enumerate every DC in the forest, then ask each one for the deleted object
    $DomainControllers = ((Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ }).Name
    foreach ($DC in $DomainControllers)
    {
        # DN of the deleted object as seen by this DC
        $dn=(Get-ADObject -Filter {samaccountname -eq <user_account>} -includedeletedobjects -server $DC).DistinguishedName
        # Bind to the raw object and read the non-replicated lastLogon
        $user=[adsi]"LDAP://$dn"
        $user.LastLogon
    }

    It always returns null. Moreover, simply executing [adsi]"LDAP://$dn" from each DC gives the following error:

    format-default : The following exception occurred while retrieving member "distinguishedName": "There is no such object on the server."
        + CategoryInfo          : NotSpecified: (:) [format-default], ExtendedTypeSystemException
        + FullyQualifiedErrorId : CatchFromBaseGetMember,Microsoft.PowerShell.Commands.FormatDefaultCommand

    It's a bit surprising to me though, since $user=[adsi]"LDAP://$dn" does return a value for $user (instead of null whenever an error is encountered) of type System.DirectoryServices.DirectoryEntry but it has no members.

    Anyone know what I'm missing?

    Tuesday, July 1, 2014 2:50 PM
  • It is entirely likely that the user does not exist.

    if($dn=(Get-ADObject -Filter {samaccountname -eq <user_account>} -includedeletedobjects -server $DC).DistinguishedName){
         $user=[adsi]"LDAP://$dn"
         $user.LastLogon
    }else{
        Write-Host 'User not found' -fore red
    }
    

    Just return the object and inspect the properties

    Get-ADObject -Filter {samaccountname -eq <user_account>} -includedeletedobjects |gm


    ¯\_(ツ)_/¯

    Tuesday, July 1, 2014 2:55 PM
  • Thanks again for the help.

    Unfortunately, the user does exist (albeit deleted). I've been using these users as test subjects and I can get the distinguished names. It's the following line that fails:

    [adsi]"LDAP://$dn"

    with the format-default error stated above even though I have the valid DN from Get-ADObject.

    Sample DN I get:

    CN=<user_first_last_name>\0ADEL:a96a0ad9-074d-4a4e-aa50-804f04d0dc6a,CN=Deleted Objects,DC=<DOM_2>,DC=<DOM_1>,DC=com

    Maybe an LDAP query just can't return from deleted objects?

    By the way, the Get-ADObject does return an object of type Microsoft.ActiveDirectory.Management.ADObject

    Tuesday, July 1, 2014 8:05 PM
  • I have no problems with it.  Something else is wrong and we cannot probably help.

    ¯\_(ツ)_/¯

    Tuesday, July 1, 2014 8:21 PM
  • Just a thought - can a deleted user be undeleted? If so, might it help to do that and then examine the undeleted user object?


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    Tuesday, July 1, 2014 8:38 PM
  • there is no reason why the DN will not return the object except if the user has incomplete access to the object/container.

    To undelete: http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx


    ¯\_(ツ)_/¯

    Tuesday, July 1, 2014 8:52 PM
  • I can restore/undelete the user but this does not restore most if not all of the extended properties. This would most likely not include the last logon time. But either way, I need this solution moving forward for future accounts that would be deleted for auditing purposes, and not to query historical information on some users.

    I'm pretty sure I'm using a superadmin AD account with Domain Admin, Enterprise Admin, and Schema Admin rights so I should have all the rights I need.

    Maybe it is an issue isolated in our environment. I'll look deeper into this but hopefully someone can point out the missing piece.

    Thanks all for your help.

    Tuesday, July 1, 2014 9:02 PM