Introduction

In the first posting of this series, we explored the basic process for generating AD metrics and saving them to a file. In the second posting, we explored generating somewhat more complex metrics. In this third posting, we will extract and categorize AD account last logons using the simplest approach.

Obtaining user account last logons provides immediate business value to system administrators, management and customers, as they show infrastructure usage. Capturing and archiving these values supports trending analysis and more accurate budget planning.

The AD account attribute that will be used is LastLogonDate. This attribute is a conversion of the LastLogonTimeStamp long integer value into a friendly time format that is formatted according to your local time zone and settings. By default, the LastLogonTimeStamp attribute is replicated among the domain controllers every 9 to 14 days, so LastLogonDate is only as current as that replication.

LastLogon Metrics

Here is the script to be added. Let's look at the first metric: users who have logged in within the past 365 days.

# This line gets the number of enabled user accounts that
# have logged in within the past 365 days.  This time, we
# filter the array using a time value, which is obtained
# by subtracting 365 from the variable holding the time
# value obtained at the start of this script.
$365Days = $DateTime.AddDays(-365)
[array]$LastLogon365EnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $365Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 365 days: " + $LastLogon365EnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

It follows the same general approach used previously. Repeat this approach for the other date categories, including: 180, 90, 45, and 30 days.

$180Days = $DateTime.AddDays(-180)
[array]$LastLogon180DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $180Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 180 days: " + $LastLogon180DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
 
$90Days = $DateTime.AddDays(-90)
[array]$LastLogon90DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $90Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 90 days: " + $LastLogon90DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
 
$45Days = $DateTime.AddDays(-45)
[array]$LastLogon45DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $45Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 45 days: " + $LastLogon45DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
 
$30Days = $DateTime.AddDays(-30)
[array]$LastLogon30DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $30Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 30 days: " + $LastLogon30DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
 
$15Days = $DateTime.AddDays(-15)
[array]$LastLogon15DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $15Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 15 days: " + $LastLogon15DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
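
The repeated blocks above can be driven by one loop. The following is an added example, not part of the original script: it runs offline on constructed sample accounts, and the names `$RawAccounts` and `Get-LastLogonWindowCounts` are hypothetical. It goes one step beyond the script by also counting accounts with no recorded logon, which the `-ge` filter excludes from every window.

```powershell
# Added example; the sample accounts below are constructed, not directory output.
$DateTime = Get-Date

# Constructed raw records. LastLogonTimeStamp is a Windows FILETIME (100 ns
# intervals since 1601-01-01 UTC) and is empty for an account that never logged on.
$RawAccounts = @(
    [pscustomobject]@{ SamAccountName = 'alice'; LastLogonTimeStamp = $DateTime.AddDays(-3).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'bob';   LastLogonTimeStamp = $DateTime.AddDays(-40).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'carol'; LastLogonTimeStamp = $DateTime.AddDays(-200).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'dave';  LastLogonTimeStamp = $DateTime.AddDays(-400).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'erin';  LastLogonTimeStamp = $null }
)

# Mirror the LastLogonDate conversion: FILETIME -> local DateTime, or $null.
[array]$AllEnabledUserAccounts = foreach ($Account in $RawAccounts) {
    $LastLogonDate = $null
    if ($Account.LastLogonTimeStamp) {
        $LastLogonDate = [DateTime]::FromFileTime($Account.LastLogonTimeStamp)
    }
    [pscustomobject]@{ SamAccountName = $Account.SamAccountName; LastLogonDate = $LastLogonDate }
}

# Hypothetical helper: one pass per window instead of one copied block per window.
function Get-LastLogonWindowCounts {
    param([array]$Accounts, [datetime]$AsOf, [int[]]$Windows)
    foreach ($Days in $Windows) {
        $Cutoff = $AsOf.AddDays(-$Days)
        [array]$Recent = $Accounts | Where-Object { $_.LastLogonDate -ge $Cutoff }
        [pscustomobject]@{ Days = $Days; Count = $Recent.Count }
    }
}

$Counts = Get-LastLogonWindowCounts -Accounts $AllEnabledUserAccounts -AsOf $DateTime -Windows 365, 180, 90, 45, 30, 15
foreach ($Row in $Counts) {
    "Total number of enabled users who have logged in within the past $($Row.Days) days: $($Row.Count)"
}

# A $null LastLogonDate fails every -ge comparison, so never-logged-on accounts
# drop out of all windows without any error. Count them separately.
[array]$NeverLoggedOn = $AllEnabledUserAccounts | Where-Object { -not $_.LastLogonDate }
"Total number of enabled users with no recorded logon: " + $NeverLoggedOn.Count
```

To write the lines to the metrics file instead of the console, pass each string to Add-Content $FilePathString as the script above does.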

Summary

This posting, the third in this series, has presented a script for extracting additional Active Directory user account metrics. It uses the LastLogonDate attribute. The default replication frequency determines the default window of accuracy of LastLogonDate. The default replication frequency works out to be approximately 9-14 days. This accuracy is good enough for time windows of 30, 60, 90 days, and so on, but is insufficiently accurate when seeking time windows of 1, 2, or 7 days. In a later posting, we'll explore how to improve this accuracy and thus obtain more immediate usage metrics.
