last time an AD user has logged in?
I've noticed that we have in Active Directory more users than the company has actual employees.
Is there a simple way to check multiple Active Directory accounts and see if there are any accounts that have not been used for a while? This should help me determine whether some accounts should be disabled or deleted.
Solution 1:
O'Reilly's Active Directory Cookbook gives an explanation in chapter 6:
6.28.1 Problem: You want to determine which users have not logged on recently.
6.28.2 Solution
6.28.2.1 Using a graphical user interface
- Open the Active Directory Users and Computers snap-in.
- In the left pane, right-click on the domain and select Find.
- Beside Find, select Common Queries.
- Select the number of days beside Days since last logon.
- Click the Find Now button.
6.28.2.2 Using a command-line interface
dsquery user -inactive <NumWeeks>
To get more information, see recipe 6.28.
Solution 2:
This script originated from http://synjunkie.blogspot.com/2008/08/powershell-finding-unused-ad-accounts.html ; this URL no longer works as of Dec 7 2015. You can output this info to a CSV file, which you can view/filter in Excel.
get-qaduser * -sizelimit 0 | select -property name,accountexpires,pass*,accountisdisabled,lastlog*,canonicalname | export-csv -path d:\Passwords.csv
Solution 3:
It's worth noting that the last logon time stored on each domain controller isn't replicated between domain controllers; there are in fact two attributes that store the last logon time, and one is replicated, but only every 14 days (I think). If an accurate time is important to you, I would use a third-party tool that queries each domain controller (we have 90!). We've used a tool called True Last Logon, and I can recommend it.
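The three answers above describe the same job from different angles: Solution 1 asks for accounts idle for N weeks, Solution 2 exports the relevant attributes to CSV (with the Quest cmdlets, which many sites no longer have), and Solution 3 warns that lastLogon is per-DC and only lastLogonTimestamp replicates. The script below is an added example, not code from any of the answers or from the book, that does all three with the RSAT ActiveDirectory module: it reads the replicated lastLogonTimestamp, then asks every domain controller for its local lastLogon and keeps the most recent value, flags accounts idle past a threshold, and writes the report to CSV. The 90-day threshold and the output path are assumptions you would change.

```powershell
# Added example (not from the original answers): find stale AD user accounts by
# combining the replicated lastLogonTimestamp with the non-replicated lastLogon
# value read from every domain controller. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveDays = 90                        # assumption: threshold chosen by the admin
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$OutputPath   = 'C:\Temp\StaleUsers.csv'  # assumption: where the report is written

# lastLogon lives only on the DC that authenticated the user, so every DC is asked.
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# lastLogonTimestamp does replicate, but by default it is only rewritten when the
# stored value is more than 14 days old, so it can lag the true last logon by that much.
$Users = Get-ADUser -Filter * -Properties lastLogonTimestamp, whenCreated, `
    PasswordLastSet, AccountExpirationDate, CanonicalName

$Report = foreach ($User in $Users) {
    $LastLogon = [DateTime]::MinValue

    foreach ($DC in $DCs) {
        try {
            $Raw = (Get-ADUser -Identity $User.DistinguishedName -Server $DC -Properties lastLogon).lastLogon
            if ($Raw -and $Raw -gt 0) {
                $Candidate = [DateTime]::FromFileTime($Raw)
                if ($Candidate -gt $LastLogon) { $LastLogon = $Candidate }
            }
        } catch {
            # An unreachable DC should not abort the whole report; note it and move on.
            Write-Warning "Could not query $DC for $($User.SamAccountName): $_"
        }
    }

    # Fall back to the replicated value; it may be newer if the authenticating DC was unreachable.
    if ($User.lastLogonTimestamp) {
        $Replicated = [DateTime]::FromFileTime($User.lastLogonTimestamp)
        if ($Replicated -gt $LastLogon) { $LastLogon = $Replicated }
    }

    $NeverLoggedOn = ($LastLogon -eq [DateTime]::MinValue)
    # An account that never logged on counts as stale only once it is older than the cutoff,
    # otherwise freshly created accounts would be flagged immediately.
    if ($NeverLoggedOn) {
        $Stale      = $User.whenCreated -lt $Cutoff
        $LastLogon  = $null
    } else {
        $Stale      = $LastLogon -lt $Cutoff
    }

    [PSCustomObject]@{
        SamAccountName        = $User.SamAccountName
        Enabled               = $User.Enabled
        Created               = $User.whenCreated
        PasswordLastSet       = $User.PasswordLastSet
        AccountExpirationDate = $User.AccountExpirationDate
        LastLogon             = $LastLogon
        Stale                 = $Stale
        CanonicalName         = $User.CanonicalName
    }
}

# Full report to CSV for review in Excel; stale accounts summarised on screen.
$Report | Sort-Object LastLogon | Export-Csv -Path $OutputPath -NoTypeInformation
$Report | Where-Object Stale | Format-Table SamAccountName, Enabled, LastLogon, Created -AutoSize
```

Querying every DC for every user is users x DCs LDAP reads, so on a domain with 90 DCs run it once against a filtered set (for example only enabled users, or only those whose lastLogonTimestamp is already past the cutoff) rather than against every account. Review the Stale column before disabling anything: service accounts and accounts used only for scheduled tasks or certificate mapping can show no interactive logon for months and still be in use.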