[updated with optimization from comment from JR]
Cleaning up Active Directory is a necessary evil. You need to stay under your CAL count and it can be difficult to figure out which computers (or users) have not logged in to the domain recently.
Windows Server 2003 introduced the lastLogonTimestamp attribute which replicates between all DCs in the domain. Now, this isn’t real-time data. In fact it can be up to 14 days behind the current date, depending on your domain settings. If you want that, you’re going to have to get yourself a good syslog server, but for general cleanup and auditing purposes it works great. You can read more about this attribute on Microsoft’s TechNet Blog.
I’ve written a couple very simple PowerShell scripts that will 1) search the entire domain for all computers with a lastLogonTimestamp before a certain date 2) return a computer’s lastLogonTimestamp value in a human readable local format. It’s not so easy to just go out and get the time stamp, because the format that AD stores it UTC (GMT) format, so it needs some converting to human readable, which my scripts do.
get_lastLogonTimestamp_from_host.ps1
# Gets host and lastLogonTimestamp in UTC of specified host # get Name $hostname = Read-host "Enter a hostname" # grab the lastLogonTimestamp attribute Get-ADComputer $hostname -Properties lastlogontimestamp | # output hostname and timestamp in human readable format Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}
———————————————————–
get_stale_hosts_lastLogonTimestamp.ps1
# Gets time stamps for all computers in the domain that have NOT logged in since after specified date $time = Read-host "Enter a date in format mm/dd/yyyy" $time = get-date ($time) $date = get-date ($time) -UFormat %d.%m.%y # Get all AD computers with lastLogonTimestamp less than our time Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | # Output hostname and lastLogonTimestamp into CSV select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | export-csv .all_old_computers_timestamps_older_than-$time.csv -notypeinformation
These are two scripts that I use pretty often when I’m trying to determine if I should disable/delete computer accounts in AD. Hope it helps someone else.