Get last logon time,computer and username together with Powershell
Solution 1
This one might not be perfect but it will get you on the right track. To get the exact last user, please see this script. It will give you further information on how to filter the exact last user. In the below example, I have used, select-object -First 1 which should be a pretty good indicator of the last logged on user. To get the last logged on user, you need to use
Get-WmiObject -Class Win32_UserProfile
To 'join' the Get-ADComputer and Get-WMIObject information, I have used a Hash Table.
If you are running this from a Domain Administrator account, you can take the -credential $credential part out. Otherwise, leave it in and you can run it from a normal workstation with the RSAT tools installed so Get-ADComputer is available.
Code below:
$computers = Get-ADComputer -Filter { OperatingSystem -NotLike '*Server*' } -Properties OperatingSystem
$credential = Get-Credential -Message "Please enter your administrator username and password"
foreach($computer in $computers) {
$pcinfo = Get-ADComputer $computer.Name -Properties lastlogontimestamp | `
Select-Object @{Name="Computer";Expression={$_.Name}}, `
@{Name="Lastlogon";Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}
$lastuserlogoninfo = Get-WmiObject -Class Win32_UserProfile -ComputerName $computer.name -Credential $credential | Select-Object -First 1
$SecIdentifier = New-Object System.Security.Principal.SecurityIdentifier($lastuserlogoninfo.SID)
$username = $SecIdentifier.Translate([System.Security.Principal.NTAccount])
# Create hashtable for properties
$properties = @{'Computer'=$pcinfo.Computer;
'LastLogon'=$pcinfo.Lastlogon;
'User'=$username.value
} #end $properties
write-output (New-Object -Typename PSObject -Property $properties)
}
Check the formatting when you use it. Some of it I had to add in an escape (`) character to fit it into the script window.
Thanks, Tim.
Solution 2
Not to burst everyone's bubble, but the "LastUseTime" field under Win32_UserProfile is NOT last Login; it's simply the last timestamp the "Profile" was updated (for any reason). You will find ALL profiles updated periodically for various reasons--installers, policy updates, etc.
Also, the data is not ordered by default, so the "-First 1" argument is not useful unless the data is first sorted by "LastUseTime"--which again is worthless due to above.
I hate to say that the above scripts are not providing any useful data for "Last Logon".
Related videos on Youtube
Comments
-
Ruben.w over 1 year
I have a script which gets the last logon times of each computer in the domain.
My script:
$dcs = Get-ADComputer -Filter { OperatingSystem -NotLike '*Server*' } -Properties OperatingSystem foreach($dc in $dcs) { Get-ADComputer $dc.Name -Properties lastlogontimestamp | Select-Object @{n="Computer";e={$_.Name}}, @{Name="Lastlogon"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} }
==================================
Result:
Computer Lastlogon
-------- ---------
DC1 6/06/2013 16:38:24
DC2 6/06/2013 16:30:40=============================================
I also want to get who/which account made this logon. For example:
Computer Lastlogon User
-------- ------------------ ----
DC1 6/06/2013 16:38:24 user2
DC2 6/06/2013 16:30:40 user1 -
G-Man Says 'Reinstate Monica' over 6 yearsPlease check your code. Are there supposed to be back-ticks in it? Hint: use Code Sample formatting rather than Block Quote.
-
Frank over 6 yearsUpdated to code block
-
Timo over 4 yearsDoes not work, the
Expression
beforedatetime
is marked read in VS Code. -
Tim Haintz over 4 yearsThanks for pointing this out @Timo. Have updated with = . Should work now. Updating via mobile though so haven’t yet tested. Thanks, Tim.
-
Timo over 4 yearsMaybe one curly brace is too much:
lastLogonTimestamp)}}
. One curly brace would be enough? -
Timo over 4 yearsAnd: I am admin, so left the credential part out, but :
$username = $SecIdentifier.Translate([System.Security.Principal.N …
.Ausnahme beim Aufrufen von "Translate" mit 1 Argument(en): "Manche oder alle Identit�tsverweise konnten nicht �bersetzt werden."
. Sorry for the german, there seems a Problem withtranslate
. -
Tim Haintz over 4 yearsHi again @Timo I needed to add another curly brace just after the =. From docs.microsoft.com/en-us/powershell/module/… - Example 10 - uses calculated properties. Sorry for any hassle this has caused. Thanks, Tim.
-
Timo over 4 yearsNow I get
no constructor found
here:$SecIdentifier = New-Object System.Security.Principal.SecurityIdentifier($lastuserlogoninfo.SID)
.lastuserlogoninfo
is empty. And: Get-WmiObject : RPC-Server not available. In Baramundi (Software Management Tool, I see the last logged on user. So there must be a server. Thanks Tim