Figuring out the last time a user logged into an AD domain

When tasked with figuring out the last time a user logged on into an Active Directory domain, some people might be awfully tempted to just look at lastLogonTimestamp attribute of a user’s AD account and then call it a day. This approach has a multitude of gotchas:

  • lastLogonTimestamp does get synced across DCs, but only if the entry is more than 14 days old
  • It can get updated even when the user has NOT logged on (Kerberos S4U)
  • It can fail to get updated even when the user HAS logged in (seen with some VPN solutions)
  • Probably something else I haven’t yet run into

So the appropriate solution that is less prone to error is to look at the lastLogon value for the account and you have to look it up on all DCs active in the domain. Since individually querying each and every one can and does get tedious, here’s a Powershell one-liner:

[datetime]::FromFileTime((Get-ADDomainController -Filter * | foreach {Get-ADUser USERNAME -Properties LastLogon -Server $_.Name | select LastLogon} | Measure-Object -Property LastLogon -Maximum).Maximum)