If you like me sometimes get asked to clean up some stale AD accounts, then on of the easiest ways to do this is by finding out when people last logged and authenticated against a Domain Controller. Usually I take a stance of if the last logon date is more than a year ago, then the account can be safely disabled.
Rather than trying to re-invent the wheel, there is an awesome script which gets a list of all users within AD along with the last logon time stamp and exports it to CSV. You can find the script on the TechNet gallery page which is such a useful place to find any script like this, and is the first place I look for PowerShell scripts now: https://gallery.technet.microsoft.com/How-to-get-all-Active-832ca0c5
Here is the process:
- Download the file, and run it from a PC that has domain admin access
- Open PowerShell as admin
- CD to the folder where the script is
- Run: Import-Module .\GetAllADUsersLastLogonTime
- Now run: GetAllADUsersLastLogonTime -OutCsvFilePath “C:\Tools\Scripts\user-output.csv
Voila! You should now have a CSV export of all your users along with the relevant last logon timestamp.
P.S. Make sure that you document which accounts you are disabling just in case 😉