LDAP Query for Pulling lastLogonTimestamp and dateCreated attributes from AD User Account

itsmevic asked
I have the below simple LDAP query that basically goes out and looks for user account UPNs that begin with the letters "gp." Out of the "gp" accounts that it finds, it only pulls active accounts and omits the disabled ones. What I'd like to do is add to the below LDAP query the syntax that will pull the lastLogonTimestamp and the dateCreated attributes as well. Is this possible? Just not having much luck doing this in ADFIND or DSQUERY.

Top Expert 2013

The query itself won't pull any fields; you can, however, look for accounts created on a certain day, for instance.

Scott has good examples here using adfind: http://blog.scottlowe.org/2006/10/11/finding-recently-created-active-directory-accounts/

The other question I'm helping with will help with pulling the attributes.




Hi Mike,

    Yeah, I just simply need to query and pull ACTIVE user accounts that begin with the letters "gp." These are the attributes that I'm needing the query to pull.

1.)  sAMAccountName
2.)  displayName
3.)  UPN
4.)  DN Path
5.)  Creation Date
6.)  Last logon Timestamp

    That's basically it.  It seems as if it's been a bit of a journey just trying to properly pull the above criteria out of ADFind or DSQuery or LDAP.  So I just need the proper syntax to add to the below query pulling the attributes in that list above.

I think you will be able to do what you're looking for using the Quest Active Directory PowerShell cmdlets.

I'm actually pretty impressed that I was able to get this. I'm just learning PowerShell, so hopefully someone didn't beat me to this.

DL the cmdlets here

get-qaduser -ldapfilter "(&(objectClass=user)(objectCategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(userPrincipalName=gp*))" -includeallproperties | format-list samaccountname,displayname,userprincipalname,dn,createtimestamp

Code should actually include one more property. Use this one instead.

get-qaduser -ldapfilter "(&(objectClass=user)(objectCategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(userPrincipalName=gp*))" -includeallproperties | format-list samaccountname,displayname,userprincipalname,dn,createtimestamp,lastlogontimestamp

Top Expert 2013
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!userAccountControl:AND:=2)(userPrincipalName=gp*)" samaccountname userprincipalname displayname lastlogontimestamp whencreated -csv -tdca > c:\UsersExport.csv

Not sure if the Quest cmdlets will decode like Joe does, but the Quest tools are great too.


Mkline: the quest tool does decode the data pretty nicely.

It always seems like I run into you in the AD/LDAP postings. Whenever I see one I'm like, gotta get it before Mkline does, lol, 'cause I know you're usually on them pretty quick.
Top Expert 2013

Yeah it is usually one of us or Chris Dent or Pre (forget the rest of his name).

By the way, a funny note about the Quest cmdlets... I met the creator of them (Dmitri) at the MVP Summit and told him he should get the MVP for life for creating them, just like Joe Richards should get for creating adfind and all his tools.

yes I'm a dork :)
Chris Dent, PowerShell Developer
Top Expert 2010


Hey guys :)

This is for xxdcmast really, and not intended as a criticism, only with the hope it helps on the PS learning journey :)

With Get-QADUser, objectClass and objectCategory filters are automatically added, any filter you define is combined with a default filter set.

Filtering for enabled / disabled is possible with the -Enabled or -Disabled parameters. And UserPrincipalName can be defined with the parameter rather than a filter. Which takes us to:

Get-QADUser -Enabled -UserPrincipalName "gp*" -IncludedProperties lastLogonTimeStamp |
  Select-Object SamAccountName, DisplayName, UserPrincipalName, DN, CreateTimeStamp, LastLogonTimeStamp

All the best,

Believe it or not, your post actually just helped me out a TON. I never knew about the select-object command before now. I'm a big fan of the dsquery | dsget type commands and now you just basically gave me a much more powerful version in PowerShell. When I was making that script I kept saying "why don't they just have something like dsget in PowerShell" and now I know they do.

DS tools will probably still be my go-to for AD stuff, but this is awesome when I need to retrieve stuff DSget won't let me.



Thanks guys, great input as always!
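
The same report without Quest or adfind, as an added example that is not code from any poster in this thread: it runs the thread's LDAP filter through .NET's DirectorySearcher, requests only the six attributes asked for, and decodes lastLogonTimestamp itself. The helper function names and the output path are assumptions made for illustration, and the script expects a domain-joined Windows host.

```powershell
# Added example (not from the thread). Uses only System.DirectoryServices,
# so no Quest or RSAT module is required. Output path is a placeholder.

# Enabled users only: the bitwise-AND matching rule tests bit 2 (ACCOUNTDISABLE)
# of userAccountControl, and the NOT keeps accounts where that bit is clear.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          '(userPrincipalName=gp*))'
$attrs  = 'sAMAccountName', 'displayName', 'userPrincipalName',
          'distinguishedName', 'whenCreated', 'lastLogonTimestamp'

function Get-FirstValue($Values) {
    # An attribute that is not set comes back as $null, not an empty collection.
    if ($null -ne $Values -and $Values.Count -gt 0) { $Values[0] }
}

function ConvertFrom-FileTime($Value) {
    # lastLogonTimestamp is a 64-bit FILETIME: 100 ns ticks since 1601-01-01 UTC.
    # Missing or 0 means no logon has been recorded for the account.
    if ($null -eq $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

$searcher = [adsisearcher]$filter      # binds to the current domain
$searcher.PageSize = 1000              # page results so large domains are not truncated
$searcher.PropertiesToLoad.AddRange([string[]]$attrs)

$results = $searcher.FindAll()
try {
    $rows = foreach ($r in $results) {
        $p = $r.Properties             # keys are lower-cased attribute names
        [pscustomobject]@{
            SamAccountName     = Get-FirstValue $p['samaccountname']
            DisplayName        = Get-FirstValue $p['displayname']
            UserPrincipalName  = Get-FirstValue $p['userprincipalname']
            DistinguishedName  = Get-FirstValue $p['distinguishedname']
            WhenCreated        = Get-FirstValue $p['whencreated']
            LastLogonTimestamp = ConvertFrom-FileTime (Get-FirstValue $p['lastlogontimestamp'])
        }
    }
    $rows | Export-Csv -Path .\gp-users.csv -NoTypeInformation
}
finally {
    $results.Dispose()                 # FindAll() holds unmanaged resources
}
```

lastLogonTimestamp is replicated between domain controllers, but by default it is only rewritten when the stored value is roughly 9 to 14 days old, so treat it as an approximate "last seen" date rather than an exact logon time.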