LindyS
asked on
Help with a powershell script to retrieve lastlogon from all DCs
I have a script that currently queries all of our DCs, for the lastlogon of a user. I have to query all DCs because this field isn't replicated between DCs.
LastLogonTimestamp is replicated, but it doesn't meet our needs, because it is usually different from any of the last logons, sometimes by a week.
The commands I use are;
get-QADUser 'username' -Service dc01 | Select-Object Name,lastlogon
get-QADUser 'username' -Service dc02 | Select-Object Name,lastlogon
get-QADUser 'username' -Service dc03 | Select-Object Name,lastlogon
get-QADUser 'username' -Service dc04 | Select-Object Name,lastlogon
get-QADUser 'username' -Service dc05 | Select-Object Name,lastlogon
Is there any better way to query the DCs for the same information? Also, it would be great if it only returned the most recent from all.
Thanks
Sorry for a typo. The first line should be: $lastlogon=(get-date).AddYears(-100)
ASKER
It almost works, but I get the following error for all 5 DCs.
Get-QADUser : Server not exist or could not be contacted: Domain\DC01$
At C:\users\scripts\test.ps1:17 char:21
+ $tempd=(get-QADUser <<<< 'username' -Service $dc | Select-Object Name,lastlogon)
+ CategoryInfo : NotSpecified: (:) [Get-QADUser], ServerNotOperationalException
+ FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ServerNotOperationalException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetUserCmdlet
ASKER
Working with what gtworek provided, I have come up with;
$dcs = Get-Content "C:\temp\serverlist.txt"
foreach($dc in $dcs){ get-QADUser 'username' -Service $dc | Select-Object Name,lastlogon}
It was taking way too long to query all of the computers looking for domain controllers. By putting them in a text file it sped the query a lot.
Any ideas on how to return only the most recent lastlogon?
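Added example, not part of the original thread: one way to reduce the per-DC results above to the single most recent lastLogon while skipping any DC that cannot be contacted. It assumes the Quest ActiveRoles snap-in and the C:\temp\serverlist.txt file from the post; the function name Get-LatestLastLogon is hypothetical.

```powershell
# Added example (not from the thread). Assumes the Quest ActiveRoles snap-in
# is loaded and C:\temp\serverlist.txt holds one DC name per line.
# Get-LatestLastLogon is a hypothetical helper name.

function Get-LatestLastLogon {
    param(
        [Parameter(Mandatory = $true)] [string]   $UserName,
        [Parameter(Mandatory = $true)] [string[]] $DomainControllers
    )

    $results = foreach ($dc in $DomainControllers) {
        try {
            # -ErrorAction Stop makes "Server not exist or could not be
            # contacted" catchable, so one bad DC name does not abort the run.
            $user = Get-QADUser $UserName -Service $dc -ErrorAction Stop
        }
        catch {
            Write-Warning "Skipping ${dc}: $($_.Exception.Message)"
            continue
        }

        # No value means this DC never authenticated the account.
        if ($null -eq $user -or $null -eq $user.LastLogon) { continue }

        # Accept either a DateTime or a raw FILETIME integer.
        $when = if ($user.LastLogon -is [datetime]) { $user.LastLogon }
                else { [datetime]::FromFileTime([int64]$user.LastLogon) }

        New-Object PSObject -Property @{
            Name      = $user.Name
            DC        = $dc
            LastLogon = $when
        }
    }

    # lastLogon is not replicated, so the real value is the maximum over all DCs.
    $results | Sort-Object LastLogon -Descending | Select-Object -First 1
}

# Ignore blank lines in the server list.
$dcs = Get-Content 'C:\temp\serverlist.txt' | Where-Object { $_.Trim() }
Get-LatestLastLogon -UserName 'username' -DomainControllers $dcs |
    Select-Object Name, DC, LastLogon
```

No output means no reachable DC has recorded a logon for the account; the warnings list any DC that was skipped, and a skipped DC may hold a more recent value.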
You'd be better off getting the "LastLogonTimestamp" and just using the info from one DC provided you didn't need them any more recent than 9-14 days. Here's why:
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
I would verify that they are old/stale users, but for the most part that should fix it.
Here's some code I found from a Quest scripting guy:
# calculate a deadline date. (now minus 60 days)
$deadline = (Get-Date).AddDays(-60).ToFileTimeUtc()
#construct a ldap query
$ldapQuery = '(|(!(lastLogonTimeStamp=*))(lastLogonTimeStamp<=' + $deadline + '))'
#run this query
Get-QADUser -Enabled -SizeLimit 0 -LdapFilter $ldapQuery
#Script from:http://powergui.org/thread.jspa?threadID=8218
HTH,
Dale Harris
ASKER
I've requested that this question be deleted for the following reason:
It turns out that the reason I wanted this script is not going to work for me.
Does it crash with an error? Or provide wrong results? Or give you useless information?
Please give us more information why it is not what you expected.
ASKER
No, it works, but I was trying to get to where I could disable bulk users after I ran this to get the inactive ones.
It turns out that I cannot modify users with a script in our organization, so I've been wasting my time trying to get to a solution.
Thanks for the help anyway.
ASKER
Thanks for the help.