Powershell query to get users logged in in last 30 days

I'm trying to write an extremely simple query that will pull all users whose last logon date is within the last thirty days. What I'm stuck on is that if I use a filter of {lastlogontimestamp -gt "Date of 30 days ago"} I get results. But as soon as I make the filter -lt or -le I get zero results. I know there are more complicated methods to write this query but I specifically would like to use the simplest possible. I know that lastlogontimestamp is intentionally inaccurate, that's not a problem for me.

Part 2 of the question is what value can I use for my output that will return an actual date? For instance, if I use lastlogontimestamp as an output the field is just blank.

Here's what I'm trying to use: Get-ADUser -Filter {lastlogontimestamp -le 08202013} | ft N
Who is Participating?
footechConnect With a Mentor Commented:
As long as you know the limits of LastLogonTimeStamp...
Better to use LastLogonDate with the MS AD cmdlets, since it gives you datetime formatted object.  When testing I did get some slightly different results when using it as a filter for the AD command vs. for a Where-Object if using a -lt comparison, because the Where-Object filter will include results where it is not set.  However, if you want something within the last 30 days, you would be using a -gt operator
get-aduser -filter {lastlogondate -gt "8/1/2013"} -Properties lastlogondate | select Name,LastLogonDate | sort name

Open in new window

Try this

get-qaduser -NotLoggedOnFor 30 -SizeLimit 0 | Sort-Object Name | out-file c:\ADUsersLogon30days.csv
Be sure to load the quest module first.

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Steven HarrisPresidentCommented:
The purpose of the lastLogontimeStamp attribute is to locate inactive accounts, not provide real-time logon information.
Will SzymkowskiSenior Solution ArchitectCommented:
Use the following powershell script to get your details...

Copy and Paste entire code into a txt file and save the file extension as .ps1

# Import the Active Directory Module
Import-module activedirectory
# Create a variable for get-date (current date)
$date = get-date
# Create a variable called $User to get all users in Active Directory with all Properties
$User = Get-ADUser -Filter 'objectclass -eq "User"' -Properties *
# Display all Users within Active Directory that have been created in the last 30 days
$User | Where-Object {$_.whenCreated -gt $date.adddays(-30)} |
# Sort the out-put data by LastLogonDate
Sort-Object -Property LastLogonDate |
# Display the information with the below headings
Select whenCreated,LastLogonDate,Enabled |
# Export the results to CSV file
Out-file c:\UsersLast30Days.csv

Open in new window

b1narymanAuthor Commented:
Footech, that is exactly what I was looking for, that's returning the results I expect.
 Not sure why but when I used the -gt modifier for the lastlogontimestamp it was giving me dates older than my target date, not newer, so that's why I was working on getting lt or le to work.

I had originally thought to use lastlogondate instead of lastlogontimestamp. I can't remember now why I switched but obviously my first instinct was better and I should have stuck with it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.