Solved

Need to modify PS script to output creation Date, office, etc....

Posted on 2015-01-05
11
219 Views
Last Modified: 2015-01-22
I have the following script that will dump all my users showing the last login date. But I need to get it to dump the creation time, office and last logon DC.

import-module activedirectory

$NumDays = 0
$LogDir = "e:\scripts\lastlogon\Users-Last-Logon.csv"

$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
$lltIntLimit = $lltstampLimit.ToFileTime()
$adobjroot = [adsi]''
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"

$users = $objstalesearcher.findall() | select `
@{e={$_.properties.samaccountname};n='Username'},`
@{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},`
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'}

$users | Export-CSV -NoType $LogDir

Any idea how to add that to this script?

Thanks
0
Comment
Question by:rdefino
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 40

Expert Comment

by:footech
ID: 40532133
The office and creation date are pretty simple.
$users = $objstalesearcher.findall() | select `
@{e={$_.properties.samaccountname};n='Username'},`
@{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},`
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'},`
@{e={$_.properties.whencreated};n='Created'},`
@{e={$_.properties.physicaldeliveryofficename};n='Office'}

Open in new window


However, for the last logon DC you would have to query every DC for the lastLogon attribute and then determine the latest date from all of those, and then choose the corresponding DC that had that date.
0
 

Author Comment

by:rdefino
ID: 40532154
Is there a way to script that for the last login DC?

Also how can I have this file get emailed out to a particular address?

thanks
0
 
LVL 40

Expert Comment

by:footech
ID: 40533843
I notice the first line of your script is
Import-Module ActiveDirectory
If you actually can use the AD cmdlets, the code is much simpler

You can see an example with this script from the MS Technet Gallery.
https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771

To send an email you can use something like the following.
Send-MailMessage -to "you@company.com" -from "script@company.com" -subject "test" -body "the file is attached" -attachments $LogDir -smtpserver "mail.company.com"

Open in new window

0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:rdefino
ID: 40533919
Thanks for the tips.

i did notice that the email I received contained a csv file that was empty but the correct populated file was in the log folder.

Any idea what I missed?
0
 
LVL 40

Expert Comment

by:footech
ID: 40533995
There's not much to the command.
If you received an empty file, then the file must have been empty when the command was run.  There's no other possibility that I can think of.
Try the command with some other files.  Just specify the full path to a file for the -attachments parameter.
0
 

Author Comment

by:rdefino
ID: 40534288
Does this look correct. I believe I did the attachment section correct but it still sends a empty file. I do noticed the populated file in the folder before the empty one is sent.

import-module activedirectory
Remove-Item e:\scripts\lastlogon\Users-Last-Logon.csv
$NumDays = 0
$LogDir = "e:\scripts\lastlogon\Users-Last-Logon.csv"

$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
$lltIntLimit = $lltstampLimit.ToFileTime()
$adobjroot = [adsi]''
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"

$users = $objstalesearcher.findall() | select `
@{e={$_.properties.samaccountname};n='Username'},`
@{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},`
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'},`
@{e={$_.properties.whencreated};n='Created'},`
@{e={$_.properties.physicaldeliveryofficename};n='Office'}

$users | Export-CSV -NoType $LogDir

Send-MailMessage -to "myemail@ssss.com" -from "myemail@sss.com" -smtpserver "sjmail.cadence.com" -subject "User_Last_login" -body "the file is attached" -attachments "e:\scripts\lastlogon\Users-Last-Logon.csv"
0
 
LVL 40

Expert Comment

by:footech
ID: 40534518
I don't see any problem.
Just try running that last command with different files to see what happens.
0
 

Author Comment

by:rdefino
ID: 40536456
Hi Footech,

I noticed that this script is not pulling the latest last logon date, it seems it's pulling from one particular dc instead of checking all and pulling the latest date. Like you mentioned.

Is it possible to get the script to do that?

Otherwise the script won';t work for me since the date's will be incorrect.

thanks
0
 
LVL 40

Expert Comment

by:footech
ID: 40536680
Your script queries the lastlogontimestamp attribute, which is the same on every DC.  I'd suggest the following as good reading.
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
It will help you understand the difference between the lastlogontimestamp and lastlogon atttributes.
0
 

Author Comment

by:rdefino
ID: 40536890
So this is what confuses me. Last logon for a user I know logged into his system today shows from 1-15-2014 and lasttimestamp is from 12-29-14.

I know the lasttimestamp is usually about 12 days old, but what about last logon. I checked these in ADSIedit.

So is there anyway to get an up to date list of user and the last time they logged in? Or am I stuck with the the lasttimestamp a they around 12 days old?

thanks for the article, it definitely was a good read.
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 40538767
Similar to my statement about finding the last logon DC, you would have to query every DC for the lastLogon attribute and then determine the latest date from all of those.  For a single account it's not too difficult, but when you querying for multiple users it is much more so.

If you're worried about finding unused accounts, then you don't need the most up-to-date or accurate of info.  I would just query the lastlogontimestamp and be done with it.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question