
Need to modify PS script to output creation Date, office, etc....

Posted on 2015-01-05
Last Modified: 2015-01-22
I have the following script that will dump all my users showing the last login date. But I need to get it to dump the creation time, office and last logon DC.

import-module activedirectory

$NumDays = 0
$LogDir = "e:\scripts\lastlogon\Users-Last-Logon.csv"

$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
$lltIntLimit = $lltstampLimit.ToFileTime()
$adobjroot = [adsi]''
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"

$users = $objstalesearcher.findall() | select `
@{e={$_.properties.samaccountname};n='Username'},`
@{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},`
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'}

$users | Export-CSV -NoType $LogDir

Any idea how to add that to this script?

Thanks
Question by:rdefino
11 Comments
 
LVL 41

Expert Comment

by:footech
ID: 40532133
The office and creation date are pretty simple.
$users = $objstalesearcher.findall() | select `
@{e={$_.properties.samaccountname};n='Username'},`
@{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},`
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'},`
@{e={$_.properties.whencreated};n='Created'},`
@{e={$_.properties.physicaldeliveryofficename};n='Office'}


However, for the last logon DC you would have to query every DC for the lastLogon attribute and then determine the latest date from all of those, and then choose the corresponding DC that had that date.
 

Author Comment

by:rdefino
ID: 40532154
Is there a way to script that for the last login DC?

Also how can I have this file get emailed out to a particular address?

thanks
 
LVL 41

Expert Comment

by:footech
ID: 40533843
I notice the first line of your script is
Import-Module ActiveDirectory
If you actually can use the AD cmdlets, the code is much simpler.

You can see an example with this script from the MS Technet Gallery.
https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771

To send an email you can use something like the following.
Send-MailMessage -to "you@company.com" -from "script@company.com" -subject "test" -body "the file is attached" -attachments $LogDir -smtpserver "mail.company.com"


 

Author Comment

by:rdefino
ID: 40533919
Thanks for the tips.

I did notice that the email I received contained a csv file that was empty but the correct populated file was in the log folder.

Any idea what I missed?
 
LVL 41

Expert Comment

by:footech
ID: 40533995
There's not much to the command.
If you received an empty file, then the file must have been empty when the command was run.  There's no other possibility that I can think of.
Try the command with some other files.  Just specify the full path to a file for the -attachments parameter.
 

Author Comment

by:rdefino
ID: 40534288
Does this look correct? I believe I did the attachment section correctly, but it still sends an empty file. I do notice the populated file in the folder before the empty one is sent.

import-module activedirectory
Remove-Item e:\scripts\lastlogon\Users-Last-Logon.csv
$NumDays = 0
$LogDir = "e:\scripts\lastlogon\Users-Last-Logon.csv"

$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
$lltIntLimit = $lltstampLimit.ToFileTime()
$adobjroot = [adsi]''
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"

$users = $objstalesearcher.findall() | select `
@{e={$_.properties.samaccountname};n='Username'},`
@{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},`
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'},`
@{e={$_.properties.whencreated};n='Created'},`
@{e={$_.properties.physicaldeliveryofficename};n='Office'}

$users | Export-CSV -NoType $LogDir

Send-MailMessage -to "myemail@ssss.com" -from "myemail@sss.com" -smtpserver "sjmail.cadence.com" -subject "User_Last_login" -body "the file is attached" -attachments "e:\scripts\lastlogon\Users-Last-Logon.csv"
 
LVL 41

Expert Comment

by:footech
ID: 40534518
I don't see any problem.
Just try running that last command with different files to see what happens.
 

Author Comment

by:rdefino
ID: 40536456
Hi Footech,

I noticed that this script is not pulling the latest last logon date; it seems it's pulling from one particular DC instead of checking all and pulling the latest date, like you mentioned.

Is it possible to get the script to do that?

Otherwise the script won't work for me since the dates will be incorrect.

thanks
 
LVL 41

Expert Comment

by:footech
ID: 40536680
Your script queries the lastlogontimestamp attribute, which is the same on every DC.  I'd suggest the following as good reading.
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
It will help you understand the difference between the lastlogontimestamp and lastlogon attributes.
 

Author Comment

by:rdefino
ID: 40536890
So this is what confuses me. Last logon for a user I know logged into his system today shows from 1-15-2014 and lasttimestamp is from 12-29-14.

I know the lasttimestamp is usually about 12 days old, but what about last logon? I checked these in ADSIedit.

So is there any way to get an up-to-date list of users and the last time they logged in? Or am I stuck with the lasttimestamp, as they are around 12 days old?

thanks for the article, it definitely was a good read.
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 40538767
Similar to my statement about finding the last logon DC, you would have to query every DC for the lastLogon attribute and then determine the latest date from all of those.  For a single account it's not too difficult, but when you're querying for multiple users it is much more so.

If you're worried about finding unused accounts, then you don't need the most up-to-date or accurate of info.  I would just query the lastlogontimestamp and be done with it.
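
The approach described in this thread (ask every DC for lastLogon, keep the newest value per user and the DC that held it), as an added example that is not part of the original posts. It assumes the ActiveDirectory module and PowerShell 3.0 or later; the output path and column names are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumed output path for this example; adjust to your environment.
$OutFile = "e:\scripts\lastlogon\Users-True-Last-Logon.csv"
$props   = 'lastLogon', 'whenCreated', 'physicalDeliveryOfficeName'
$latest  = @{}   # newest record seen so far, keyed by sAMAccountName

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # One query per DC covering all users. lastLogon is not replicated,
        # so each DC only holds the logons it authenticated itself.
        $users = Get-ADUser -Filter * -Server $dc.HostName -Properties $props -ErrorAction Stop
    }
    catch {
        # A DC that cannot be reached may hold the newest logon; flag it.
        Write-Warning "Skipped $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        $stamp = [int64]$u.lastLogon   # missing or 0 = no logon recorded on this DC
        $known = $latest[$u.SamAccountName]
        if ($null -eq $known -or $stamp -gt $known.Stamp) {
            $latest[$u.SamAccountName] = [pscustomobject]@{
                Username = $u.SamAccountName
                Stamp    = $stamp
                DC       = $dc.HostName
                Created  = $u.whenCreated
                Office   = $u.physicalDeliveryOfficeName
                Disabled = -not $u.Enabled
            }
        }
    }
}

# Accounts with no recorded logon on any DC get blank logon columns.
$latest.Values | Sort-Object Username | Select-Object Username,
    @{n='Last Logon (UTC)'; e={ if ($_.Stamp -gt 0) { [datetime]::FromFileTimeUtc($_.Stamp) } }},
    @{n='Last Logon DC';    e={ if ($_.Stamp -gt 0) { $_.DC } }},
    @{n='Account Is Disabled'; e={ $_.Disabled }}, Created, Office |
    Export-Csv -NoTypeInformation $OutFile
```

Querying each DC once for all users keeps the number of LDAP searches equal to the number of DCs rather than users times DCs.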