One of the most dreaded things on a Windows SysAdmin's 'to do' list is maintaining Active Directory and all of its interworking parts: objects, groups, permissions, security groups, rights, who can do what...
What is even more problematic is if the previous SysAdmin (or current, let's be serious) did not maintain their AD environment; there is a lot of housekeeping that needs to be done.
One such task is cleaning up 'dead' accounts, that is, Active Directory objects that are no longer being used or are no longer viable on the network. This is not only good network hygiene but also a way to harden your Active Directory, improve network security and reduce the chance of an unmonitored account being quietly compromised.
Just remember, if you can get to the data, there is a chance that an adversary can get to the data too. Be sure to have access restrictions in place within your Active Directory instance.
Of course, the larger the organization the more time intensive this is going to be, but also the more beneficial to the overall stability and safety of the network.
Method 1: Use the Active Directory Users and Computers GUI
Step 1: Open Active Directory Users and Computers
Step 2: Ensure ‘Advanced Features’ is enabled
Step 3: Open user account in question
Step 4: Select ‘Attribute Editor’
Step 5: Scroll down about a quarter of the way to view the "lastLogon" and "lastLogonTimestamp" attributes
TIP: If there are multiple domain controllers in the environment, be sure to check for this value on each of them to ensure that you have the most accurate data.
Method 2: Using PowerShell to Display Last Logon Time
If you need to query a number of accounts, or if you would rather use the command line over the GUI, the same task can be completed with a short PowerShell command.
Mind you, if you are not running this from a Domain Controller, you will need the Active Directory PowerShell module (part of RSAT) installed.
Step 1: Log Into Domain Controller
Step 2: Open PowerShell as Administrator
Step 3: Run the command below
Get-ADUser -Identity "username" -Properties "LastLogonDate"
Substitute "username" with the sAMAccountName of the user you wish to pull the report on.
The output will include the last logon time.
TIP: The lastLogon attribute is the most accurate way to check an Active Directory user's last logon time, but it is not replicated between domain controllers. There is also the lastLogonTimestamp attribute; it is replicated, but its value can be a week or two behind the current date. The intended purpose of lastLogonTimestamp is to help identify stale user and computer accounts, not to give an exact time. Again, be sure to check all DCs for the most current time stamp.
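The following script is an added example and is not part of the original post. It puts the two tips together: because lastLogon is stored independently on each domain controller, it queries every DC returned by Get-ADDomainController, converts the raw FILETIME values to dates, and reports the most recent one. It also shows lastLogonTimestamp alongside, so you can see how far behind the replicated value lags. Note that the LastLogonDate property used in Step 3 above is just lastLogonTimestamp converted to a DateTime, so on its own it inherits the same lag. The script assumes the ActiveDirectory module is installed and that the caller has read access to the user object on each DC; the parameter name $SamAccountName is my choice, not anything from the post.

```powershell
# Added example: report a user's lastLogon from every domain controller and pick the newest.
# Assumes the ActiveDirectory (RSAT) module is available and the caller can read the user object.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# lastLogon is not replicated, so every DC must be asked individually.
$dcs = Get-ADDomainController -Filter *

$results = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp

        # Both attributes are 64-bit FILETIME integers; 0 or $null means "never".
        [pscustomobject]@{
            DomainController   = $dc.HostName
            LastLogon          = if ($u.lastLogon)          { [DateTime]::FromFileTime($u.lastLogon) }          else { $null }
            LastLogonTimestamp = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        }
    }
    catch {
        # A DC that is down or unreachable should not abort the whole report.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

# Show the per-DC view so discrepancies between controllers are visible.
$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# The newest lastLogon across all DCs is the real "last logon" for this account.
$latest = $results |
    Where-Object { $_.LastLogon } |
    Sort-Object LastLogon -Descending |
    Select-Object -First 1

if ($latest) {
    "Most recent lastLogon for $SamAccountName : $($latest.LastLogon) (recorded on $($latest.DomainController))"
}
else {
    "No lastLogon recorded on any DC for $SamAccountName (the account may never have logged on)."
}
```

Save it as, for example, Get-TrueLastLogon.ps1 and run `.\Get-TrueLastLogon.ps1 -SamAccountName jsmith` from an elevated PowerShell session. Sort-Object is used for the maximum instead of Measure-Object -Maximum because the latter does not handle DateTime values in Windows PowerShell 5.1. For a stale-account sweep, wrap the loop in a foreach over `Get-ADUser -Filter {Enabled -eq $true}` and filter on how old the newest lastLogon is.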