From 20837efa25cf2842487c70b6ba90daf28674523b Mon Sep 17 00:00:00 2001 From: jessikitty Date: Fri, 30 Jan 2026 10:36:55 +1100 Subject: [PATCH] Update README with Get-UserLastLogonComputer documentation --- README.md | 79 +++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 54 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index b12913c..3862eba 100644 --- a/README.md +++ b/README.md @@ -1,43 +1,72 @@ # AD-ComputerLastLogon -PowerShell script to check when a computer last authenticated to the Active Directory domain. +PowerShell scripts for Active Directory logon auditing. + +## Scripts + +| Script | Description | +|--------|-------------| +| `Get-ComputerLastLogon.ps1` | Check when a specific computer last authenticated to the domain | +| `Get-UserLastLogonComputer.ps1` | Export all users and the last PC they logged into (CSV) | ## Requirements - Windows PowerShell 5.1 or PowerShell 7+ - Active Directory PowerShell module (RSAT) -- Run on a Domain Controller or machine with AD connectivity +- Run on a Domain Controller +- Administrator permissions (for Security log access) -## Usage +--- -### Interactive Mode -```powershell -.\Get-ComputerLastLogon.ps1 -# You will be prompted to enter a computer name -``` +## Get-ComputerLastLogon.ps1 -### With Parameter +Queries AD for a computer's last authentication time. + +### Usage ```powershell .\Get-ComputerLastLogon.ps1 -ComputerName "WORKSTATION01" + +# Or interactive: +.\Get-ComputerLastLogon.ps1 ``` -## Output - -The script displays: - +### Output Fields | Field | Description | |-------|-------------| -| **Last Logon (Replicated)** | `LastLogonTimestamp` - replicated across DCs, updated ~every 14 days | -| **Last Logon (This DC)** | `LastLogon` - specific to the DC you're querying, not replicated | -| **Days Since Last Logon** | Calculated from the replicated timestamp | -| **Account Enabled** | Whether the computer account is enabled | -| **Operating System** | OS name and version | -| **Created** | When the computer account was created | -| **Description** | AD description field | -| **DN** | Distinguished Name (full AD path) | +| Last Logon (Replicated) | `LastLogonTimestamp` - replicated across DCs (~14 day update interval) | +| Last Logon (This DC) | `LastLogon` - DC-specific, not replicated | +| Days Since Last Logon | Calculated from replicated timestamp | -## Notes +--- -- **LastLogonTimestamp** is the more reliable field for determining if a computer is active, as it's replicated between all DCs -- **LastLogon** only reflects activity on the specific DC you're querying -- The replicated timestamp is only updated approximately every 14 days to reduce replication traffic +## Get-UserLastLogonComputer.ps1 + +Queries DC security event logs to find which PC each user last logged into, exports to CSV. + +### Usage +```powershell +# Default: last 7 days, saves to current directory +.\Get-UserLastLogonComputer.ps1 + +# Custom: last 30 days, specific output path +.\Get-UserLastLogonComputer.ps1 -OutputPath "C:\Reports" -DaysBack 30 +``` + +### Parameters +| Parameter | Default | Description | +|-----------|---------|-------------| +| `-OutputPath` | Current directory | Where to save the CSV | +| `-DaysBack` | 7 | Days of event logs to search | +| `-LogonTypes` | 2, 10, 11 | Logon types to include | + +### Logon Types +- **2** - Interactive (console login) +- **10** - RemoteInteractive (RDP) +- **11** - CachedInteractive (cached credentials) + +### CSV Output +``` +Domain,Username,Computer,LogonTime,LogonType +DOMAIN,jsmith,PC-OFFICE01,2026-01-19 10:30:00,Interactive +DOMAIN,auser,PC-RECEPTION,2026-01-18 14:22:15,RDP +```