jessikitty/AD-ComputerLastLogon
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README with Get-UserLastLogonComputer documentation

Browse Source
This commit is contained in:
jessikitty
2026-01-30 10:36:55 +11:00
parent 8aef95655e
commit 20837efa25
1 changed files with 54 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
README.md
View File

@@ -1,43 +1,72 @@
# AD-ComputerLastLogon # AD-ComputerLastLogon
PowerShell script to check when a computer last authenticated to the Active Directory domain. PowerShell scripts for Active Directory logon auditing.
## Scripts
| Script | Description |
|--------|-------------|
| `Get-ComputerLastLogon.ps1` | Check when a specific computer last authenticated to the domain |
| `Get-UserLastLogonComputer.ps1` | Export all users and the last PC they logged into (CSV) |
## Requirements ## Requirements
- Windows PowerShell 5.1 or PowerShell 7+ - Windows PowerShell 5.1 or PowerShell 7+
- Active Directory PowerShell module (RSAT) - Active Directory PowerShell module (RSAT)
- Run on a Domain Controller or machine with AD connectivity - Run on a Domain Controller
- Administrator permissions (for Security log access)
## Usage ---
### Interactive Mode ## Get-ComputerLastLogon.ps1
```powershell
.\Get-ComputerLastLogon.ps1
# You will be prompted to enter a computer name
```
### With Parameter Queries AD for a computer's last authentication time.
### Usage
```powershell ```powershell
.\Get-ComputerLastLogon.ps1 -ComputerName "WORKSTATION01" .\Get-ComputerLastLogon.ps1 -ComputerName "WORKSTATION01"
# Or interactive:
.\Get-ComputerLastLogon.ps1
``` ```
## Output ### Output Fields
The script displays:
| Field | Description | | Field | Description |
|-------|-------------| |-------|-------------|
| **Last Logon (Replicated)** | `LastLogonTimestamp` - replicated across DCs, updated ~every 14 days | | Last Logon (Replicated) | `LastLogonTimestamp` - replicated across DCs (~14 day update interval) |
| **Last Logon (This DC)** | `LastLogon` - specific to the DC you're querying, not replicated | | Last Logon (This DC) | `LastLogon` - DC-specific, not replicated |
| **Days Since Last Logon** | Calculated from the replicated timestamp | | Days Since Last Logon | Calculated from replicated timestamp |
| **Account Enabled** | Whether the computer account is enabled |
| **Operating System** | OS name and version |
| **Created** | When the computer account was created |
| **Description** | AD description field |
| **DN** | Distinguished Name (full AD path) |
## Notes ---
- **LastLogonTimestamp** is the more reliable field for determining if a computer is active, as it's replicated between all DCs ## Get-UserLastLogonComputer.ps1
- **LastLogon** only reflects activity on the specific DC you're querying
- The replicated timestamp is only updated approximately every 14 days to reduce replication traffic Queries DC security event logs to find which PC each user last logged into, exports to CSV.
### Usage
```powershell
# Default: last 7 days, saves to current directory
.\Get-UserLastLogonComputer.ps1
# Custom: last 30 days, specific output path
.\Get-UserLastLogonComputer.ps1 -OutputPath "C:\Reports" -DaysBack 30
```
### Parameters
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-OutputPath` | Current directory | Where to save the CSV |
| `-DaysBack` | 7 | Days of event logs to search |
| `-LogonTypes` | 2, 10, 11 | Logon types to include |
### Logon Types
- **2** - Interactive (console login)
- **10** - RemoteInteractive (RDP)
- **11** - CachedInteractive (cached credentials)
### CSV Output
```
Domain,Username,Computer,LogonTime,LogonType
DOMAIN,jsmith,PC-OFFICE01,2026-01-19 10:30:00,Interactive
DOMAIN,auser,PC-RECEPTION,2026-01-18 14:22:15,RDP
```