# AD-ComputerLastLogon

PowerShell scripts for Active Directory logon auditing.

## Scripts

| Script | Description |
|--------|-------------|
| `Get-ComputerLastLogon.ps1` | Check when a specific computer last authenticated to the domain |
| `Get-UserLastLogonComputer.ps1` | Export all users and the last PC they logged into (CSV) |

## Requirements

- Windows PowerShell 5.1 or PowerShell 7+
- Active Directory PowerShell module (RSAT)
- Run on a Domain Controller
- Administrator permissions (for Security log access)

---

## Get-ComputerLastLogon.ps1

Queries AD for a computer's last authentication time.

### Usage
```powershell
.\Get-ComputerLastLogon.ps1 -ComputerName "WORKSTATION01"

# Or interactive:
.\Get-ComputerLastLogon.ps1
```

### Output Fields
| Field | Description |
|-------|-------------|
| Last Logon (Replicated) | `LastLogonTimestamp` - replicated across DCs (~14 day update interval) |
| Last Logon (This DC) | `LastLogon` - DC-specific, not replicated |
| Days Since Last Logon | Calculated from replicated timestamp |

---

## Get-UserLastLogonComputer.ps1

Queries DC security event logs to find which PC each user last logged into, exports to CSV.

### Usage
```powershell
# Default: last 7 days, saves to current directory
.\Get-UserLastLogonComputer.ps1

# Custom: last 30 days, specific output path
.\Get-UserLastLogonComputer.ps1 -OutputPath "C:\Reports" -DaysBack 30
```

### Parameters
| Parameter | Default | Description |
|-----------|---------|-------------|
| `-OutputPath` | Current directory | Where to save the CSV |
| `-DaysBack` | 7 | Days of event logs to search |
| `-LogonTypes` | 2, 10, 11 | Logon types to include |

### Logon Types
- **2** - Interactive (console login)
- **10** - RemoteInteractive (RDP)
- **11** - CachedInteractive (cached credentials)

### CSV Output
```
Domain,Username,Computer,LogonTime,LogonType
DOMAIN,jsmith,PC-OFFICE01,2026-01-19 10:30:00,Interactive
DOMAIN,auser,PC-RECEPTION,2026-01-18 14:22:15,RDP
```