AD-ComputerLastLogon
PowerShell scripts for Active Directory logon auditing.
Scripts
| Script | Description |
|---|---|
Get-ComputerLastLogon.ps1 |
Check when a specific computer last authenticated to the domain |
Get-UserLastLogonComputer.ps1 |
Export all users and the last PC they logged into (CSV) |
Requirements
- Windows PowerShell 5.1 or PowerShell 7+
- Active Directory PowerShell module (RSAT)
- Run on a Domain Controller
- Administrator permissions (for Security log access)
Get-ComputerLastLogon.ps1
Queries AD for a computer's last authentication time.
Usage
.\Get-ComputerLastLogon.ps1 -ComputerName "WORKSTATION01"
# Or interactive:
.\Get-ComputerLastLogon.ps1
Output Fields
| Field | Description |
|---|---|
| Last Logon (Replicated) | LastLogonTimestamp - replicated across DCs (~14 day update interval) |
| Last Logon (This DC) | LastLogon - DC-specific, not replicated |
| Days Since Last Logon | Calculated from replicated timestamp |
Get-UserLastLogonComputer.ps1
Queries DC security event logs to find which PC each user last logged into, exports to CSV.
Usage
# Default: last 7 days, saves to current directory
.\Get-UserLastLogonComputer.ps1
# Custom: last 30 days, specific output path
.\Get-UserLastLogonComputer.ps1 -OutputPath "C:\Reports" -DaysBack 30
Parameters
| Parameter | Default | Description |
|---|---|---|
-OutputPath |
Current directory | Where to save the CSV |
-DaysBack |
7 | Days of event logs to search |
-LogonTypes |
2, 10, 11 | Logon types to include |
Logon Types
- 2 - Interactive (console login)
- 10 - RemoteInteractive (RDP)
- 11 - CachedInteractive (cached credentials)
CSV Output
Domain,Username,Computer,LogonTime,LogonType
DOMAIN,jsmith,PC-OFFICE01,2026-01-19 10:30:00,Interactive
DOMAIN,auser,PC-RECEPTION,2026-01-18 14:22:15,RDP