In an organization, Active Directory contains an account for every user. Over time, employees leave the organization, and their accounts sometimes remain in Active Directory.
Such unused or stale accounts take up space in the Active Directory database and pose a security threat as well. As an Active Directory admin, you need to remove these inactive or stale accounts.
Active Directory provides two attributes, lastlogon and lastlogontimestamp, that store a user's last logon time.
In this blog post, we will see the difference between the Active Directory lastlogon, lastlogontimestamp and lastlogondate attributes.
- lastlogon : When the user logs on to the system, the lastlogon attribute is updated only on the domain controller that performed the authentication. The attribute is not replicated and is maintained separately on each domain controller in the domain.
This is very helpful for finding the latest AD user login. Because the lastlogon value is specific to a domain controller, to get an accurate value for a user's last logon the value must be retrieved from every domain controller.
The lastlogon value retrieved this way is the true last logon time for the AD user account.
- lastlogontimestamp : lastlogontimestamp is a replicated attribute. This attribute value is not updated every time the user logs on.
It is updated only when the current value of lastlogontimestamp is older than the current time minus the value of the ms-DS-Logon-Time-Sync-Interval attribute. The default value of this setting is ‘NOT SET’, but it defaults to
- lastlogondate : lastlogondate is a converted version of the replicated value; it is a calculated value that gives you a simple way to query using date formats and retrieve a list of accounts.
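The following PowerShell is an added example, not code from the original post: it gathers lastLogon from every domain controller to get the true last logon for one account, compares it with the replicated LastLogonDate, and then lists enabled accounts whose LastLogonDate is older than a cutoff. It assumes the ActiveDirectory module is installed and that the caller can query every DC; the account name 'jdoe' is a placeholder.

```powershell
# Added example: true last logon (per-DC lastLogon) versus replicated LastLogonDate.
# Assumes the ActiveDirectory module and read access to every domain controller.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $latest = 0
    # lastLogon is not replicated, so every domain controller must be asked
    # and the newest value wins.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            if ($u.lastLogon -gt $latest) { $latest = $u.lastLogon }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
    # lastLogon is a Windows FILETIME; 0 means no DC recorded a logon.
    if ($latest -eq 0) { return $null }
    return [DateTime]::FromFileTime($latest)
}

function Get-StaleUsers {
    param([int]$InactiveDays = 90)

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # LastLogonDate is the replicated lastLogonTimestamp converted to a DateTime,
    # so a single query against any DC is enough. It can lag the true last logon
    # by up to the sync interval, so keep the cutoff comfortably larger than that.
    # Accounts that never logged on have no LastLogonDate and are not matched here.
    Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate |
        Select-Object SamAccountName, LastLogonDate
}

# Usage: compare both values for one placeholder account, then report stale accounts.
$sam = 'jdoe'
[PSCustomObject]@{
    SamAccountName      = $sam
    TrueLastLogon       = Get-TrueLastLogon -SamAccountName $sam
    ReplicatedLastLogon = (Get-ADUser -Identity $sam -Properties LastLogonDate).LastLogonDate
}
Get-StaleUsers -InactiveDays 90
```

Review the report before disabling anything; a LastLogonDate that is a few days behind the true value is expected, while a gap larger than the sync interval points at a replication problem rather than an inactive user.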
I hope this helps you understand the difference between these attributes.
Using these Active Directory attributes in PowerShell, you can find AD user accounts that have not been used for a long time, disable them and remove them.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on ShellGeek home page.