This PowerShell script retrieves the values of lastLogon and logonCount for every user account on each domain controller (DC) in the domain. The script outputs the latest lastLogon value and the total logonCount over all DCs for each user.

The lastLogon and logonCount attributes are not replicated between domain controllers. Each DC has a different value for each user, reflecting the last time the user authenticated and the number of times the user authenicated on the DC. This PowerShell script retrieves these values for all users on every DC, then for each user outputs the latest lastLogon and the cumulative total logonCount.

The logonCount attribute is a 32-bit integer. The lastLogon attribute is LargeInteger, a 64-bit integer representing a datetime as the number of 100-nanosecond intervals (ticks) since 12:00 am January 1, 1601. The value is in Coordinated Universal Time (or UTC after the French acronym), which used to be called GMT. The script converts the lastLogon 64-bit integer into a friendly datetime value in the time zone of the local client.

The script is coded in PowerShell version 1. Error trapping allows the script to flag any errors on any DC without halting the script. The output is comma delimited and can be redirected to a text file with csv extension. Error messages are not redirected, but appear at the command prompt.

Example output:

DN (NTName),Last Logon,Total Logon Count
"CN=Jim Smith,OU=West,DC=Domain,DC=com (jsmith)",11/29/2018 17:47:37,56
"CN=Sally Wilson,OU=West,DC=Domain,DC=com (swilson)",12/12/2018 06:31:09,125
"CN=Jane Johnson,OU=East,DC=Domain,DC=com (jjohnson)",12/05/2018 11:05:13,43
"CN=Roger Franks,OU=East,DC=Domain,DC=com (rfranks)",08/28/2018 09:43:51,21

The format for Last Logon depends on the current culture.

AllLastLogonAndCount.txt <<-- Click here to view or download the program