This PowerShell script outputs the values of lastLogon and logonCount for a specified user account on each domain controller (DC) in the domain.

The lastLogon and logonCount attributes are not replicated between domain controllers. Each DC has a different value for each user, reflecting the last time the user authenticated and the number of times the user authenticated on the DC. This PowerShell script outputs these values for a specified user on every DC.

The logonCount attribute is a 32-bit integer. The lastLogon attribute is a LargeInteger, a 64-bit integer representing a datetime as the number of 100-nanosecond intervals (ticks) since 12:00 am January 1, 1601. The value is in Coordinated Universal Time (or UTC after the French acronym), which used to be called GMT. The script converts the lastLogon 64-bit integer into a friendly datetime value in the time zone of the local client.

The script is coded in PowerShell version 1. Error trapping allows the script to flag any errors on any DC without halting the script. The output is comma delimited and can be redirected to a text file with csv extension. Error messages are not redirected, but appear at the command prompt.

Example output:

Domain Controller,Last Logon,Total Logon Count
DC02.Domain.com,12/12/2018 17:47:37,6
DC01.Domain.com,12/05/2018 07:12:42,13
DC03.Domain.com,11/26/2018 11:09:31,5
DC04.Domain.com,12/14/2018 15:26:12,89

The format for Last Logon depends on the current culture.

UserLastLogonAndCount.txt <<-- Click here to view or download the program
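
The technique described above, as an added sketch that is not the UserLastLogonAndCount program itself: it binds to each DC in turn, reads the two non-replicated attributes, and converts lastLogon to local time. The parameter name `$SamAccountName`, the "Never" placeholder for a zero or missing lastLogon, and the use of try/catch (PowerShell 2.0 or later, rather than version 1 trap statements) are assumptions of this example.

```powershell
# Added example (not the original script). Requires PowerShell 2.0+ for try/catch.
param([string]$SamAccountName = $(throw "Specify the user's sAMAccountName"))

# Escape LDAP filter metacharacters (RFC 4515); the backslash must be handled first.
$safe = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
$filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Domain Controller,Last Logon,Total Logon Count"

foreach ($dc in $domain.DomainControllers) {
    try {
        # Bind to this DC by name so the non-replicated values come from it.
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
        [void]$searcher.PropertiesToLoad.Add("lastLogon")
        [void]$searcher.PropertiesToLoad.Add("logonCount")
        $result = $searcher.FindOne()
        if ($null -eq $result) { throw "user '$SamAccountName' not found" }

        # lastLogon: ticks since 1601 (UTC); 0 or absent means no logon recorded on this DC.
        $ticks = [Int64]0
        if ($result.Properties["lastlogon"].Count -gt 0) {
            $ticks = [Int64]$result.Properties["lastlogon"][0]
        }
        if ($ticks -gt 0) {
            # FromFileTime returns local time; ToString() formats per the current culture.
            $last = [DateTime]::FromFileTime($ticks).ToString()
        } else {
            $last = "Never"
        }
        $count = 0
        if ($result.Properties["logoncount"].Count -gt 0) {
            $count = [Int32]$result.Properties["logoncount"][0]
        }
        "$($dc.Name),$last,$count"
    }
    catch {
        # Warnings are not captured by '>' redirection, so the CSV stays clean
        # and an unreachable DC does not stop the loop.
        Write-Warning "$($dc.Name): $($_.Exception.Message)"
    }
}
```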