I am developing a script to report on users who have not logged in to the domain for 6 months. I'm using lastLogonTimestamp
as within 14 days is precise enough for my purposes, and I don't want to have to query each DC.
The problem is, when I run the script, the lastLogonTimestamp
comes back blank for nearly 600 users. But, and here's the weird bit, I can then do Get-ADUser
(which is what is used within the script to retrieve this information) for one of these users at the same prompt and it gives me a value.
What could be causing this?
UPDATE: Just to provide some clarification. Yes the DFL is 2003. Also, to clarify. I'm only referring to the lastLogonTimestamp attribute, not any other attribute.
The script begins by creating an object containing every user:
$userlist = Get-ADUser -Filter * -properties lastLogonTimestamp
Aside from some other logic, I write out each user to a text file by using a foreach ($user in $userlist)
loop. Effectively
$name = $user.Name
$llts = $user.lastLogonTimestamp
When I review the text file, the lastLogonTimestamp is blank for nearly 600 users. Of some of these, I pick a test subject, for example someone who I know has logged on recently, let's say user-x. User-x will have lastLogonTimestamp blank in the text file. If, however, I then run
Get-ADUser user-x -properties lastLogonTimestamp
on the same command line after the script has completed for user-x, it returns a value for lastLogonTimestamp.
UPDATE 2: This makes no sense! I changed the script to pull the lastLogonTimestamp property in the loop rather than when I create the userlist object:
foreach ($user in $userlist)
{
$SamAccountName = $user.SamAccountName
$thisUser = Get-ADUser $SamAccountName -properties lastLogonTimeStamp
...
}
I thought this would more closely replicate what I'm using at the command line when it pulls the property successfully, but it still doesn't work. It's probably worth pointing out it's the same users every time.
The problem is with this statement in your Update 2
is that after you do this, the object type of $SamAccountName is System.String so you've lost the AD user context.
Try this:
For your previous code, the issue appears to be with other variable handling. A more substantial snippet will help us give a better answer
Are you looping through all your domain controllers to get the true last logon time? This property and value is not synchronized across DCs IIRC. This is the function we use in our environment to retrieve the correct value for a single user:
In your case, to avoid unnecessary duplication I'd place Get-ADDomainController outside the function, but pass the array of DCs to the function along with the username. You could even modify the $username param to accept an array....
I encountered this same issue and what I found helped was running it as an administrator. it doesn't make any sense, since the information should be available to any authenticated user, but there it is.