Find AD Users who never logged on using Powershell

We can use the Active Directory PowerShell cmdlet Get-ADUser to query users from AD. To find users who have never logged on even once, we check the AD attribute lastLogonTimestamp: it is written the first time an account authenticates and is replicated to every domain controller, so an account on which it is empty has not logged on anywhere in the domain (allowing for replication latency, since a logon from a few minutes ago may not have reached the DC you query yet). The attribute is only refreshed when the stored value is more than 14 days old by default, so it is a coarse indicator of recent activity, but that does not affect the never-logged-on check. Accounts that were provisioned but never used are a common source of stale accounts still carrying their initial password, which is why this list is worth reviewing regularly.

The command below lists all users who have never logged on, including disabled accounts.

Get-ADUser -Filter {(lastlogontimestamp -notlike "*")} | Select Name,DistinguishedName

If you want to list only enabled AD users, add one more condition to the filter above.

Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true)} | Select Name,DistinguishedName

If you are familiar with LDAP filter syntax, you can find never-logged-on users with an LDAP filter as well. The first clause matches accounts with no lastLogonTimestamp value; the second uses the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to exclude accounts whose userAccountControl has the ACCOUNTDISABLE bit (2) set.

Get-ADUser -ldapfilter '(&(!lastlogontimestamp=*)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))' |
 Select Name,DistinguishedName

In most cases we want to narrow this down to accounts that were created some days or months ago and have still not been used, because a brand-new account that simply has not been handed over yet is not interesting. To achieve this we add a condition on the whenCreated attribute.

The PowerShell command below lists enabled AD users created more than 30 days ago (whenCreated earlier than today minus 30 days) who have still never logged on.

$days = 30
$createdtime = (Get-Date).Adddays(-($days))
Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true) -and (whencreated -lt $createdtime)} | 
Select Name,DistinguishedName

Export Never Logged On AD Users to CSV file

We can export the users to a CSV file with the Export-CSV cmdlet. The following command exports all enabled users created more than 30 days ago who have never logged on.

$createdtime = (Get-Date).Adddays(-(30))
Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true) -and (whencreated -lt $createdtime)} | 
Select Name,DistinguishedName |
Export-CSV "C:\NeverLoggedOnUsers.csv" -NoTypeInformation -Encoding UTF8
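As an added example (not part of the original article), the function below combines the three filters used above into one report and adds the check a practitioner usually wants before acting on the list: because lastLogonTimestamp is replicated with a delay, each candidate is confirmed against the non-replicated lastLogon attribute on every domain controller, so an account whose first logon simply has not replicated yet is not reported as "never logged on". The function name Get-NeverLoggedOnUser, its parameters and the output columns are assumptions for this example, not something the article defines; it assumes the ActiveDirectory module is installed and that the caller can read user objects on every DC.

```powershell
# Added example (not from the original post): report enabled accounts that have never
# logged on and are older than a threshold, confirmed against lastLogon on every DC.
# Assumes the ActiveDirectory module is available and the caller can read user objects
# on every domain controller. Function name and parameters are illustrative.
Import-Module ActiveDirectory

function Get-NeverLoggedOnUser {
    [CmdletBinding()]
    param(
        # Report only accounts created more than this many days ago
        [int]$OlderThanDays = 30,
        # Also report disabled accounts (default: enabled accounts only)
        [switch]$IncludeDisabled,
        # Optional OU or container (distinguished name) to limit the search
        [string]$SearchBase
    )

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    # Server-side filter on the replicated attribute does the heavy lifting; the
    # creation-age and enabled checks are applied client-side on the small result set.
    $query = @{
        Filter     = 'lastLogonTimestamp -notlike "*"'
        Properties = 'whenCreated', 'PasswordLastSet'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $candidates = Get-ADUser @query | Where-Object {
        $_.whenCreated -lt $cutoff -and ($IncludeDisabled -or $_.Enabled)
    }
    if (-not $candidates) { return }

    # lastLogon is written only on the DC that handled the authentication and is never
    # replicated, so every DC has to be asked; the newest value across all DCs wins.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($user in $candidates) {
        $newest = 0L
        foreach ($dc in $dcs) {
            try {
                $ll = (Get-ADUser -Identity $user.DistinguishedName -Server $dc -Properties lastLogon -ErrorAction Stop).lastLogon
                if ($ll -and $ll -gt $newest) { $newest = [int64]$ll }
            } catch {
                Write-Warning "Could not query $dc for $($user.SamAccountName): $($_.Exception.Message)"
            }
        }

        if ($newest -gt 0) {
            # Some DC has seen a logon; lastLogonTimestamp will follow once replication catches up
            Write-Verbose ("{0} logged on at {1} according to a DC, skipping" -f $user.SamAccountName, [DateTime]::FromFileTime($newest))
            continue
        }

        [PSCustomObject]@{
            Name              = $user.Name
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            Enabled           = $user.Enabled
            WhenCreated       = $user.whenCreated
            AgeDays           = [int]((Get-Date) - $user.whenCreated).TotalDays
            # A value equal to the creation time means the provisioner's initial password is still in force
            PasswordLastSet   = $user.PasswordLastSet
        }
    }
}

# Usage: the same CSV export as above, built from the verified list, oldest accounts first
Get-NeverLoggedOnUser -OlderThanDays 30 -Verbose |
    Sort-Object AgeDays -Descending |
    Export-Csv -Path "C:\NeverLoggedOnUsers.csv" -NoTypeInformation -Encoding UTF8
```

Querying every DC costs one LDAP read per candidate per DC, which is cheap for the handful of accounts this filter normally returns but worth restricting with -SearchBase in very large domains. The PasswordLastSet column is included because an account that has never logged on and whose password has not changed since creation is exactly the kind of account whose initial password may still be known to more people than the intended owner.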


1 thought on “Find AD Users who never logged on using Powershell”

  1. Find users logged into servers based on a static server list, a specific OU, or the entire domain. Thanks to the unknown person who supplied the base code that I started with. I love getting my daily report 🙂 Enjoy!:

    # Import the Active Directory module for the Get-ADComputer cmdlet
    Import-Module ActiveDirectory

    # Get today's date for the report
    $today = Get-Date

    # Setup email parameters (sender and recipient in "Display Name <address>" form)
    $subject = "ACTIVE MEMBER SERVER SESSIONS REPORT – " + $today
    $priority = "Normal"
    $smtpServer = "smtpserver.domain.com"
    $emailFrom = "John Smith "
    $emailTo = "John Smith "

    # Create a fresh variable to collect the results. You can use this to output as desired
    $SessionList = "ACTIVE MEMBER SERVER SESSIONS REPORT – " + $today + "`n`n"

    # Query Active Directory for computers running a Server operating system; use only 1 of the next 3 methods and comment out the others

    # 1. To query by a static list of servers (one host name per line), use this next line to populate the $Servers variable
    #$Servers = Get-Content serverlist.txt

    # 2. To query by every server in the domain, use this next line to populate the $Servers variable
    #$Servers = Get-ADComputer -Filter {OperatingSystem -like "*server*"}

    # 3. To query by every server under a specific OU, use these next few lines to populate the $Servers variable
    $strDomain = Get-ADDomain | Select-Object -ExpandProperty DistinguishedName
    $strOU = "ou=servers,ou=HR,"
    $strFQDN = $strOU + $strDomain
    $Servers = (Get-ADComputer -SearchBase $strFQDN -Filter *)

    # Loop through the list to query each server for login sessions
    ForEach ($Server in $Servers) {
        # Method 1 yields plain host-name strings; methods 2 and 3 yield computer objects with a Name property
        $ServerName = if ($Server -is [string]) { $Server } else { $Server.Name }

        # Shows which server is being queried; comment out when running unattended
        Write-Host "Querying $ServerName"

        # Run qwinsta.exe; an unreachable server writes an error to stderr and prints no table, so skip it
        $lines = @(qwinsta /server:$ServerName 2>$null)
        if ($lines.Count -lt 2) {
            Write-Warning "No session data from $ServerName"
            continue
        }

        # qwinsta prints fixed-width columns and leaves SESSIONNAME blank for disconnected sessions,
        # so slice each row at the column offsets of the header line instead of splitting on whitespace
        $header    = $lines[0]
        $userStart = $header.IndexOf("USERNAME")
        $idStart   = $header.IndexOf("ID")

        # Pull the session information from each row
        ForEach ($line in ($lines | Select-Object -Skip 1)) {
            if ($line.Length -le $userStart) { continue }
            $sessionType = $line.Substring(0, $userStart).Trim().TrimStart(">")   # ">" marks the caller's own session
            $userEnd     = [Math]::Min($idStart, $line.Length)
            $RDPUser     = $line.Substring($userStart, $userEnd - $userStart).Trim()

            # We only want to display where a "person" is logged in; system sessions have an empty USERNAME
            If ($RDPUser -match "[a-z]") {
                # When running interactively, uncomment the Write-Host line below to show the output to screen
                # Write-Host $ServerName logged in by $RDPUser on $sessionType
                $SessionList = $SessionList + "`n`n" + $ServerName + " logged in by " + $RDPUser + " on " + $sessionType
            }
        }
    }

    # Send the report email
    Send-MailMessage -To $emailTo -From $emailFrom -Subject $subject -SmtpServer $smtpServer -Body $SessionList -Priority $priority

    # Print the full list on screen as well; comment out when running unattended
    $SessionList

