Forum Discussion
Need a 5.1 script that will show the last login date, days since, and the SG's it belongs to
Here is my code so far. I don't know what I'm doing wrong; can you please help me fix it? I plan to schedule it so it runs once per day on a server that has the proper modules installed, for users that would like the information. Our account information is automatically deleted if we don't log in for so many days. I'm stuck and could really use the expertise of someone to give me some help. I've been trying for a week without asking for help but haven't been able to make it execute quite perfectly yet. I'll be so happy once I'm able to get it working. If you can help me understand what I was doing wrong, I'd appreciate that as well. At a later point, I'm going to add in SMTP information so it will mail out. I need to get a read-only server account for it but understand that I can do a runas with an account that has enough rights to run it.
Being my first time here, I'm hoping it falls in with the guidelines. Thank you.
Here is the desired output:
```text
Last login date for username1: 2022-10-15 10:23:41
Days since last login for username1: 25
Security groups for username1:
- Group1
- Group2
- Group3
Last login date for username2: 2022-09-28 16:35:12
Days since last login for username2: 42
Security groups for username2:
- Group2
- Group4
- Group5
Last login date for username1: 2022-11-02 09:45:18
Days since last login for username2: 7
Security groups for username3:
- Group3
- Group6
Total usernames: 3
```
Here is my code so far:

```powershell
# Import the Active Directory module
Import-Module ActiveDirectory

# Define the credentials for authentication
$credentials = Get-Credential

# Define the domain controller to query
$domainController = "DC01.domain.com"

# Define an array of usernames
$usernames = @("username1", "username2", "username3")

# Loop through the array of usernames
foreach ($username in $usernames) {
    # Look up the user using the SamAccountName.
    # Get-ADUser only returns the default property set, so lastLogonTimestamp and
    # memberOf have to be requested explicitly with -Properties; otherwise they are $null.
    $user = Get-ADUser -Filter "SamAccountName -eq '$username'" `
        -Properties lastLogonTimestamp, memberOf `
        -Server $domainController -Credential $credentials

    if ($user) {
        # Resolve the security groups the user is a direct member of.
        # memberOf holds group distinguished names; Get-ADGroup turns each DN into a group
        # object so it can be filtered to security groups (distribution groups are skipped).
        # The primary group (usually Domain Users) is not listed in memberOf.
        $userGroups = $user.memberOf | ForEach-Object {
            Get-ADGroup -Identity $_ -Server $domainController -Credential $credentials
        } | Where-Object { $_.GroupCategory -eq 'Security' } |
            Select-Object -ExpandProperty Name

        if ($user.lastLogonTimestamp) {
            # lastLogonTimestamp is a Windows FILETIME (Int64); convert it to a DateTime.
            # This attribute is only replicated every 9-14 days, so the value is approximate.
            $lastLoginDate = [DateTime]::FromFileTime($user.lastLogonTimestamp)

            # Calculate the number of days since the last login
            $daysSinceLastLogin = ((Get-Date) - $lastLoginDate).Days

            # Output the last login date and the number of days since the last login
            Write-Host "Last login date for ${username}: $($lastLoginDate.ToString('yyyy-MM-dd HH:mm:ss'))"
            Write-Host "Days since last login for ${username}: ${daysSinceLastLogin}"
        }
        else {
            # Accounts that have never logged in have no lastLogonTimestamp at all
            $daysSinceLastLogin = $null
            Write-Host "Last login date for ${username}: never"
        }

        # Output the security groups the user is a member of
        Write-Host "Security groups for ${username}:"
        foreach ($group in $userGroups) {
            Write-Host "- ${group}"
        }

        # Check if the number of days since the last login is greater than 30
        if ($daysSinceLastLogin -gt 30) {
            Write-Host "WARNING: ${username} has not logged in for more than 30 days!"
        }
    }
    else {
        Write-Host "User ${username} not found in Active Directory."
    }
}

# Output the count of usernames
Write-Host "Total usernames: $($usernames.Count)"
```
Thank you

- AzureAvenger

No help?
AzureAvenger, you could use the Windows Task Scheduler with a gMSA account (https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) and strip all the Credential things from the script. It will run as that account and do the AD read actions and emailing with it.
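One way to register the daily task the way the reply describes, as an added example that is not part of the original thread: the task's principal is a gMSA, so the script holds no stored password and the AD cmdlets run under the task's own identity. The gMSA name `DOMAIN\svc-adreport$`, the script path and the task name are assumptions.

```powershell
# Run the report script once per day under a gMSA so no credentials live in the script.
# Assumed names: gMSA 'DOMAIN\svc-adreport$', script C:\Scripts\Get-LastLogonReport.ps1.
# Prerequisites (done once by an AD admin, not shown here): the gMSA exists and this server
# is in its PrincipalsAllowedToRetrieveManagedPassword; Install-ADServiceAccount has been run
# on this server so the host can retrieve the managed password.

$gmsa       = 'DOMAIN\svc-adreport$'
$scriptPath = 'C:\Scripts\Get-LastLogonReport.ps1'
$taskName   = 'AD Last Logon Report'

# Confirm the host can actually use the gMSA before registering the task.
if (-not (Test-ADServiceAccount -Identity 'svc-adreport')) {
    throw "This host cannot retrieve the managed password for $gmsa; run Install-ADServiceAccount first."
}

# Windows PowerShell 5.1, non-interactive, running only the report script.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$scriptPath`""

# Once per day at 06:00.
$trigger = New-ScheduledTaskTrigger -Daily -At 6:00AM

# gMSA principals use LogonType Password; Windows fetches the managed password itself,
# so no password is supplied here. Limited run level: a read-only report needs no elevation.
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Limited

# Stop a hung run after an hour and never start a second copy alongside a running one.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force
```

With the task running as the gMSA, drop `Get-Credential` and the `-Credential $credentials` arguments from the script; the AD cmdlets then use the task identity, which only needs read access to the user and group objects.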