To help clean up inactive directory objects, strengthen security, and meet compliance requirements, you may need to pull a report of the last logon times for each system in your environment. Computer last logon reports help you discover unused local accounts, which become a security liability when left stagnant. And if your organization’s dev workflow involves constant provisioning and deprovisioning of cloud servers and VMs, these reports help keep your directory current and organized.
When most people think about pulling last logon reports, they think of writing a quick script in PowerShell to query Active Directory® (AD). This solution works well in a traditional Windows®-only environment, but because it’s difficult to reliably bind Mac® and Linux® systems to AD, it’s unusual to pull a single last logon report from AD for all the systems in a mixed-OS environment. Below, we’ll address some of the nuances of the AD approach and then explore a solution that remotely manages and reports on all three major operating systems at once.
Why Last Logon Reports Matter
Computer last logon reports are essential for security and regulatory compliance, and they help keep your environment in order. These reports can provide two similar-but-distinct pieces of information: an individual system user account’s last logon time and the last logon time of any user account to a given machine. Let’s look more closely at some of the situations that require these reports.
Organizing Your Directory
Your approach to IT asset management probably accounts for replacing aging laptops and deprovisioning those systems at the local level. But what happens to the directory objects that used to represent them? With a report that tells you the last time a system contacted your directory, you can quickly identify and eliminate any dormant computer objects, keeping the directory current and organized. This is especially useful if you need to manage large numbers of cloud VMs and servers as part of a DevOps workflow.
Additionally, inactive user accounts may exist on active systems. These accounts may be disabled or locked due to password expiration, stalled updates, or other security configurations, or they may have never logged on or been activated in the first place. You need a last logon report to begin removing these accounts from their respective systems and from the directory.
Security & Compliance
Last logon reporting isn’t just a matter of efficiency — it helps prove that your organization meets security baselines required for compliance. PCI standards, for example, require that all systems accounts inactive for 90 days be removed. Unused accounts present an unnecessary attack vector for credential thieves. These accounts could also be accessed by disgruntled former employees whose credentials may still be valid.
Some organizations may be tempted to keep old accounts as a way of preserving projects that a former employee was storing, but the best practice is to safely transfer that data and then remove the account.
Note: Learn about leveraging a cloud directory service to achieve and demonstrate PCI compliance→
Certain user issues sometimes result from a faulty connection or failed sync between their workstation and the central directory. If you’re looking into a problem with a password change or a stalled update, it can be helpful to know the last time the system contacted the directory for authentication.
Pulling Last Logon Reports With AD
Although the fundamentals of pulling a computer last logon report from Active Directory are fairly straightforward, there’s some debate within the AD admin community about the best way to script it in PowerShell. The properties lastLogon and lastLogonTimestamp will return different values, and you may have to manually account for which individual domain controller the system last authenticated to, as well as convert the output to a human-readable date format. There’s also a potential issue with accuracy caused by the default sync frequency: the reported results may have a +/- 14-day margin of error.
And even once you sort out those nuances, you’re probably still only getting a last logon report for your Windows machines. This leaves many admins looking for a simpler reporting solution that also accommodates Mac and Linux systems.
System Reporting With a Cloud Directory Service
In the modern cloud era, IT teams are finding that system reporting is only one of many components of Active Directory that haven’t aged well. Many are surprised to find out that an entirely new, cloud-hosted alternative directory service exists. JumpCloud® Directory-as-a-Service® serves as an authoritative central identity provider for virtually all modern IT resources, both on-prem and in the cloud, including SaaS apps, servers, networks, cloud infrastructure, along with Mac, Windows, and Linux systems.
This cloud directory service requires zero on-prem hardware, and can be remotely managed via a secure web console. It includes a PowerShell module to pull and customize detailed, cross-OS system reports (including computer last logon reports), and the System Insights™ feature offers deeper, near-real-time access to OS-level data, including hardware configurations and usage, network connections, installed applications, and more. If this alternative to last logon reporting with AD sounds appealing, learn more about cross-platform system management with JumpCloud.