SharePoint: Generate and report AD account metrics in SharePoint Part 3: Getting still more complex AD metrics
Article Series
- Part 1: How to get basic AD Metrics
- Part 2: Getting more complex AD metrics
- Part 3: Getting still more complex AD metrics < you are here
- Part 4: How to store AD metrics in SharePoint 2010
- Part 5: How to present AD metrics in a SharePoint 2010 dashboard
Introduction
In the first posting of this series, we explored the basic process for generating AD metrics and saving them to a file. In the second posting, we explored generating somewhat more complex metrics. In this third posting in this series, we will extract and categorize AD account last logons using the simplest approach.
Obtaining user account last logons provides immediate business value to system administrators, management and customers, as they show infrastructure usage. Capturing and archiving these values supports trending analysis and more accurate budget planning.
The AD account attribute that will be used is LastLogonDate. This attribute is a conversion of the LastLogonTimeStamp long integer value into a friendly time format that is formatted according to your local time zone and settings. By default, the LastLogonTimeStamp attribute is replicated among the domain controllers only every 9 to 14 days, so LastLogonDate carries the same lag.
LastLogon Metrics
Here is the script to be added. Let's look at the first metric: users who have logged in within the past 365 days.
# This line gets the number of enabled user accounts that
# have logged in within the past 365 days. This time, we
# filter the array using a time value, which is obtained
# by subtracting 365 from the variable holding the time
# value obtained at the start of this script.
$365Days = $DateTime.AddDays(-365)
[array]$LastLogon365EnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $365Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 365 days: " + $LastLogon365EnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
It follows the same general approach used previously. Repeat this approach for the other date categories, including: 180, 90, 45, and 30 days.
$180Days = $DateTime.AddDays(-180)
[array]$LastLogon180DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $180Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 180 days: " + $LastLogon180DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
$90Days = $DateTime.AddDays(-90)
[array]$LastLogon90DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $90Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 90 days: " + $LastLogon90DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
$45Days = $DateTime.AddDays(-45)
[array]$LastLogon45DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $45Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 45 days: " + $LastLogon45DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
$30Days = $DateTime.AddDays(-30)
[array]$LastLogon30DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $30Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 30 days: " + $LastLogon30DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
$15Days = $DateTime.AddDays(-15)
[array]$LastLogon15DaysEnabledUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LastLogonDate -ge $15Days}
$StringToWrite = "Total number of enabled users who have logged in within the past 15 days: " + $LastLogon15DaysEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
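The blocks above differ only in the day count, so the same metrics can be driven from a list of windows. The following is an added example, not part of the original article's script: the function name Get-LastLogonMetrics and the sample accounts are hypothetical, and it goes one step further by counting enabled accounts whose LastLogonDate is empty, which the -ge filter leaves out of every window.

```powershell
# Added example, not from the original article. The accounts below are
# constructed sample data so the logic runs without a domain; in the series'
# script, $DateTime and $AllEnabledUserAccounts come from the earlier parts.
$DateTime = Get-Date
$AllEnabledUserAccounts = @(
    [pscustomobject]@{ SamAccountName = 'alice'; LastLogonDate = $DateTime.AddDays(-3) }
    [pscustomobject]@{ SamAccountName = 'bob';   LastLogonDate = $DateTime.AddDays(-40) }
    [pscustomobject]@{ SamAccountName = 'carol'; LastLogonDate = $DateTime.AddDays(-200) }
    [pscustomobject]@{ SamAccountName = 'svc01'; LastLogonDate = $null }  # never logged on
)

# Hypothetical helper: one result object per time window, plus a final
# object for accounts that have no LastLogonDate at all.
function Get-LastLogonMetrics {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Accounts,
        [Parameter(Mandatory = $true)] [datetime] $AsOf,
        [int[]] $WindowsInDays = @(365, 180, 90, 45, 30, 15)
    )
    foreach ($Days in $WindowsInDays) {
        $Cutoff = $AsOf.AddDays(-$Days)
        # A $null LastLogonDate never satisfies -ge, so accounts that have
        # never logged on fall outside every window.
        $Active = @($Accounts | Where-Object { $_.LastLogonDate -ge $Cutoff })
        [pscustomobject]@{
            Label = "Total number of enabled users who have logged in within the past $Days days"
            Count = $Active.Count
        }
    }
    # Enabled accounts with no recorded logon are worth reporting separately:
    # they are either newly provisioned or unused.
    $Never = @($Accounts | Where-Object { $null -eq $_.LastLogonDate })
    [pscustomobject]@{
        Label = 'Total number of enabled users with no recorded logon'
        Count = $Never.Count
    }
}

# Emit one line per metric in the same "label: count" form the script writes.
$Metrics = Get-LastLogonMetrics -Accounts $AllEnabledUserAccounts -AsOf $DateTime
foreach ($Row in $Metrics) {
    "{0}: {1}" -f $Row.Label, $Row.Count
}
```

To append the lines to the report file instead of the console, pipe the output of the final loop to `Add-Content $FilePathString`.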
Summary
This posting, the third in this series, has presented a script for extracting additional Active Directory user account metrics. It uses the LastLogonDate attribute. The default replication frequency determines the default window of accuracy of LastLogonDate. The default replication frequency works out to be approximately 9-14 days. This accuracy is good enough for time windows of 30, 60, 90 days, and so on, but is insufficiently accurate when seeking time windows of 1, 2, or 7 days. In a later posting, we'll explore how to improve this accuracy and thus obtain more immediate usage metrics.