Get a list of active users is pretty trivial with powershell, however with multiple AD controllers, things become more complicated. There are effective two fields LastLogon and LastLogonTimestamp. Depending on replication and AD server, the values may be different.

The following Powershell script will query each ADC and get the most recent login date:

To export the list in CSV, simply use it like this:

ADUserLastLogon.ps1 | Export-CSV -Path "C:\temp\ADUsers.csv" -NoTypeInformation

For more information about each attribute, see below:


This attribute is not replicated and is maintained separately on each domain controller in the domain. To get an accurate value for the user’s last logon in the domain, the Last-Logon attribute for the user must be retrieved from every domain controller in the domain. The largest value that is retrieved is the true last logon time for that user.


Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [ current_time – msDS-LogonTimeSyncInterval ], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus random percentage of 5 days.