I’ve had some luck looking at the timestamps on the ntuser.dat file in the profile directories.
Q: (name of it, accessed times of files "ntuser.dat" of it) of folders of folder "C:\Users"
This again is highly susceptible to other processes on the machine potentially manipulating the file, but in general, since that stores the HKCU hive, it shouldn’t normally be used unless that user is logged on.
If you're working with domain users, you could pull the lastLogonTimestamp attribute out of AD for the user. This (again, should) get updated upon non-cached credential authentication and should replicate across DCs in the environment. Another attribute, lastLogon, exists, but depending upon how your AD is deployed in the environment, it may not work for you as it does not replicate across DCs. To use that attribute you would have to pull it from the DC used for the authentication… or enumerate all of your DCs and take the maximum value discovered as the real last logon.
Get-ADUser -Identity <USERNAME_HERE> -Properties LastLogonTimeStamp | Select Name, @{Name='LastLogonTimeStamp';Expression={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}}
or borrowing a little from @brolly33
@({concatenation "," of ("%22" & string value of property "sid" of it & "%22") of (select objects "sid from Win32_UserProfile" of wmi) whose (set of ("S-1-5-20";"S-1-5-19";"S-1-5-18") does not contain string value of property "sid" of it)}) | Get-ADUser -Properties LastLogonTimeStamp | Select Name, @{{Name='LastLogonTimeStamp';Expression={{[DateTime]::FromFileTime($_.LastLogonTimeStamp)}}
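
The "enumerate all of your DCs and take the maximum value" approach for lastLogon mentioned in the post above, as an added PowerShell example that is not part of the original post. The function name Get-TrueLastLogon and its output property names are hypothetical, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example: resolve a user's last logon by asking every DC for the
# non-replicated lastLogon attribute and keeping the newest value.
# Get-TrueLastLogon is a hypothetical name; requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)] [string] $Identity
    )

    $newest   = [int64]0   # highest FILETIME value seen so far
    $sourceDc = $null      # DC that reported it
    $failed   = @()        # DCs that could not be queried

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                        -Properties lastLogon -ErrorAction Stop
        } catch {
            # A DC that cannot be queried may hold a newer value, so the
            # result is only a lower bound when this list is not empty.
            $failed += $dc.HostName
            continue
        }

        # lastLogon is empty or 0 on a DC that never authenticated this user.
        $value = [int64]($user.lastLogon)
        if ($value -gt $newest) {
            $newest   = $value
            $sourceDc = $dc.HostName
        }
    }

    [pscustomobject]@{
        Identity       = $Identity
        LastLogon      = if ($newest -gt 0) { [DateTime]::FromFileTime($newest) } else { $null }
        ReportedBy     = $sourceDc
        UnreachableDCs = $failed
    }
}

# Same placeholder as in the post; replace with a real account name.
Get-TrueLastLogon -Identity '<USERNAME_HERE>'
```

A non-empty UnreachableDCs list means the reported LastLogon may be older than the real one.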