LastLogon Report for AD LastLogonTimestamp and Exchange OnPremise Attributes

Question

Hi, as I am not that good in writing custom reports I wanted to ask if its possible to get a report that can be configured for different time ranges (30, 60, 90 etc.. days) for showing inactive accounts. There is already a report, but it just involves the LastLogonTimestamp attribute. There are occasions where this is not updated, but the mailbox is still in use.

Could you give me a hint or an custom report for this?

Thank you very much in advance!

Answer 1

Hello,

When a user signs in to the on-premises Exchange mailbox, the lastLogonTimestamp and lastLogon properties of the corresponding on-premises user are updated. The Inactive users built-in report (located in the Reports/All Reports/Users container by default) considers the following properties when determining whether the user is inactive:

• whenCreated
• lastLogonTimestamp
• lastLogon
• pwdLastSet

As such, the Inactive users report takes into account sign-ins to the on-premises Exchange mailboxes.

Comments

Thanks for the feedback, but this seems no to be true. We have many occasions where there is a LastLogon on the Mailbox, but no LastLogonTimestamp in near present or not at all. So I come to the conclusion that this will be updated everytime, too.

Could you maybe create a report that takes both data in - LastLogonTimestamp and Exchange On Premise Mailbox Last Logon ?

Thank you very much!

---

Hello,

The lastLogon and lastLogonTimestamp properties are both used to write the date/time of the latest logon. However, in Active Directory, the properties are updated and replicated differently. For details, have a look at the following Microsoft forum topic: https://learn.microsoft.com/en-us/answers/questions/698776/last-logon-and-lastlogon-timestamp-difference. As we mentioned, the Inactive users built-in report considers values of both properties when determining whether the user is inactive.

---

I think you dont understand what I mean. I dont mean the normal "last logon" attribute. I mean the one that gets shown in the exchange section in the web ui. There is often the point that this is quite new and the lastlogontimestamp is 3 months ago. We had moments where we deleted users and the mailbox was still used. Can you please check if you could give me a report that is checking the Lastlogontimstamp and also included the exchange last logon property that is displayed in the exchange section? Please check the attached screenshots. These are 2 different values. Sometimes the Exchange Last Logon will be quite new and the LastLogontimestamp differs a few months. So I need these 2 values to determine the usage of the account/mailbox.

---

Hello,

Thank you for clarifying. The Last logon date/time displayed in the Exchange properties of a user mailbox does not always reflect the date/time when the mailbox owner accessed the mailbox. The value is updated even when mailbox delegates or administrators access the mailbox. Considering that, please specify what users must be displayed in the report. Specifically, should inactive Active Directory users (lastLogon and lastLogonTimeStamp properties are older than the specified number of days) with active mailboxes (Last logon in Exchange properties is not older than the specified number of days) be displayed in the report?

---

Thanks for the info. Yes you are correct with your last sentence regarding the report. Inactive Active Directory users (lastLogon and lastLogonTimeStamp properties are older than the specified number of days) with active mailboxes (Last logon in Exchange properties is not older than the specified number of days) should be displayed in the report. Thank you very much.

---

Hello,

Thank you for specifying. The approach involves requesting the mailbox Last logon date/time for each user. To get the date/time, the mailbox parameters must be requested. This operation is time-consuming even in on-premises Exchange. Generating the report that requests the mailbox Last logon date/time for each user will take a significant time, making the report useless. As such, we suggest a slightly different approach where the mailbox Last logon date/time is saved to a custom date attribute and then used in the report. To save the mailbox Last logon date/time, create a scheduled task configured for the User object type. The task will check whether the user has an Exchange mailbox. If the condition is met, the below PowerShell script will be executed. The script saves the mailbox Last logon date/time to a custom date attribute whose schema name is specified in the $dateAttributeName variable. Finally, the task configuration should look like this:

$dateAttributeName = "adm-CustomAttributeDate1" #TODO: modify me

# Get last logon date from Exchange
$mailboxParams = $Context.TargetObject.GetMailParameters()
$lastLogonDate = $mailboxParams.UsageInfo.LastLogonDate

if ($lastLogonDate -eq [DateTime]::MinValue)
{
    $lastLogonDate = $NULL
}

# Update the user
$Context.TargetObject.Put($dateAttributeName, $lastLogonDate)
$Context.TargetObject.SetInfo()

Then modify the Inactive users built-in report or copy it and modify the new report. In the report configuration, replace the script used to generate the report with the one below. In the script, the $mailboxLastLogonDatePropertyName variable specifies the schema name of the custom date attribute used to store the mailbox Last logon date/time. Must be the same as the value of the $dateAttributeName variable in the script executed by the scheduled task.

$mailboxLastLogonDatePropertyName = "adm-CustomAttributeDate1" #TODO: modify me

# Get parameter values
$days = $Context.GetParameterValue("param-Days")
$highlight = $Context.GetParameterValue("param-Highlight") -eq "1"

# To highlight users who can log in, we need account options and the account expiration date
if ($highlight)
{
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.AddRange(@(
        "userAccountControl", "accountExpires"))
}

# Set search criteria
$threshold = (Get-Date).AddDays(- $days)
$criteria = New-AdmCriteria "user" {(mailboxType -ne "shared") -and (whenCreated -lt $threshold) -and ((lastLogonTimestamp -empty $True) -or (lastLogonTimestamp -eq "unspecified") -or (lastLogonTimestamp -lt $threshold)) -and ((lastLogon -empty $True) -or (lastLogon -eq "unspecified") -or (lastLogon -lt $threshold)) -and ((pwdLastSet -eq "unspecified") -or (pwdLastSet -lt $threshold))}
$Context.DirectorySearcher.AddCriteria($criteria)

# Build the report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $user = $Context.BindToObjectBySearchResult($searchResult)

        # Check mailbox last logon date
        $mailboxLastLogonDate = $user.GetPropertyValue($mailboxLastLogonDatePropertyName)

        if($mailboxLastLogonDate -ge $threshold)
        {
            continue
        }

        # Check Active Directory and Entra ID for most recent activity
        $inactivityDuration = $user.GetPropertyValue("adm-InactivityDuration")

        if($inactivityDuration -lt $days)
        {
            continue
        }

        # Highlight users who can log in
        $itemStyle = $NULL
        if ($highlight -and
            -not $Context.IsAccountDisabled($searchResult) -and
            -not $Context.IsAccountExpired($searchResult))
        {
            # Create a style for highlighted objects
            if (-not $styleHighlighted)
            {
                $styleHighlighted = $Context.Items.CreateItemStyle($NULL, "#f5f7de",
                    "ADM_LISTITEMFONTSTYLE_REGULAR")
            }
            $itemStyle = $styleHighlighted
        }

        $Context.Items.Add($searchResult, $NULL, $itemStyle)
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}