Get AD User not connected since 90 days

Hi guys, I’m looking to have a Dashboard listing me my AD users non connected since 90 days.
I am filtering on Event ID 4624 (Successfull login) and listening to all my servers. But how could I filter the timestamp to look only for this Event, 3 months ago at least, and not pick up active users ?

I will have some users not connected since 90 days, that’s for sure, but I’ll also get users that succesfully logged in 90 days ago, that are still currently successfully logging in…

Any ideas ?


I assume that would be inactive user/s that are still logged in, Is this correct? if so then…

In MS AD servers “Windows performance counter” that would be…

perf_counter["\Terminal Services\Inactive Sessions"]

Active users ;

perf_counter["\Terminal Services\Active Sessions"]

What I use is the following, but you might be able to work around it.

sum(//perf_counter["\Terminal Services\Active Sessions"],86400s)

You might be able to hack it to send date/time when the user logged in with how many days.

Added Info:

Couple suggestions.

1.Easiest way would be to create a GPO in this environment that will logout a user in → hour, day, 30 days. Done

2.Graylog can monitor the AccountName + Source field and find out who and where this user is still logged in.


You can see the user (i.e., greg.smith) and what device Im still logged into. .Basically if you monitoring the dashboard and the session count is really high. I would imagine then you know someone or something is still logged in and what device they are sstill logged on. just an idea

3.You can get some metrics but the widget requirs a calulation from the time the user Logged on /w count the only way I know of is using something like Zabbix and/or Grafana.

Maybe someone else here has a better idea, that all i have for ya. Hope that helps.

Hi Greg, thanks for replying.
That’s not what I meant…

I am looking to list all the users that haven’t logged in to any server since 90 days.
Inactive Sessions are something else here…

That’s why my 1st idea was to get all the Event ID 4264, select the TargetUserName, and the timestamp, and try to filter something like “if the TargetUserName has the Event ID 4264 within 90 days then do not list it, and IF NOT list it”…

That’s a mess lol

I’ve been thinking about this quite a bit and haven’t come up with something workable. It seems like the last logon time has to be saved somewhere else, or a full list of users and last logon times must be imported from the application (active directory?) on a regular basis to make the comparison.

If you do find a solution, please consider posting it.

Hey @hebval

For a list of user/s you would need a powershell script > 90days.txt file . Then send it over to Graylog. Im assuming this would be MS AD environement.


import-module activedirectory
$90Days = (get-date).adddays(-90)
Get-ADUser -properties * -filter {(lastlogondate -notlike "*" -OR lastlogondate -le $90days) -AND (passwordlastset -le $90days) -AND (enabled -eq $True) -and (PasswordNeverExpires -eq $false) -and (whencreated -le $90days)} | select-object name, SAMaccountname, passwordExpired, PasswordNeverExpires, logoncount, whenCreated, lastlogondate, PasswordLastSet, lastlogontimestamp | export-csv c:\Scirpts\90days.txt

Found that here

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.