Verifying remote VPN users are authenticating with the domain
One daunting task is verifying that remote VPN users are authenticating with the domain. Since you can only set a maximum of 50 cached logons via group policy (GPO), you may want to proactively monitor your user logons to prevent possible future headaches for both you and your users. You could go into AD Users and Computers and manually check the Attribute Editor, but this is time-consuming, especially if you have hundreds to thousands of users like in the image below.
The script below starts by importing the ActiveDirectory (AD) PowerShell module in case it is not already loaded in your session.
```powershell
Import-Module ActiveDirectory

function Get-ADUsersLastLogon() {
    # lastLogon is not replicated between domain controllers,
    # so every DC is queried and the newest value per user is kept.
    $dcs = Get-ADDomainController -Filter {Name -like "*"}
    $users = Get-ADUser -Filter *
    $time = 0
    $exportFilePath = "c:\lastLogonTemp.csv"
    $columns = "name,username,datetime"
    Out-File -filepath $exportFilePath -force -InputObject $columns

    foreach($user in $users) {
        foreach($dc in $dcs) {
            $hostname = $dc.HostName
            $currentUser = Get-ADUser $user.SamAccountName | Get-ADObject -Server $hostname -Properties lastLogon
            if($currentUser.LastLogon -gt $time) {
                $time = $currentUser.LastLogon
            }
        }
        # Convert the FILETIME value to a local DateTime (0 means no logon recorded).
        $dt = [DateTime]::FromFileTime($time)
        # Quote the display name so a comma in it does not shift the columns.
        $row = '"'+$user.Name+'",'+$user.SamAccountName+","+$dt
        Out-File -filepath $exportFilePath -append -noclobber -InputObject $row
        $time = 0
    }

    # Rewrite the temp file as a clean CSV once, after all users are collected.
    Import-Csv $exportFilePath | Export-Csv c:\lastLogon.csv -NoTypeInformation
}

Get-ADUsersLastLogon
del c:\lastLogonTemp.csv
```
I came across the original post that I based my PowerShell script above on HERE
This will create a CSV file that has the information formatted into columns for easier sorting. You will also notice that unused accounts will report 12/31/1600 as their date. In a later post I'll go into automating this method of verifying that remote VPN users are authenticating with the domain and automatically emailing yourself a list of users who have not been authenticating to the domain. This will come in handy if someone leaves without notice or has done something to their machine that is interfering with properly authenticating and communicating with the domain.
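As an added example (not part of the original post or the author's follow-up), the sketch below reads rows in the CSV layout described above and flags accounts that have never logged on or have not authenticated recently. The function name `Get-StaleLogon`, its parameters, the 30-day threshold and the sample rows are assumptions made for illustration.

```powershell
# Added example: classify rows of the name,username,datetime CSV.
# Function name, parameters and the 30-day default are hypothetical.
function Get-StaleLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # objects with name, username, datetime
        [int] $MaxAgeDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $inv = [Globalization.CultureInfo]::InvariantCulture
    foreach ($row in $Rows) {
        # String concatenation in the export script formats the date with
        # the invariant culture (MM/dd/yyyy HH:mm:ss), so parse it the same way.
        $last = [datetime]::Parse($row.datetime, $inv)

        # lastLogon = 0 is 1601-01-01 UTC, which shows as 12/31/1600 or
        # 01/01/1601 in local time depending on the UTC offset.
        if ($last.Year -le 1601) {
            $status = 'NeverLoggedOn'; $age = $null
        } else {
            $age = [int][math]::Floor(($Now - $last).TotalDays)
            $status = if ($age -gt $MaxAgeDays) { 'Stale' } else { 'Current' }
        }
        if ($status -ne 'Current') {
            [pscustomobject]@{
                Name = $row.name; Username = $row.username
                LastLogon = $last; AgeDays = $age; Status = $status
            }
        }
    }
}

# Constructed sample rows in the script's column layout (not real accounts).
$sample = @'
name,username,datetime
Alice Example,aexample,03/02/2024 08:15:42
Bob Example,bexample,11/20/2023 17:03:10
Service Test,svctest,12/31/1600 19:00:00
'@ | ConvertFrom-Csv

Get-StaleLogon -Rows $sample -MaxAgeDays 30 -Now ([datetime]'2024-03-10') |
    Sort-Object Status, AgeDays | Format-Table -AutoSize
```

Against real output, replace `$sample` with `Import-Csv c:\lastLogon.csv`. Matching on the year rather than the literal 12/31/1600 string keeps the never-logged-on check correct on machines east of UTC, where the zero value renders as 01/01/1601.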