Date/Time User Properties

One of the enhancements of the 1.0.5 release is more attributes being exposed in their native formats. For example, AD cmdlets automatically convert the properties which should be date/time to the DateTime time so you don’t have to worry about the conversions and can just work with them.

Let’s see which Date/Time attributes my account has:

Get-QADUser "Dmitry Sotnikov" -IncludeAllProperties | Get-Member -MemberType NoteProperty | where {$_.Definition -like "*DateTime*" } | Format-List Name, Definition

Name : accountExpires
Definition : System.DateTime accountExpires=12/31/9999 11:59:59 PM

Name : badPasswordTime
Definition : System.DateTime badPasswordTime=10/29/2007 1:22:06 PM

Name : createTimeStamp
Definition : System.DateTime createTimeStamp=6/16/2004 3:59:22 PM

Name : lastLogoff
Definition : System.DateTime lastLogoff=1/1/1601 12:00:00 AM

Name : lastLogon
Definition : System.DateTime lastLogon=10/30/2007 12:04:22 PM

Name : lockoutTime
Definition : System.DateTime lockoutTime=1/1/1601 12:00:00 AM

Name : modifyTimeStamp
Definition : System.DateTime modifyTimeStamp=10/29/2007 12:20:24 AM

Name : pwdLastSet
Definition : System.DateTime pwdLastSet=8/27/2007 4:09:54 PM

Name : whenChanged
Definition : System.DateTime whenChanged=10/29/2007 12:20:24 AM

Name : whenCreated
Definition : System.DateTime whenCreated=6/16/2004 3:59:22 PM

Let’s see what I was doing in the command above:

  1. I retrieved my user object using Get-QADUser and supplying the name.
  2. Used –IncludeAllProperties to make the cmdlet retrieve all AD attributes and not just the default set (which would not have: createTimeStamp and modifyTimeStamp).
  3. Used Get-Member and Where to only leave Property members of the DateTime type.
  4. Formatted the output as a list with the names and definitions (type and value).

Note that you can operate DateTime values for filtering too.

For example, to see a list of accounts which never logged on this year you would do:

$threshold = (Get-Date).AddYears(-1)
Get-QADUser -IncludedProperties lastLogonTimestamp | where { $_.lastLogonTimestamp -le $threshold }

Pretty straight-forward, right? 😉


  • To have lastLogonTimestamp replicated between DCs the domain should be in Windows 2003 mode.
  • If your domain is still in Windows 2000 mode, you have to query for lastLogon from each DC (for every user), as lastLogon is a non-replicated attribute.
  • lastLogonTimestamp is updated each 14 days by default (in reality it is more often):

Tags: , , , , , ,


2 Responses to “Date/Time User Properties”

  1. 1 James July 8, 2011 at 3:51 pm

    Get-QADUser is not a PowerShell command!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

October 2007
« Sep   Nov »

%d bloggers like this: