How to see the last time a user used Directory Update

Directory Update has an auditing feature available that will stamp the last update date/time to extensionAttribute11. This is enabled in the Directory Update AppSettings.XML file. Look for this line in the file:

<auditingAttribute 
  enabled="true" 
  attribute="extensionAttribute11" 
  showUserLastUpdate="true" 
  text="Your last update was" />

This is configurable and you can change to a different attribute if you prefer.

So, what would you do if you wanted a report from Active Directory of all users who have (or have not) used Directory Update recently? The PowerShell extensions for Active Directory make this simple.

To run this script, you will need the Windows 2012 or later Active Directory administration tools installed on your server or workstation. The script writes its output to C:\temp, so if you do not have a folder called C:\temp, create one.

Next, open Notepad or Notepad++ and create a new file in the C:\temp folder called Get-DirUpdateUsage.ps1. This script will look at *all* users and create a CSV file of users whose extensionAttribute11 field is empty. Here is the script:

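# Load the Active Directory cmdlets
Import-Module ActiveDirectory
# Find users whose extensionAttribute11 has never been stamped (request only the properties the report needs)
$users = Get-ADUser -Filter {extensionAttribute11 -notlike "*"} -Properties DisplayName,Department,OfficePhone,Manager,mail,extensionAttribute11
# Write the report to C:\temp
$users | Select-Object DisplayName,Department,OfficePhone,Manager,mail,extensionAttribute11 | Export-Csv C:\temp\DirectoryUpdateNotUsed.CSV -NoTypeInformation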

This script will create a CSV file called DirectoryUpdateNotUsed.CSV in the C:\temp folder listing all users who have not used Directory Update. The report covers every account in Active Directory, including service and administrator accounts.

Want to look at the opposite set of information? Who *has* answered their security questions? Simply change the query parameter -notlike to just -like to see all users that do have something in the extension attribute. Like this:

{extensionAttribute11 -like "*"}
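
Because the auditing attribute is configurable, a report script can read its name from AppSettings.XML instead of hard-coding extensionAttribute11. The following is an added example, not part of the original article or the vendor's code; it produces both reports in one pass and skips disabled accounts. The $AppSettingsPath, $SearchBase and $OutDir parameters are assumptions you supply for your own environment.

```powershell
# Added example (not vendor code). Parameter names and paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $AppSettingsPath,  # full path to the Directory Update AppSettings.XML
    [string] $SearchBase,                               # optional OU to limit the report to (assumption)
    [string] $OutDir = 'C:\temp'
)
Import-Module ActiveDirectory

# Locate the <auditingAttribute> element wherever it sits in the file.
[xml]$settings = Get-Content -LiteralPath $AppSettingsPath -Raw
$node = $settings.SelectSingleNode("//*[local-name()='auditingAttribute']")
if (-not $node) { throw "No <auditingAttribute> element found in $AppSettingsPath" }
if ($node.GetAttribute('enabled') -ne 'true') {
    throw 'Auditing is not enabled, so the attribute is not being stamped.'
}

# The name goes into an LDAP filter, so accept only a plain attribute name.
$attr = $node.GetAttribute('attribute')
if ($attr -notmatch '^[A-Za-z][A-Za-z0-9-]*$') { throw "Unexpected attribute name '$attr'" }

# Enabled user accounts only: the bitwise-AND matching rule tests the ACCOUNTDISABLE flag (2).
$enabledUser = '(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
$queries = @{
    DirectoryUpdateUsed    = "(&${enabledUser}(${attr}=*))"      # attribute has a value
    DirectoryUpdateNotUsed = "(&${enabledUser}(!(${attr}=*)))"   # attribute was never stamped
}

$props  = 'DisplayName', 'Department', 'OfficePhone', 'Manager', 'mail', $attr
$common = @{ Properties = $props }
if ($SearchBase) { $common.SearchBase = $SearchBase }

foreach ($name in $queries.Keys) {
    $csv = Join-Path $OutDir "$name.csv"
    Get-ADUser @common -LDAPFilter $queries[$name] |
        Select-Object $props |
        Export-Csv -Path $csv -NoTypeInformation
    Write-Host "Wrote $csv"
}
```

Passing -SearchBase with the OU that holds your staff accounts keeps service and administrator accounts stored elsewhere out of the report.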