How to Find Active Directory User’s/Computer’s Last Logon Time?

The Active Directory administrator must periodically find and disable inactive objects in AD. In this article, we will show how to get the last logon time of an AD domain user and find accounts that have been inactive for more than 90 days.

How to Get a User’s Last Logon Time Using ADUC?

You can find out the last logon time for the domain user with the ADUC graphical console (Active Directory Users and Computers).

  1. Run the console dsa.msc;
  2. In the top menu, enable the option View > Advanced Features;
  3. Find the user in the AD tree and open its properties;
  4. Click on the tab Attribute Editor;
  5. In the list of attributes, find lastLogon. This attribute contains the time the user last logged on to the domain.

Note. In the Attribute Editor you can see two similar attributes: lastLogon and lastLogonTimestamp. What’s the difference between them?

  • The lastLogon attribute is updated when the user logs on to the domain. But it changes only on the domain controller that authenticated the user, and it is not replicated to other domain controllers. Therefore, if there are multiple domain controllers in different AD sites, you have to check this attribute on each of them and compare the results. The value of this attribute for the same user can differ between DCs, or even be zero (if the user has never been authenticated by that DC);
  • The lastLogonTimestamp attribute is also updated when the user logs on to a domain controller, and it is replicated to the other DCs. However, it is updated (and therefore replicated) only if the previous value is 14 days or older, so it can lag behind the real last logon by up to two weeks. Therefore, the value of this attribute on a specific DC may not be current.

Find Last Logon Time Using CMD

You can find out the time the user last logged into the domain from the command line using the net or dsquery tools.

Open a command prompt (you don’t need domain administrator privileges to get AD user info), and run the command:

net user administrator /domain| findstr "Last"

You got the user’s last logon time: 08.08.2019 11:14:13.


You can also get the last logon time using dsquery. For example:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=administrator))" -attr distinguishedName lastLogon lastLogonTimestamp -limit 0

The main problem is that the lastLogon and lastLogonTimestamp attributes are stored in AD as 64-bit FILETIME values (the number of 100-nanosecond intervals since January 1, 1601), so you have to convert them to a readable date and time yourself.
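The following helper is an added example and is not part of the original article. It converts the raw FILETIME integer into a DateTime and, unlike a bare [DateTime]::FromFileTime() call, returns $null for the values that do not represent a real logon (a missing attribute or 0 on a DC that never authenticated the user, which FromFileTime would silently turn into 01.01.1601). The sample values and the dc01/dc02 labels are constructed for the demonstration; the live query at the end assumes the ActiveDirectory module is loaded.

```powershell
# Added example, not from the original article. Converts the 64-bit FILETIME
# integer stored in lastLogon / lastLogonTimestamp (100-nanosecond ticks since
# 1 January 1601 UTC) into a DateTime. Returns $null for values that are not a
# real logon instead of the misleading 01.01.1601 that FromFileTime(0) gives.
function ConvertFrom-AdFileTime {
    param(
        [Parameter(ValueFromPipeline)]
        [AllowNull()]
        $FileTime
    )
    process {
        if ($null -eq $FileTime) { return $null }          # attribute not set on this DC
        $ticks = [int64]$FileTime
        if ($ticks -le 0) { return $null }                 # 0: never logged on here
        if ($ticks -eq [int64]::MaxValue) { return $null } # "never" sentinel used by some AD time attributes
        return [DateTime]::FromFileTime($ticks)            # local time, same as the AD module's LastLogonDate
    }
}

# Constructed sample values (not real directory data): the first corresponds to
# 08.08.2019 11:14:13 UTC, the second is what a DC that never saw the user holds.
$sample = [ordered]@{
    'dc01.lastLogon' = 132097364530000000
    'dc02.lastLogon' = 0
}
foreach ($entry in $sample.GetEnumerator()) {
    $when = ConvertFrom-AdFileTime $entry.Value
    if ($when) { '{0}: {1:yyyy-MM-dd HH:mm:ss}' -f $entry.Key, $when }
    else       { '{0}: never' -f $entry.Key }
}

# Live use: the same attributes the dsquery command above returns, read with Get-ADUser
Get-ADUser -Identity administrator -Properties lastLogon, lastLogonTimestamp |
    Select-Object Name,
        @{ N = 'LastLogon';          E = { ConvertFrom-AdFileTime $_.lastLogon } },
        @{ N = 'LastLogonTimestamp'; E = { ConvertFrom-AdFileTime $_.lastLogonTimestamp } }
```

The distinction matters when you compare DCs: a "never" result from one DC is not an old logon, it simply means that DC has not authenticated the user, so it must not be taken as evidence of inactivity on its own.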


You can also use this command to find all users who are inactive, for example, for 10 weeks:

dsquery user domainroot -inactive 10

Find Last Logon Time Using PowerShell

You can also use PowerShell to get the user’s last domain logon time. For this, you need to use the Active Directory module for Windows PowerShell. Install this module and import it into your PowerShell session:

Import-Module ActiveDirectory

To find the last logon time for the domain administrator account, run the command:

Get-ADUser -Identity administrator -Properties LastLogon

The cmdlet returns the time as a raw FILETIME integer. To convert it to a normal date and time, use the following command:

Get-ADUser -Filter {Name -eq "administrator"} -Properties * | Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}}


Using PowerShell, you can display the last logon time for all enabled domain users:

Get-ADUser -filter {enabled -eq $true} -Properties * | Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}}|Sort-Object LastLogon -Descending


Or you can find users who are inactive for more than 90 days:

$date1= (Get-Date).AddDays(-90)

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | ft

After identifying inactive accounts, we recommend you disable those users’ accounts, wait a few weeks, and then delete the accounts if no problems have been reported. You can disable inactive users using the Disable-ADAccount cmdlet:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | Disable-ADAccount

Similarly, you can get the last logon time for computer objects in a domain. The following command will list all computers that have been inactive for more than 90 days:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
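The commands above can be combined into a single reporting function; the one below is an added example, not code from the original article. It covers a case the plain {LastLogonDate -lt $date1} filter misses: accounts that have never logged on at all have no LastLogonDate, so they never match the comparison and stay enabled forever. The function treats those as stale once the account itself is older than the cutoff (using whenCreated), produces the report first, and only disables accounts when -Disable is given, honouring -WhatIf so the change can be rehearsed. The output path is an assumed location; LastLogonDate is derived from the replicated lastLogonTimestamp and may be up to 14 days behind, which is acceptable for a 90-day threshold.

```powershell
# Added example, not from the original article. Finds enabled user (and optionally
# computer) accounts that are inactive for more than -Days, including accounts
# that never logged on and were created before the cutoff.
function Find-StaleAdAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Days = 90,
        [switch]$IncludeComputers,
        [switch]$Disable
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$Days)
    $props  = 'LastLogonDate', 'whenCreated', 'Enabled'

    # Only enabled accounts: disabled ones have already been handled.
    $objects = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties $props)
    if ($IncludeComputers) {
        $objects += Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props
    }

    $stale = foreach ($obj in $objects) {
        $reason = $null
        if ($null -eq $obj.LastLogonDate) {
            # No replicated logon at all: stale only if the account is old enough
            # that a real first logon should have happened by now.
            if ($obj.whenCreated -lt $cutoff) { $reason = 'NeverLoggedOn' }
        }
        elseif ($obj.LastLogonDate -lt $cutoff) {
            $reason = 'Inactive'
        }
        if ($reason) {
            [pscustomobject]@{
                Name          = $obj.Name
                ObjectClass   = $obj.ObjectClass
                LastLogonDate = $obj.LastLogonDate
                Created       = $obj.whenCreated
                Reason        = $reason
                DN            = $obj.DistinguishedName
            }
        }
    }

    if ($Disable) {
        foreach ($s in $stale) {
            # ShouldProcess returns $false under -WhatIf, so nothing is changed then.
            if ($PSCmdlet.ShouldProcess($s.DN, 'Disable-ADAccount')) {
                Disable-ADAccount -Identity $s.DN
            }
        }
    }
    $stale
}

# Report first (assumed output path), then rehearse the disable step with -WhatIf.
Find-StaleAdAccount -Days 90 -IncludeComputers | Sort-Object LastLogonDate |
    Export-Csv -Path 'C:\ps\stale_accounts.csv' -NoTypeInformation
Find-StaleAdAccount -Days 90 -IncludeComputers -Disable -WhatIf
```

Review the CSV before running without -WhatIf: service accounts that authenticate only through mechanisms that do not update lastLogonTimestamp, and freshly created accounts that are waiting for their owner, both show up as stale by this rule and should be excluded deliberately rather than disabled blindly.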

Hint. You can get the detailed user logon history only from the security event logs of domain controllers.

Get Last Logon for User across All Domain Controllers

As we said earlier, if there are several domain controllers in your domain, the lastLogon value on them may differ. If a user has been inactive for more than 14 days, the easiest way is to get the value of the lastLogonTimestamp attribute from any domain controller. However, if you don’t know which site or DC the user was last authenticated on, you will have to query all domain controllers in the AD to get the user’s last logon date.

The following PowerShell script loops through all domain controllers in the domain and gets the value of the lastLogon attribute from each of them. The result is exported to a CSV file:

$userlogonname = 'bjackson'
$csvoutputfile = 'c:\ps\lastlogon_from_all_dcs.csv'
$resultlogonhistory = @()

Import-Module ActiveDirectory

# lastLogon is not replicated, so every DC has to be asked individually
$DCs = (Get-ADDomainController -Filter *).Name
foreach ($DC in $DCs) {
    Try {
        $aduser = Get-ADUser $userlogonname -Server $DC -Properties lastlogon -ErrorAction Stop
        # A lastLogon of 0 on a DC means this DC has never authenticated the user
        $resultlogonhistory += New-Object -TypeName PSObject -Property ([ordered]@{
            'User'      = $userlogonname
            'DC'        = $DC
            'LastLogon' = [datetime]::FromFileTime($aduser.'lastLogon')
        })
    }
    Catch {
        Write-Host "Can't connect DC $($DC)!"
    }
}

$resultlogonhistory | Export-CSV -Path $csvoutputfile -NoTypeInformation -Delimiter "," -Encoding UTF8


If you need to quickly find the maximum user LastLogon value from all DCs, use the following one-liner:

[datetime]::FromFileTime((Get-ADDomainController -Filter * | foreach {Get-ADUser 'bjackson' -Properties LastLogon -Server $_.Name | select LastLogon} | Measure-Object -Property LastLogon -Maximum).Maximum)
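The function below is an added example and not code from the original article. It turns the rule stated at the start of this section into code: when the replicated lastLogonTimestamp is already older than the 14-day sync interval it is precise enough and no DC needs to be contacted; only for a recently active user (or one with no replicated value yet) is the non-replicated lastLogon read from every DC and the most recent value kept. Unlike the one-liner above, it does not abort when a DC is unreachable; it lists those DCs in the result, because with any DC missing the returned time is only a lower bound. The function name, parameter names and the bjackson sample account are assumptions for the demonstration.

```powershell
# Added example, not from the original article. Returns the best available last
# logon time for a user, consulting all DCs only when the replicated value is
# too recent to be trusted.
function Get-AdUserLastLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$ReplicationLagDays = 14     # default lastLogonTimestamp update interval
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $user = Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp
    $replicated = $null
    if ($user.lastLogonTimestamp) {       # $null or 0: no replicated logon yet
        $replicated = [DateTime]::FromFileTime($user.lastLogonTimestamp)
    }

    # Idle longer than the sync interval: the replicated value cannot be stale by more
    # than the interval, so it already answers "inactive for more than 14 days".
    if ($replicated -and $replicated -lt (Get-Date).AddDays(-$ReplicationLagDays)) {
        return [pscustomobject]@{
            User = $SamAccountName; LastLogon = $replicated
            Source = 'lastLogonTimestamp'; DC = $null; UnreachableDCs = @()
        }
    }

    # Recent or missing replicated value: ask each DC for its own lastLogon.
    $best = $replicated; $bestDc = $null; $unreachable = @()
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $raw = (Get-ADUser -Identity $SamAccountName -Server $dc `
                        -Properties lastLogon -ErrorAction Stop).lastLogon
        }
        catch {
            $unreachable += $dc             # result is a lower bound without this DC
            continue
        }
        if (-not $raw) { continue }         # 0 / missing: this DC never authenticated the user
        $t = [DateTime]::FromFileTime($raw)
        if ($null -eq $best -or $t -gt $best) { $best = $t; $bestDc = $dc }
    }

    $source = if ($bestDc) { 'lastLogon' } else { 'lastLogonTimestamp' }
    [pscustomobject]@{
        User = $SamAccountName; LastLogon = $best
        Source = $source; DC = $bestDc; UnreachableDCs = $unreachable
    }
}

Get-AdUserLastLogon -SamAccountName 'bjackson' | Format-List
```

When UnreachableDCs is not empty, treat the result as "no later than" rather than as the true last logon, and repeat the query once those DCs are reachable before acting on the account.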

Cyril Kardashevsky