How To Find A User's Last Logon Time - Active Directory Pro

In this article, I’ll show you how to accurately get the last logon date in Active Directory for users or computers. The Active Directory last logon date is often needed for security audits and to track when a user last logged on to their computer or network.

In this article:

  • LastLogon vs LastLogonTimeStamp vs LastLogonDate
  • Find Last Logon in Active Directory
  • Option 1. Last Logon Date Report using AD Pro Toolkit
  • Option 2. Last Logon Date Report using PowerShell

LastLogon vs LastLogonTimeStamp vs LastLogonDate

It’s important to understand the difference between the logon attributes as they are used for different reasons. When using PowerShell you will see three different lastlogon properties.


LastLogon

When a user authenticates to the network this attribute is updated on the domain controller that performs the authentication and is not replicated.

When to use? Use the LastLogon attribute to get an accurate report of a user’s last logon. The problem is that you need to get the LastLogon attribute from each domain controller to show the real last logon date. The AD Pro Toolkit does this automatically; see the examples below.

LastLogonTimeStamp

The LastLogonTimeStamp attribute also records the timestamp of when a user logs onto their computer or network. This attribute is replicated to all domain controllers but it has a delay (9-14 days behind the current date).

When to use? The LastLogonTimeStamp attribute should be used to find stale accounts in Active Directory. Due to the delayed timestamp value, this attribute is not intended for creating last logon reports.

LastLogonDate

LastLogonDate is not an attribute; it’s the calculated value of LastLogonTimeStamp when using PowerShell.

When to use? Use LastLogonDate when using PowerShell and you want an easy-to-read format of the LastLogonTimeStamp.

How to Find Last Logon and LastLogonTimeStamp in Active Directory

Step 1. Open Active Directory Users and Computers

Step 2. Browse and open a user account

Step 3. Click on the attribute editor tab

Step 4. Scroll down to view the lastLogon and LastLogonTimeStamp attributes

Option 1. Last Logon Date Report using AD Pro Toolkit

In this example, I’ll get the last logon date for all users using the AD Pro Toolkit.

You can download a trial of this tool and try the report for free.

Step 1. Click on “Logon Reports” then click “True Last Logon Report”.

Step 2. Click “Run” to get the last logon date for all users or click “Browse” to select an OU or group.

Step 3. Optionally, you can click the “Time” button to change the time range.

Step 4. Click “Run” to start the report.

Step 5. Click “Export” to export the report to CSV, Excel, or PDF.

Note: If you have a lot of users and multiple domain controllers this report can take several minutes to complete.

Below is an example Last Logon Report from the toolkit. You can click “Export” and save to CSV, Excel, or PDF file.

You can see in the screenshot above the tool returns the user’s name, account name, domain controller name, and the last logon date. You can click on any column to sort the results in ascending or descending order.

The AD last logon Reporter eliminates all the manual work of checking the lastlogon attribute for all users across all domain controllers. It would be very time consuming and difficult to return the real last logon time without this tool.

Our Active Directory Reporting Tool includes over 200 built-in reports.

Option 2. Last Logon Date Report using PowerShell

In this example, I’ll use PowerShell to get the last logon date for all users in Active Directory.

Tip: Keep in mind that to get the TRUE last logon date with PowerShell, you would need to run the script on all domain controllers, as the value is not replicated. The AD Pro Toolkit automatically gets the real last logon date and time from all domain controllers.

Step 1: Log into a Domain Controller

If you don’t run this from a DC, you may need to import the Active Directory PowerShell modules.

Step 2: Use Get-ADUser PowerShell cmdlet

Open PowerShell and use the command below to get the LastLogonDate for all domain users.

Get-ADUser -filter * -Properties "LastLogonDate" | select name, LastLogonDate

You should get similar results to the screenshot below.

The above example gets the last logon date for all users. For a single user, run the command below.

Get-ADUser -identity robert.allen -Properties "LastLogonDate" | select name, LastLogonDate

If you add the lastlogon attribute to the command, you may notice the value is blank for some users. This is because lastlogon is not replicated and the user may have never authenticated against the DC.

Get-ADUser -filter * -Properties LastLogonDate,lastlogon | select name, lastlogon,LastLogonDate

To accurately track user logins with Active Directory you would need to run the above commands on all domain controllers and display the most recent last logon value.
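
The per-domain-controller comparison described above can be scripted. The following is an added example, not code from the original article or from the AD Pro Toolkit; the function name Get-TrueLastLogon is hypothetical, and it assumes the ActiveDirectory PowerShell module is installed and the domain controllers are reachable from where you run it.

```powershell
# Added example: a user's true last logon is the newest lastLogon value held by any DC.
Import-Module ActiveDirectory

function Get-TrueLastLogon {            # hypothetical helper name
    param(
        [string]$Filter = '*',          # Get-ADUser filter; '*' = all users
        [string[]]$Server               # DCs to query; defaults to every DC in the domain
    )
    if (-not $Server) {
        $Server = (Get-ADDomainController -Filter *).HostName
    }

    $latest = @{}                       # sAMAccountName -> newest record seen so far
    foreach ($dc in $Server) {
        try {
            $users = Get-ADUser -Filter $Filter -Properties lastLogon -Server $dc -ErrorAction Stop
        } catch {
            # A skipped DC means the reported date may be older than the real one.
            Write-Warning "Skipping ${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($u in $users) {
            $ticks = [int64]$u.lastLogon            # blank (never logged on at this DC) becomes 0
            $seen  = $latest[$u.SamAccountName]
            if (-not $seen -or $ticks -gt $seen.Ticks) {
                $latest[$u.SamAccountName] = [pscustomobject]@{
                    Name = $u.Name; SamAccountName = $u.SamAccountName
                    Ticks = $ticks; DomainController = $dc
                }
            }
        }
    }

    foreach ($r in $latest.Values) {
        [pscustomobject]@{
            Name             = $r.Name
            SamAccountName   = $r.SamAccountName
            # lastLogon is a FILETIME (100 ns intervals since 1601-01-01 UTC); 0 = never
            LastLogon        = if ($r.Ticks -gt 0) { [DateTime]::FromFileTime($r.Ticks) } else { $null }
            DomainController = if ($r.Ticks -gt 0) { $r.DomainController } else { $null }
        }
    }
}

Get-TrueLastLogon | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

If a warning is printed for any domain controller, treat the dates in that run as a lower bound, since the skipped DC may hold a newer lastLogon value.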

Get Last Logon 30 days

To get users that have logged on in the last 30 days, click the “Time” button and select “Last 30 Days”.

Summary

In this guide, I walked through three methods on how to get the Active Directory Last Logon for domain user accounts.

It is important to review the last logon date for user accounts on a monthly basis to find stale user accounts. This can also be used to check the last time a user authenticated to the network. The PowerShell Get-ADUser cmdlet works great to get a user’s last logon details from a single domain controller. To automatically collect the last logon details from all domain controllers, I recommend the AD Pro Toolkit.

If you have questions or comments, please leave a comment below.
