How To Find Active Directory User's/Computer's Last Logon Time?

The last time a user or computer logged on to a domain is stored in the attributes of the corresponding Active Directory object. An administrator can use several tools to find the last logon time for AD user or computer accounts.

Contents

  • How to Check the User/Computer Last Logon Date in Active Directory
  • Use the ADUC snap-in to check the last time a user or computer logged on
  • Get the Last Logon Date and Time of an AD User or Computer using PowerShell
    • Find 90+ days inactive users and computers
    • Query all DCs in AD with PowerShell script

How to Check the User/Computer Last Logon Date in Active Directory

When a user or computer logs on to a domain, the logon time is written to the lastLogon and lastLogonTimestamp attributes of the corresponding AD object. What are the differences between these attributes?

  • The lastLogon attribute value is updated when the account interactively logs on to AD on the domain controller used for authentication (%logonserver%). It is not replicated between domain controllers, meaning each domain controller may have a different value for this attribute.
  • The lastLogonTimestamp attribute is an analogue of the lastLogon attribute, but unlike lastLogon, it is replicated to other domain controllers in AD. To minimize replication traffic in AD, its value is not updated on every logon, so the replicated value can lag by up to 14 days.

This means that to get real-time information about when an account last logged into AD, you must get the lastLogon attribute value. However, this requires you to query all the domain controllers in the forest.

If a tolerance of ±19 days is acceptable to you, then you can simply get the lastLogonTimestamp from the nearest domain controller. Therefore, in most cases, the lastLogonTimestamp attribute is used to determine the user’s last logon time, providing a somewhat outdated but consistent latest logon activity across all domain controllers.

Use the ADUC snap-in to check the last time a user or computer logged on

You can use the Active Directory Users and Computers (ADUC) snap-in (requires RSAT installation) to check the last time a user or computer logged on.

  1. Press WIN+R and run dsa.msc to open the ADUC console.
  2. Click View → Advanced Features. This step enables the Attribute Editor tab in ADUC.
  3. Locate the user or computer and open its properties.
  4. Go to the Attribute Editor tab and find the lastLogon and lastLogonTimestamp attributes.

Get the Last Logon Date and Time of an AD User or Computer using PowerShell

It is more convenient to use PowerShell to get the user’s last domain logon time. For that, use the Get-ADUser cmdlet from the PowerShell Active Directory module.

For example, to find out the last logon time of a specific domain user account:

Get-ADUser -Identity ebrown -Properties LastLogon, LastLogonTimestamp

To convert the lastLogon value from timestamp format to a human-readable date, use the following command:

Get-ADUser -Identity ebrown -Properties LastLogon, LastLogonTimestamp | Select-Object SamAccountName, Name, @{n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogon) } }, @{n = 'LastLogonTimeStamp'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

To view the last logon time for a domain computer, change the cmdlet to Get-ADComputer.

Get-ADComputer -Identity DB1 -Properties LastLogonTimestamp | Select-Object SamAccountName, Name, @{n = 'LastLogonTimeStamp'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

Note. The lastlogontimestamp value will be empty if the user or computer has never logged on to the AD domain. The LastLogon value for such an account is always 12/31/1600 4:00:00 PM.

Find 90+ days inactive users and computers

To find inactive users and computers that have not logged on to a domain for more than 90 days, use the following PowerShell pipeline:

$oldest = (Get-Date).AddDays(-90)
Get-ADUser -Filter { LastLogonTimeStamp -lt $oldest } -Properties LastLogonTimestamp | Select-Object SamAccountName, Name, @{n = 'LastLogonTimeStamp'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

To get the same information for domain computers, replace the Get-ADUser cmdlet with the Get-ADComputer cmdlet.

Get-ADComputer -Filter { LastLogonTimeStamp -lt $oldest } -Properties LastLogonTimestamp | Select-Object SamAccountName, Name, @{n = 'LastLogonTimeStamp'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
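
The -lt filter above does not return accounts that have never logged on, because their lastLogonTimestamp is empty (see the note above). The following is an added example, not part of the original article, that reports enabled users that are either stale or have never logged on. The 90-day threshold, the use of whenCreated to skip recently created accounts, and the Status column are assumptions made for this illustration.

```powershell
Import-Module ActiveDirectory

$days   = 90                                # assumed inactivity threshold
$cutoff = (Get-Date).AddDays(-$days)
$cutoffFileTime = $cutoff.ToFileTime()      # lastLogonTimestamp is stored as a FILETIME integer

# LDAP filter: account is not disabled (userAccountControl bit 2 is clear) AND
# lastLogonTimestamp is older than the cutoff OR the attribute is not set at all
$ldap = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(|(lastLogonTimestamp<=$cutoffFileTime)(!(lastLogonTimestamp=*))))"

Get-ADUser -LDAPFilter $ldap -Properties lastLogonTimestamp, whenCreated |
    # Skip accounts created inside the window: they may simply not have been used yet
    Where-Object { $_.whenCreated -lt $cutoff } |
    Select-Object SamAccountName, Name, whenCreated,
        @{n = 'LastLogonTimeStamp'; e = {
            # Empty attribute means the account has never logged on; do not convert it
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
        } },
        @{n = 'Status'; e = {
            if ($_.lastLogonTimestamp) { 'Stale' } else { 'NeverLoggedOn' }
        } } |
    Sort-Object Status, SamAccountName
```

Replace Get-ADUser with Get-ADComputer to produce the same report for computer accounts.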

Query all DCs in AD with PowerShell script

To query all the DCs in AD to get the current LastLogon value for a specific account, use the following PowerShell script. Copy the script below and save it as Get-ADUserLastLogOnTime.ps1 on your computer. You can also download this script from this Gist.

# Get-ADUserLastLogOnTime.ps1
[CmdletBinding()]
param (
    [Parameter()]
    [String]
    $LogonName
)

Import-Module ActiveDirectory

# Names of all domain controllers in the current domain
$DCs = (Get-ADDomainController -Filter *).Name
$result = New-Object System.Collections.Generic.List[object]

foreach ($dc in $DCs) {
    # "Querying DC: [$($dc)]" | Out-Default
    try {
        # lastLogon is not replicated, so read it from each DC in turn
        if ($aduser = Get-ADUser $LogonName -Server $dc -Properties lastlogon -ErrorAction Stop) {
            $result.Add(
                ($aduser | Select-Object SamAccountName, Name,
                    @{n = 'DC'; e = { $dc } },
                    @{n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogon) } })
            )
        }
    }
    catch {
        # Report the error for this DC and continue with the next one
        $_.Exception.Message | Out-Default
    }
}

return $result

This PowerShell script retrieves the last logon (lastLogon) of an Active Directory (AD) user account from all domain controllers. It accepts a parameter, $LogonName, which should be the username (SamAccountName) of the user for whom you want to retrieve the last logon time.

.\Get-ADUserLastLogOnTime.ps1 -LogonName USERNAME
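
The script above lists one lastLogon value per domain controller; the actual last logon is the most recent of them. The following is an added example, not part of the original article or its Gist, that reduces the per-DC values to a single result for one or more accounts. The function name Get-LatestLogon and its output columns are hypothetical names chosen for this illustration.

```powershell
Import-Module ActiveDirectory

function Get-LatestLogon {          # hypothetical helper name
    param (
        [Parameter(Mandatory)]
        [string[]] $LogonName
    )

    $DCs = (Get-ADDomainController -Filter *).Name

    foreach ($name in $LogonName) {
        $latest   = [long]0         # newest FILETIME value seen so far
        $sourceDC = $null           # DC that holds the newest value
        $failed   = @()             # DCs where the lookup failed for any reason

        foreach ($dc in $DCs) {
            try {
                $u = Get-ADUser $name -Server $dc -Properties lastLogon -ErrorAction Stop
                # lastLogon is empty or 0 on a DC that never authenticated this account
                if ($u.lastLogon -gt $latest) {
                    $latest   = $u.lastLogon
                    $sourceDC = $dc
                }
            }
            catch {
                # Without this DC the result may be older than the real last logon
                $failed += $dc
            }
        }

        [pscustomobject]@{
            SamAccountName = $name
            # Leave LastLogon empty instead of showing the year-1600 date
            LastLogon      = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
            SourceDC       = $sourceDC
            FailedDCs      = $failed -join ', '
        }
    }
}

Get-LatestLogon -LogonName ebrown
```

A non-empty FailedDCs column means the value shown is a lower bound, because a DC that could not be queried may hold a more recent logon.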

Hint. You can also use the built-in NET USER command to quickly find a domain user’s last logon time:

net user ebrown /domain | findstr "Last"