Managing a network of users and computers in an enterprise environment can be challenging. One crucial aspect of network management is tracking when users or computers last logged in. This information is vital for security, troubleshooting, and resource allocation.
This blog post will explore various methods to find the last logon time for Active Directory users and computers.
What is the Last Logon Time Source?
In Active Directory, two attributes are primary sources of last logon time information for user or computer accounts:
- lastLogon: This attribute records the last time a user logged onto the domain from any computer. It is not replicated between domain controllers, meaning each domain controller may have a different value for this attribute. This situation can make it challenging to accurately determine the actual last logon time, especially in multi-domain environments.
- lastLogonTimestamp: This attribute was introduced to address the challenges associated with the “lastLogon” attribute. It is replicated between domain controllers, making it a more reliable source of last logon information. However, there is a catch: the “lastLogonTimestamp” attribute is not updated in real time. Instead, it is updated only every 14 days (by default), providing a somewhat outdated but consistent value across all domain controllers. This delay in updates is there to reduce replication traffic.
To get the most accurate last logon time for a user account in Active Directory, you would typically use the “lastLogonTimestamp” attribute. Because of the update delay, it might not always reflect the very latest logon activity. Still, it offers a reasonable compromise between accuracy and efficiency.
When using PowerShell or other methods to query last logon times, it’s a good practice to use the “lastLogonTimestamp” attribute for its reliability unless you have specific reasons to use the “lastLogon” attribute.
Alternative logon time-related attributes were introduced in Windows Server 2008 (AD Schema objectVersion=44). These are:
- msDS-LastFailedInteractiveLogonTime — time of the last failed interactive login attempt.
- msDS-LastSuccessfulInteractiveLogonTime — the time of the last successful interactive login attempt.
However, these attributes are not enabled by default because they can place a heavy replication burden on Active Directory, so enabling them requires careful planning. Also, they only track interactive logon attempts.
So, in the interest of this tutorial, we’ll stick with the lastLogon and lastLogonTimestamp attributes.
Finding Last Logon Time in ADUC
The Active Directory Users and Computers (ADUC) snap-in could be your first bet if you’re checking a few computers or users’ last logon time. ADUC is available on domain controllers and computers with the Remote Server Administration Tools (RSAT).
- Open the Active Directory Users and Computers console. Press WIN+R and run dsa.msc.
- Click View → Advanced Features. This step enables the advanced features, including the Attribute Editor tab.
- Locate the user or computer and open its properties.
- Go to the Attribute Editor tab and find the lastLogon and lastLogonTimestamp attributes.
Finding Last Logon Time using NET USER
The net user command is a quick and straightforward option when checking the last logon time for a domain or local user. Here’s how you can use it:
To get started, open Command Prompt with administrative privileges.
Once the Command Prompt is open, run the following net user commands depending on whether you’re querying a local or domain user.
For example, if you’re interested in the domain user account named “ebrown,” you would run:
net user ebrown /domain | findstr "Last"
If you’re checking a local user account, remove the /domain switch.
net user june | findstr "Last"
Finding Last Logon Time using DSQUERY
Another method to find the last logon time is by using DSQUERY. With it, you query the domain and return selected attributes, including lastLogon and lastLogonTimestamp.
For example, this command shows the last logon time for the user ebrown.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=ebrown))" -attr distinguishedName lastLogon lastLogonTimestamp -limit 0
Or, if you want to list all users, run this command instead.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr sAMAccountName lastLogon lastLogonTimestamp -limit 0
The limitation of this method is that the lastLogon and lastLogonTimestamp values are shown as raw FileTime integers. You must do further processing to convert them to a regular date and time format.
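The following is an added example, not code from the original post. It converts the raw FileTime numbers that dsquery (and the AD module) return into dates, treating 0 as "never logged on" rather than as 1 January 1601, and it turns the 14-day update interval of lastLogonTimestamp described earlier into a concrete bound on when the real last logon can have happened. The function names are this example's own, and the dsquery output it parses is constructed rather than captured from a domain.

```powershell
# Added example (not from the original post). Function names are this example's own.

function ConvertFrom-ADFileTime {
    # AD stores lastLogon/lastLogonTimestamp as 100-nanosecond ticks since 1601-01-01 UTC.
    # A value of 0 (or no value) means the account never logged on; it is not a real date.
    param([AllowNull()][Int64]$FileTime)
    if ($FileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-LastLogonWindow {
    # lastLogonTimestamp is only rewritten at logon when the stored value is already
    # older than 14 days (less a random 0-5 days). A stored value T therefore means:
    # the account logged on at T, any later logon within 14 days of T may have gone
    # unrecorded, and a logon more than 14 days after T would have updated it. So the
    # real last logon lies in [T, T + 14 days], capped at the current time. Reading a
    # DC that has not yet received the latest replication can widen this further.
    param([Parameter(Mandatory)][DateTime]$LastLogonTimestamp,
          [DateTime]$Now = [DateTime]::UtcNow)
    $latest = $LastLogonTimestamp.AddDays(14)
    if ($latest -gt $Now) { $latest = $Now }
    [PSCustomObject]@{
        EarliestPossible = $LastLogonTimestamp
        LatestPossible   = $latest
    }
}

# Constructed stand-in for the output of the "dsquery ... -attr sAMAccountName lastLogon
# lastLogonTimestamp" command above (header line, then one row per account).
# 133485408000000000 is 2024-01-01 00:00 UTC; 133494048000000000 is ten days later.
$dsqueryOutput = @'
  sAMAccountName  lastLogon           lastLogonTimestamp
  ebrown          133494048000000000  133485408000000000
  svc-backup      0                   0
'@

# Fixed "now" so the constructed sample evaluates the same way every time it is run
$asOf = [DateTime]::new(2024, 3, 1, 0, 0, 0, [DateTimeKind]::Utc)

$dsqueryOutput -split "`r?`n" | Select-Object -Skip 1 | ForEach-Object {
    $fields = $_.Trim() -split '\s+'
    $lastLogon          = ConvertFrom-ADFileTime $fields[1]
    $lastLogonTimestamp = ConvertFrom-ADFileTime $fields[2]
    if ($null -eq $lastLogonTimestamp) {
        "{0}: never logged on" -f $fields[0]
    }
    else {
        $w = Get-LastLogonWindow -LastLogonTimestamp $lastLogonTimestamp -Now $asOf
        $msg = "{0}: lastLogon on the queried DC {1:u}; real last logon between {2:u} and {3:u}"
        $msg -f $fields[0], $lastLogon, $w.EarliestPossible, $w.LatestPossible
    }
}
```

For the constructed ebrown row the window derived from lastLogonTimestamp contains the lastLogon value the same DC reports, which is the consistency check a practitioner would expect; if it ever did not, the DC being queried is behind on replication or its clock is off. Any inactivity threshold built on lastLogonTimestamp has to be longer than the 14-day window, or active accounts will be reported as idle.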
Finding Last Logon Time using Active Directory PowerShell
You can also use PowerShell to get the user’s last domain logon time. For this, you need to use the PowerShell Active Directory module. Install this module and import it into your PowerShell session:
Import-Module ActiveDirectory
Find the Last Logon Time of an AD User or Computer
To find the last logon time of a domain user account, run the command:
Get-ADUser -Identity ebrown -Properties LastLogon, LastLogonTimestamp
As you can see, the result shows the timestamp format is not easily understandable because it is in a file time format. To make it readable, let’s convert the timestamp format on the fly like so:
Get-ADUser -Identity ebrown -Properties LastLogon, LastLogonTimestamp |
Select-Object SamAccountName, Name,
@{n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogon) } },
@{n = 'LastLogonTimeStamp'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
To get the same information about a domain computer, change the cmdlet to Get-ADComputer.
Get-ADComputer -Identity DB1 -Properties LastLogon, LastLogonTimestamp |
Select-Object SamAccountName, Name,
@{n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogon) } },
@{n = 'LastLogonTimeStamp'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
Find Inactive AD Users and Computers
Administrators should also inventory inactive users and computers for possible housekeeping. Here are the PowerShell commands.
To find all users whose last logon timestamp is older than 90 days:
$oldest = (Get-Date).AddDays(-90)  # cutoff matching the 90-day threshold above
Get-ADUser -Filter { LastLogonTimeStamp -lt $oldest } -Properties LastLogon, LastLogonTimestamp |
Select-Object SamAccountName, Name,
@{n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogon) } },
@{n = 'LastLogonTimeStamp'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
To get the same information for domain computers, replace the Get-ADUser cmdlet with the Get-ADComputer cmdlet.
Get-ADComputer -Filter { LastLogonTimeStamp -lt $oldest } -Properties LastLogon, LastLogonTimestamp |
Select-Object SamAccountName, Name,
@{n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogon) } },
@{n = 'LastLogonTimeStamp'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
The problem with the above method is that the filter excludes computers or users whose LastLogonTimestamp has never been set, that is, accounts that have never logged on. To include those without a last logon value, you can use the Search-ADAccount cmdlet instead.
This command lists all inactive users in the last 30 days, controlled by the -UsersOnly switch.
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan ([timespan]::FromDays(30)) |
Select-Object ObjectClass, SamAccountName, Name, LastLogonDate
This command lists all inactive computers in the last 30 days, controlled by the -ComputersOnly switch.
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan ([timespan]::FromDays(30)) |
Select-Object ObjectClass, SamAccountName, Name, LastLogonDate
To list all inactive users and computers in the last 30 days, run the same command with neither the -UsersOnly nor the -ComputersOnly switch.
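The following is an added example, not code from the original post. It builds an inactivity report that keeps accounts with no lastLogonTimestamp (never logged on) in scope, but does not flag a brand-new account merely because it has not logged on yet, and it refuses a threshold shorter than the 14-day lastLogonTimestamp update interval. The policy is split into a pure function so it can be checked against constructed objects before it is run against the domain. Function names are this example's own; the cmdlets and attribute names are the standard ActiveDirectory module ones used elsewhere on this page.

```powershell
# Added example (not from the original post). Function names are this example's own.

function Test-ADAccountStale {
    # Returns a reason string when the object counts as stale, otherwise $null.
    # $Account needs LastLogonTimestamp (Int64 FileTime or $null) and whenCreated (DateTime),
    # which is what Get-ADUser/Get-ADComputer -Properties LastLogonTimestamp, whenCreated return.
    param([Parameter(Mandatory)]$Account, [Parameter(Mandatory)][DateTime]$Cutoff)
    if (-not $Account.LastLogonTimestamp) {
        # Never logged on: stale only if the object itself predates the cutoff,
        # so an account created last week is not reported as abandoned.
        if ($Account.whenCreated -lt $Cutoff) { return 'NeverLoggedOn' }
        return $null
    }
    $ts = [DateTime]::FromFileTime($Account.LastLogonTimestamp)
    if ($ts -lt $Cutoff) { return 'LastLogonTooOld' }
    return $null
}

function Get-StaleADAccount {
    param(
        [ValidateSet('User', 'Computer')][string]$Type = 'User',
        [int]$InactiveDays = 90,
        [DateTime]$Now = (Get-Date)
    )
    # lastLogonTimestamp can trail a real logon by up to 14 days, so a shorter
    # threshold would report active accounts as stale.
    if ($InactiveDays -le 14) {
        throw "InactiveDays must be greater than the 14-day lastLogonTimestamp update interval"
    }
    $cutoff = $Now.AddDays(-$InactiveDays)
    $props  = 'LastLogonTimestamp', 'whenCreated'
    # Enabled accounts only, and deliberately no LastLogonTimestamp clause in the filter:
    # objects with an empty attribute are fetched too and judged by Test-ADAccountStale.
    $accounts = if ($Type -eq 'User') {
        Get-ADUser -Filter { Enabled -eq $true } -Properties $props
    } else {
        Get-ADComputer -Filter { Enabled -eq $true } -Properties $props
    }
    foreach ($a in $accounts) {
        $reason = Test-ADAccountStale -Account $a -Cutoff $cutoff
        if ($reason) {
            [PSCustomObject]@{
                Type               = $Type
                SamAccountName     = $a.SamAccountName
                LastLogonTimestamp = if ($a.LastLogonTimestamp) { [DateTime]::FromFileTime($a.LastLogonTimestamp) } else { $null }
                Created            = $a.whenCreated
                Reason             = $reason
            }
        }
    }
}

# Constructed objects to exercise the policy offline (no domain needed)
$cutoff = [DateTime]'2024-01-01'
$never  = [PSCustomObject]@{ SamAccountName = 'svc-old'; LastLogonTimestamp = $null; whenCreated = [DateTime]'2023-06-01' }
$fresh  = [PSCustomObject]@{ SamAccountName = 'newhire'; LastLogonTimestamp = $null; whenCreated = [DateTime]'2024-02-20' }
Test-ADAccountStale -Account $never -Cutoff $cutoff
Test-ADAccountStale -Account $fresh -Cutoff $cutoff

# Live use against the domain:
# Get-StaleADAccount -Type Computer -InactiveDays 90 | Format-Table
```

Of the two constructed objects, only the first is reported: both lack a lastLogonTimestamp, but the second was created after the cutoff. Stale, still-enabled accounts are a standing foothold for anyone who obtains their credentials, so the report is most useful when its output feeds a disable-and-review step rather than just a listing.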
Get a User’s Last Logon Time from All Domain Controllers
As we said earlier, if there are several domain controllers in your domain, then their lastLogon attribute value may differ. If a user has been inactive for more than 14 days, the easiest way is to get the value of the lastLogonTimeStamp attribute from any domain controller.
However, if you don’t know which site or DC the user was last authenticated on, you must query all domain controllers in the AD to get the user’s last logon date. And because it wouldn’t make sense to query each domain controller manually, let’s use a script.
Copy the script below and save it as Get-ADUserLastLogOnTime.ps1 on your computer. You can also download this script from this Gist.
# Get-ADUserLastLogOnTime.ps1
# Queries every domain controller for the non-replicated lastLogon attribute of one user.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [String]
    $LogonName
)

Import-Module ActiveDirectory

# Every DC in the domain; each one holds its own copy of lastLogon
$DCs = (Get-ADDomainController -Filter *).Name
$result = New-Object System.Collections.Generic.List[object]

foreach ($dc in $DCs) {
    # "Querying DC: [$($dc)]" | Out-Default
    try {
        # -Server targets this specific DC; -ErrorAction Stop sends failures to the catch block
        if ($aduser = Get-ADUser $LogonName -Server $dc -Properties lastlogon -ErrorAction Stop) {
            # lastLogon is a FileTime; 0 (never logged on at this DC) is shown as 1 Jan 1601
            $result.Add(
                ($aduser |
                    Select-Object SamAccountName, Name,
                    @{n = 'DC'; e = { $dc } },
                    @{n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogon) } })
            )
        }
    }
    catch {
        # An unreachable DC is reported but does not stop the loop over the others
        $_.Exception.Message | Out-Default
    }
}

return $result
This PowerShell script retrieves the last logon (lastLogon) of an Active Directory (AD) user account from all domain controllers. It accepts a parameter, $LogonName, which should be the username (SamAccountName) of the user for whom you want to retrieve the last logon time.
.\Get-ADUserLastLogOnTime.ps1 -LogonName USERNAME
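The following is an added example, not code from the original post. It reduces the per-DC list that Get-ADUserLastLogOnTime.ps1 returns to a single answer: because each DC keeps its own lastLogon, the newest value across DCs is the one that counts, a DC that reported 0 (displayed by FromFileTime as 1 January 1601) never saw the user log on, and a DC that failed to answer might hold a newer value than any that were listed. The function name is this example's own, and the sample rows and DC names are constructed.

```powershell
# Added example (not from the original post). Function name is this example's own.

function Resolve-ADUserLastLogon {
    param(
        [Parameter(Mandatory)][object[]]$PerDcResult,   # objects with SamAccountName, DC, LastLogon
        [int]$DcCountExpected = 0                       # DCs that should have answered (0 = unknown)
    )
    # FromFileTime(0) is what the script emits for a DC that never saw this user log on
    $neverLoggedOn = [DateTime]::FromFileTime(0)
    $newest = $PerDcResult |
        Where-Object { $_.LastLogon -gt $neverLoggedOn } |
        Sort-Object LastLogon -Descending |
        Select-Object -First 1
    [PSCustomObject]@{
        SamAccountName = $PerDcResult[0].SamAccountName
        LastLogon      = if ($newest) { $newest.LastLogon } else { $null }
        LastLogonDC    = if ($newest) { $newest.DC } else { $null }
        DCsAnswering   = $PerDcResult.Count
        # $false means at least one DC is missing from the input, so LastLogon is only a lower bound;
        # $null means the expected count was not supplied
        AllDCsAnswered = if ($DcCountExpected -eq 0) { $null } else { $PerDcResult.Count -eq $DcCountExpected }
    }
}

# Constructed rows in the shape the script emits (DC names are placeholders)
$perDc = @(
    [PSCustomObject]@{ SamAccountName = 'ebrown'; DC = 'DC1'; LastLogon = [DateTime]'2024-01-11 08:15' }
    [PSCustomObject]@{ SamAccountName = 'ebrown'; DC = 'DC2'; LastLogon = [DateTime]::FromFileTime(0) }
    [PSCustomObject]@{ SamAccountName = 'ebrown'; DC = 'DC3'; LastLogon = [DateTime]'2024-01-20 17:02' }
)
Resolve-ADUserLastLogon -PerDcResult $perDc -DcCountExpected 4

# Live use, feeding the script's output and the real DC count:
# $dcTotal = (Get-ADDomainController -Filter *).Count
# Resolve-ADUserLastLogon -PerDcResult (.\Get-ADUserLastLogOnTime.ps1 -LogonName ebrown) -DcCountExpected $dcTotal
```

With the constructed rows the result names DC3 as the DC holding the newest logon and reports AllDCsAnswered as $false, since only three of the four expected DCs are present. That flag matters when the answer is used for an incident timeline: a logon that only a silent DC recorded is invisible here, so "no recent logon" is not a safe conclusion until every DC has been heard from.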
Conclusion
We explored various methods for finding the last logon time for Active Directory users and computers. We discussed the primary attributes, “lastLogon” and “lastLogonTimestamp,” which serve as sources of last logon time information. While “lastLogon” is not replicated between domain controllers and can lead to accuracy issues in multi-domain environments, “lastLogonTimestamp” provides a more reliable alternative with the trade-off of not being updated in real-time.
We also delved into practical methods for retrieving last logon time information, including the Active Directory Users and Computers (ADUC) snap-in, the “net user” command, DSQUERY, and PowerShell scripts. These methods allow administrators to efficiently monitor user and computer activity, identify inactive accounts, and make informed network management and security decisions.