
How to Find Active Directory Users Last Logon Time (Using ADUC)

Active Directory is a central component of many Windows-based networks and serves as a database of the users, groups, and computers that system administrators manage. One crucial task for system admins is to identify inactive user accounts in Active Directory and remove them to improve security and reduce clutter in the directory. To accomplish this, admins need to find the last logon time of a user in Active Directory.

Several methods exist to achieve this, including the Active Directory Users and Computers console, LDAP queries, and PowerShell commands. In this topic, we look into these methods in more detail and show how system admins easily find the last logon time of a user in Active Directory.

Let us continue with the article How to Find Active Directory Users Last Logon Time (Using ADUC).

How to Find Active Directory Users Last Logon Time (Using ADUC)

To determine the last time a domain user logged in, we utilize the Active Directory Users and Computers (ADUC) graphical console. Here’s how:

  1. Launch the dsa.msc console.
  2. Select View > Advanced Features from the top menu to enable this option.
  3. Locate the user in the AD tree and open its properties.
  4. Click on the Attribute Editor tab.
  5. Look for the lastLogon attribute in the list of attributes; it displays the user’s most recent domain logon time.

Note. The lastLogon and lastLogonTimestamp attributes on the screenshot above look similar. So what distinguishes them from one another?

Logon Timestamp Attributes

  • The lastLogon attribute is updated whenever a user logs on to the domain. However, it is updated only on the domain controller that authenticated the user, and it is not replicated to the other domain controllers. As a result, if several domain controllers are spread across various Active Directory sites and subnets, we must check this attribute on each domain controller and compare the values obtained. The value of this attribute for the same user may differ between DCs or even be zero (if the user has never authenticated against that DC);
  • The lastLogonTimeStamp attribute is also updated when a user logs on to a domain controller, and it is replicated to the other DCs. However, it is replicated with a delay (it is updated only if the existing value is fourteen (14) days or older), so the information in this attribute on a given DC may not be current.

Beginning with the Windows Server 2008 AD schema version (AD Schema objectVersion = 44), additional logon-related attributes are available. These include:

  • msDS-LastFailedInteractiveLogonTime: displays the time of the most recent unsuccessful login attempt.
  • msDS-LastSuccessfulInteractiveLogonTime: displays the time of the most recent successful login attempt. It’s essential to check the AD schema version to determine whether updating the Active Directory schema is necessary.

These attributes, which we use to track users’ interactive logon attempts, are replicated between AD domain controllers. They are not enabled by default, however, and collect no logon information until they are switched on through Group Policy.


Enabling Logon Properties Using Group Policy

To enable these attributes:

  1. Enable the Group Policy Object (GPO) setting “Provide information about previous logons to client computers for domain controllers” located at Computer Configuration > Administrative Templates > System > KDC.
  2. Create a GPO with this parameter.
  3. Assign the GPO to the Domain Controllers container.

To generate a list of users who haven’t logged into the domain for a while using LDAP query in the Active Directory graphical console, follow these steps:

  1. Convert the desired date to the ToFileTime format. For example, if we want to find users who have not logged in for over 90 days, we use this PowerShell command to get the date’s value:

    (Get-Date).AddDays(-90).ToFileTime()

This snippet returns the date as a Windows FILETIME value, for example 132988354159396418.

2. Insert the FileTimeDate value into the LDAP query:


  3. Open the AD Users and Computers console, right-click the Saved Queries node, and click New, then Query.
  4. Name the query and click the Define Query button.
  5. Choose Custom Search from the drop-down list and switch to the Advanced tab.
  6. Copy the LDAP query into the Enter LDAP Query field.
  7. Save the query by clicking OK, then confirm with another OK.
  8. Select the query in Saved Queries and press F5 to refresh the object list. The ADUC console displays a flat list of users whose last domain logon was more than 90 days ago.
  9. Remove or disable the inactive domain user accounts directly from the AD console.
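The saved-query procedure above can be checked from PowerShell. This is an added example, not code from the original article: it builds the cutoff FILETIME the same way the article does, assembles an LDAP filter on lastLogonTimestamp (the filter text is this example’s own construction, since the article does not reproduce it), and runs it with Get-ADUser -LDAPFilter so the result can be compared with the ADUC saved query.

```powershell
# Added example, not part of the original article: build the LDAP filter for the
# ADUC saved query in PowerShell and test it with Get-ADUser before saving it.
Import-Module ActiveDirectory

$days   = 90
# Same conversion the article uses: the cutoff date as a Windows FILETIME value
$cutoff = (Get-Date).AddDays(-$days).ToFileTime()

# lastLogonTimestamp is compared as a 64-bit integer, so "<=" selects accounts
# whose replicated last logon is on or before the cutoff. The second branch
# also catches accounts that have never logged on (attribute never set).
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"
Write-Host "LDAP query for the ADUC saved query:`n$ldapFilter"

# Run the same filter directly; the result should match the saved query in ADUC.
Get-ADUser -LDAPFilter $ldapFilter -Properties lastLogonTimestamp |
    Select-Object SamAccountName, Enabled,
        @{ N = 'LastLogonTimestamp'; E = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
            else { 'never' } } } |
    Format-Table -AutoSize
```

Because lastLogonTimestamp is only replicated every 14 days, treat the list as "not seen for at least 76 days" rather than an exact figure when deciding which accounts to disable.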

Find the Last Logon Time Using CMD

The next part of the article How to Find Active Directory Users Last Logon Time (Using ADUC) explains how to find the last logon time using CMD. Using the net or dsquery tools from the command line, we can discover when a user last logged into the domain. For example, run the following command inside a command prompt window (domain admin rights are not required to read AD user information):

    net user administrator /domain | findstr "Last"

If we want to get the last login time of a local user, we need to remove the /domain parameter:

    net user User | findstr "Last"

We also get the last logon time using dsquery. For example:

    dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=admin))" -attr distinguishedName lastLogon lastLogonTimestamp -limit 0

The main problem is that the lastLogonTimestamp and lastLogon attributes are stored in AD as FILETIME integer timestamps, so we need to convert them to a normal date and time format.

We use this command to find all inactive users, for example, for 10 weeks:

    dsquery user domainroot -inactive 10

Find the Last Logon Time Using PowerShell

We also use PowerShell to get the user’s last domain logon time. For this, we need to use the PowerShell Active Directory module and PowerShell commands. First, open PowerShell and run the Import-Module cmdlet to import the Active Directory module:

    Import-Module ActiveDirectory

If the module fails to import, ensure that the Microsoft Remote Server Administration Tools (RSAT) package is installed. Once confirmed, run the following command with the Get-ADUser cmdlet to get the last logon time for a specific user:

    Get-ADUser -Identity username -Properties LastLogon | Select-Object -Property Name, LastLogon

Replace the username value in the above command with the account name of the user whose last logon time we want to retrieve. Select-Object displays the user’s name and the raw LastLogon value; the following variant converts that value into a readable date with [DateTime]::FromFileTime:

    Get-ADUser -Filter {Name -eq "username"} -Properties * |
        Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}}

Note that the LastLogon attribute may not be updated immediately when a user logs in. Active Directory updates this attribute every 14 days by default, so the value displayed may not reflect the most recent login time. If we need more accurate information, we use other attributes like LastLogonTimestamp or msDS-LastSuccessfulInteractiveLogonTime, updated more frequently.
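As the Logon Timestamp Attributes section notes, lastLogon is updated only on the domain controller that authenticated the user, so a single Get-ADUser call as shown above returns the value from one DC only. The following is an added example (not the article’s own code) that queries every DC, keeps the most recent lastLogon, and prints it next to the replicated lastLogonTimestamp; the account name jdoe is a placeholder.

```powershell
# Added example, not part of the original article: lastLogon is not replicated,
# so ask every domain controller and keep the most recent value.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $latest   = [int64]0
    $latestDC = $null
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }
        # 0 (or a missing attribute) means the user never authenticated against this DC
        $value = [int64]$u.lastLogon
        if ($value -gt $latest) { $latest = $value; $latestDC = $dc.HostName }
    }

    # The replicated attribute can be read from any DC; shown here for comparison
    $rep = [int64](Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp

    [pscustomobject]@{
        User               = $SamAccountName
        LastLogon          = $(if ($latest) { [DateTime]::FromFileTime($latest) } else { $null })
        ReportedBy         = $latestDC
        LastLogonTimestamp = $(if ($rep) { [DateTime]::FromFileTime($rep) } else { $null })
    }
}

# 'jdoe' is a placeholder account name
Get-TrueLastLogon -SamAccountName 'jdoe'
```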

Find the Inactive Users Within a Set Amount of Days

To find accounts that have not logged in for a specific amount of days, such as 90 days, we use a PowerShell command that filters user accounts based on their LastLogonTimestamp attribute. Here’s an example command:

    Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | Select-Object Name, LastLogonTimestamp

This command searches for accounts that have been inactive for 90 days or more and selects only those that are user accounts. It then displays the names of those user accounts and their LastLogonTimestamp attribute value, which represents the last time the user logged in to the domain.

We adjust the TimeSpan parameter to search for accounts that have been inactive for a different number of days. For example, if we want to search for accounts that have been inactive for 60 days, we set TimeSpan to 60.00:00:00.

Note that AD updates the LastLogonTimestamp attribute after a user logs in or out of the system, so the value may be only partially accurate. Also, this attribute is replicated among domain controllers only every 9-14 days by default, so we may get up-to-date information for only some user accounts.

Export to CSV File

To export the list of inactive user accounts to a CSV file, we modify the PowerShell command provided earlier to include the Export-CSV cmdlet. Here’s an example command:

    Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 |
        where {$_.ObjectClass -eq 'user'} |
        Select-Object Name, LastLogonTimestamp |
        Export-CSV C:\InactiveUsers.csv -NoTypeInformation

This command searches for accounts that have been inactive for 90 days or more and selects only those that are user accounts. It then takes the Name and LastLogonTimestamp properties of those user accounts and exports them to a CSV file located at “C:\InactiveUsers.csv”.

The “-NoTypeInformation” parameter specifies that the CSV file should not include the .NET type information for each object, which makes the file easier to read. After running this command, we open the CSV file with Excel or any other spreadsheet application to view the list of inactive user accounts and their last logon timestamps.
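The command above writes LastLogonTimestamp as a raw FILETIME integer, and it lists accounts that have never logged on and accounts that are already disabled alongside everything else. The following is an added example (not the article’s own code) that produces the same CSV with readable dates, a NeverLoggedOn flag, and the Enabled state so the list can be reviewed before any account is disabled; the output path is the one used in the article.

```powershell
# Added example, not part of the original article: the inactive-account export
# with readable dates and the cases the raw command hides (never logged on,
# already disabled).
Import-Module ActiveDirectory

$days    = 90
$outFile = 'C:\InactiveUsers.csv'   # same path as the article's example

Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($days)) -UsersOnly |
    ForEach-Object {
        # Search-ADAccount returns only a few attributes; fetch the rest per account
        $u  = Get-ADUser -Identity $_.DistinguishedName -Properties lastLogonTimestamp, whenCreated, PasswordLastSet
        $ts = [int64]$u.lastLogonTimestamp   # 0 or missing: never logged on anywhere
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            Enabled            = $u.Enabled
            LastLogonTimestamp = $(if ($ts) { [DateTime]::FromFileTime($ts) } else { $null })
            NeverLoggedOn      = ($ts -eq 0)
            WhenCreated        = $u.whenCreated
            PasswordLastSet    = $u.PasswordLastSet
        }
    } |
    Sort-Object LastLogonTimestamp |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Review step: only accounts that are still enabled need action
Import-Csv $outFile | Where-Object { $_.Enabled -eq 'True' } | Format-Table -AutoSize
```

WhenCreated helps separate an account that was created recently and simply not used yet from one that has genuinely been abandoned.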

Thank you for reading the article How to Find Active Directory Users Last Logon Time (Using ADUC). We shall conclude it now. 

How to Find Active Directory Users Last Logon Time (Using ADUC) Conclusion

In conclusion, finding the last logon time of a user in Active Directory is an essential task for system admins, as it allows them to identify inactive user accounts that can be disabled or removed to improve security and reduce clutter in the directory. We achieve this using various methods, including the Active Directory Users and Computers console, LDAP queries, and PowerShell commands.

With the right tools and techniques, system admins quickly and easily find the last logon time of a user in Active Directory and take appropriate actions to manage their directory effectively.

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
