How to Detect Last Logon Date and Time for All Active Directory Users

by Danny Murphy
Download Lepide Active Directory Auditor
In This Article

Tracking user logon activities in Active Directory can help you to avoid security breaches by preventing unauthorized accesses. Every time a user logs on, the logon time is stamped into the “Last-Logon-Timestamp” attribute by the domain controller. Last logon time reports are essential to understanding what your users are doing. For example, with these reports you can determine the last logon time of users, and then find and disable inactive accounts; minimizing the risk of unauthorized logon attempts in the network. Such reports can also help investigate security breaches. In this article, you will see how to generate last logon reports using PowerShell scripts. You will also see how the same report can be produced faster and easier through Lepide Active Directory Auditor.

Detecting Last Logon Time with PowerShell

Start Windows PowerShell through the Start Menu or by using “Run”. You can also type “PowerShell” in the Start Menu search and press “Enter”.

Copy and run the following script to generate last logon reports on the command screen:

Import-Module ActiveDirectory

function Get-LastLogonEvents
$dcs = Get-ADDomainController -Filter {Name -like "*"}
$users = Get-ADUser -Filter *
$time = 0

foreach($user in $users)
foreach($dc in $dcs)
$hostname = $dc.HostName
$currentUser = Get-ADUser $user.SamAccountName | Get-ADObject -Server $hostname -Properties lastLogon
if($currentUser.LastLogon -gt $time) 
$time = $currentUser.LastLogon
$dt = [DateTime]::FromFileTime($time)
Write-Host $currentUser "last logged on at:" $dt
$time = 0
Figure : Script to detect Last Logon Date and Time of Active Directory Users

Press the “Enter” key once at the end of the script to execute it.

It shows the following output on the screen:

Figure : Output of the script

You can modify the provided script to export the output being displayed on the screen to a CSV or text file.

Track Last Logon Date and Time Lepide Active Directory Auditor

Lepide Active Directory Auditor (part of Lepide Data Security Platform) gives you detailed information about all Active Directory activities, including reports on last logon time for users. Our Active Directory auditing solution has predefined reports that help you track the last logon time of users. In the following image, you can see the user logon/logoff report. All users are displayed in the “Who” column and their corresponding logon times are available in the “When” column. You will have to sort the report to find users’ last logon time.

Figure : User successful Logon/Logoff report

As you can see, complete audit information regarding successful user logon/logoff is shown on one line. To detect the last logon date of a user, you will have to sort the report on “When” column. Start your free trial today and try it out for yourself!

Download Lepide Active Directory Auditor