Tracking user logon activities in Active Directory can help you to avoid security breaches by preventing unauthorized accesses. Every time a user logs on, the logon time is stamped into the “Last-Logon-Timestamp” attribute by the domain controller. Last logon time reports are essential to understanding what your users are doing. For example, with these reports you can determine the last logon time of users, and then find and disable inactive accounts; minimizing the risk of unauthorized logon attempts in the network. Such reports can also help investigate security breaches. In this article, you will see how to generate last logon reports using PowerShell scripts. You will also see how the same report can be produced faster and easier through LepideAuditor for Active Directory.

Detecting Last Logon Time with PowerShell

Start Windows PowerShell through the Start Menu or by using “Run”. You can also type “PowerShell” in the Start Menu search and press “Enter”.

Copy and run the following script to generate last logon reports on the command screen:

Import-Module ActiveDirectory

function Get-LastLogonEvents
$dcs = Get-ADDomainController -Filter {Name -like "*"}
$users = Get-ADUser -Filter *
$time = 0

foreach($user in $users)
foreach($dc in $dcs)
$hostname = $dc.HostName
$currentUser = Get-ADUser $user.SamAccountName | Get-ADObject -Server $hostname -Properties lastLogon
if($currentUser.LastLogon -gt $time)
$time = $currentUser.LastLogon
$dt = [DateTime]::FromFileTime($time)
Write-Host $currentUser "last logged on at:" $dt
$time = 0
Figure : Script to detect Last Logon Date and Time of Active Directory Users

Press the “Enter” key once at the end of the script to execute it.

It shows the following output on the screen:

Figure : Output of the script

You can modify the provided script to export the output being displayed on the screen to a CSV or text file.

A Simpler Way – LepideAuditor for Active Directory

LepideAuditor for Active Directory gives you detailed information about all Active Directory activities, including reports on last logon time for users. The auditing solution has predefined reports that help you track the last logon time of users. In the following image, you can see the user logon/logoff report. All users are displayed in the “Who” column and their corresponding logon times are available in the “When” column. You will have to sort the report to find users’ last logon time.

Figure : User successful Logon/Logoff report

As you can see, complete audit information regarding successful user logon/logoff is shown on one line. To detect the last logon date of a user, you will have to sort the report on “When” column. Start your free trial today and try it out for yourself!

Download LepideAuditor for Active Directory

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.