AD Powershell script to generate last log in details for a specific user for last 60 days

  • Question

  • Hello guys,

    I am looking for a script which can generate last login details for a specific user for the last 60 days.

    Anyone aware?

    Thanks & Regards

    Surya Mohanty

    Tuesday, January 23, 2018 12:31 PM

All replies

  • Active Directory tracks the last logon for each user on each DC (the last time each user authenticated to each DC), but that is all. It does not track logon history.

    You could use logon scripts configured in Group Policy to log every logon to a log file. This would serve as a database of logons that you could query or read into Excel and filter.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, January 23, 2018 12:39 PM
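
Added example, not part of the original thread: each DC keeps its own, non-replicated lastLogon value, so finding a user's true last logon means asking every DC and taking the newest answer. The function name Get-LastLogonPerDC is hypothetical, and the code assumes the ActiveDirectory module is installed; jsmith is the sample account name used elsewhere on this page.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-LastLogonPerDC {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Identity   # sAMAccountName, DN, GUID or SID
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # lastLogon is stored per DC and is not replicated, so ask each DC directly
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                               -Properties lastLogon -ErrorAction Stop
            # A value of 0 (or no value) means this DC never authenticated the user
            $when = if ($user.lastLogon -gt 0) { [datetime]::FromFileTime($user.lastLogon) }
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $when; Error = $null }
        }
        catch {
            # An unreachable DC means the overall answer may be incomplete, so report it
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; Error = $_.Exception.Message }
        }
    }
}

# Per-DC view, newest first; the first row with a value is the most recent logon AD knows about
$perDc = Get-LastLogonPerDC -Identity 'jsmith'
$perDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

This still yields a single point in time per DC, not a history.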
  • Hello Richard,

    Thanks for the quick reply, but unfortunately we don't have auditing enabled, which would keep the data as events. A couple of days is as far as the security events are available.

    I have been informed the command below could do the job:

    get-aduser -filter {lastlogondate -gt "1/12/2017"} -Properties lastlogondate | select Name,LastLogonDate | sort name

    But it's generic, whereas I am looking for a specific user.

    Any idea?

    Tuesday, January 23, 2018 12:45 PM
  • Or, if the user logs in on just one computer, you can query the SYSTEM event log to retrieve the information:

    Param (
        [int]$Days = 60   # how many days back to search
    )
    cls
    $Result = @()
    Write-Host "Gathering Event Logs, this can take awhile..."
    # Winlogon writes event 7001 (logon) and 7002 (logoff) to the System log
    $ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-$Days)
    If ($ELogs)
    {
        Write-Host "Processing..."
        ForEach ($Log in $ELogs)
        {
            If ($Log.InstanceId -eq 7001)
            {
                $ET = "Logon"
            }
            ElseIf ($Log.InstanceId -eq 7002)
            {
                $ET = "Logoff"
            }
            Else
            {
                # Skip any other Winlogon event
                Continue
            }
            $Result += New-Object PSObject -Property @{
                Time = $Log.TimeWritten
                'Event Type' = $ET
                # ReplacementStrings[1] is the user's SID; translate it to an account name
                User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
            }
        }
        $Result | Select Time,"Event Type",User | Sort Time -Descending | Out-GridView
        Write-Host "Done."
    }
    Else
    {
        Write-Host "Problem :)"
    }

    Tuesday, January 23, 2018 12:46 PM
  • Thanks Mekac,

    Is it a PS script?

    Tuesday, January 23, 2018 12:48 PM
  • For a specific user use the -Identity parameter, and there is no need to filter or sort:

    Get-ADUser -Identity "jsmith" -Properties lastlogondate | select Name, LastLogonDate

    But there will be one result.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, January 23, 2018 12:50 PM
  • Thanks Richard, but I am looking for logon events for the last month or so. The above command only gives the last successful login.
    Tuesday, January 23, 2018 1:01 PM
  • Hello Mekac,

    I have run it on my personal machine, which generates a report going back to 12/01/2018, so I'm not sure. Is it because I have system events present until that date?

    Tuesday, January 23, 2018 1:02 PM
  • Are you sure you have event ID 7001 before 12/01/2018 in your System log?
    Tuesday, January 23, 2018 1:37 PM
  • My point in my first reply is that AD only keeps track of the last logon. There is no further logon history available, unless you enable auditing of logon events, or you use a logon script to append logon events to a shared log file.

    A logon script to append logon information to a shared log file could be as simple as the following batch file:

    @echo off
    echo %date% %time%,%UserName%,%ComputerName% >> \\MyServer\MyShare\LogUsers.log
    

    This creates a comma-delimited file that can be read into Excel, where it can be filtered and sorted.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, January 23, 2018 1:57 PM
  • Yes, the last event 7001 is present on 12/01/2018, so I guess that's the reason the events go only as far as that date.
    Tuesday, January 23, 2018 2:01 PM
  • Thanks a lot Richard. I will check and see if we can amend the logon script to include the same.
    Tuesday, January 23, 2018 2:02 PM
  • Hi,

    I'm checking how the issue is going, was your issue resolved?

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    I appreciate your feedback.

    Best Regards,
    Albert

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, January 24, 2018 5:23 AM
  • Hi Joelbarlow,

    Much appreciate your guidance here.

    For the script, I am getting the error below:

    "

    dsquery failed:'-attr' is an unknown parameter.
    type dsquery /? for help.PS C:\Users\*******>

    2. Thanks for sharing http://gallery.technet.microsoft.com/scriptcenter/1596233c-2f4e-40a5-83cf-4d3265b01d26 and
    https://www.lepide.com/how-to/track-last-logon-date-and-time-for-active-directory-users.html,

    but I am looking to query in one domain only, for one user,

    so I would appreciate it if you could provide me the script to get the details.

    Wednesday, January 24, 2018 7:38 AM
  • Get-ADUser -Filter * -Properties LastLogonDate | Where LastLogonDate -le (Get-Date).AddDays(-60) | Out-File C:\Text.txt

    This should work, and generate a .txt file with the information.

    Wednesday, January 24, 2018 10:48 AM
  • Thanks m8.

    But I think the above will generate the report for all the users, which would be time consuming and slow the server. So is there any way we can filter for a single user?

    Wednesday, January 24, 2018 10:53 AM
  • Hi Surya,

    Based on my research, I'd like to explain that Richard's logon script is the easiest way to achieve your requirement. The following article is for your reference:
    Record Logon / Logoff Activities on Domain Servers and Workstations Using Group Policy
    https://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx

    In addition, the LastLogonTimeStamp and LastLogonDate are calculated by LastLogon, and their values are different. But even LastLogon is not equal to the actual logon time. You can try running the following command to connect to a shared folder with a specific user credential and see if his LastLogon is updated:
    net use \\sharefolder /user:userA
    For more information, you may refer to this link:
    Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate
    https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

    By the way, to determine the user logon time by event log, the correct event is 4624 with LogonType 2 or 10. You can use the following command to get this event:
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624}
    You can refer to the following link for details:
    4624(S): An account was successfully logged on.
    https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4624

    If you have any updates during this process, please feel free to let me know.

    Best Regards,
    Albert


    Wednesday, January 24, 2018 11:27 AM
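
Added example, not part of the original thread: the Get-WinEvent command in the reply above returns every 4624 event, so this narrows it to one user, logon types 2 and 10, and the last 60 days. The function name Get-UserLogonEvent is hypothetical and jsmith is the sample account used elsewhere on this page; it assumes an elevated session on (or with remote event log access to) the computer the user logs on to, and it can only reach back as far as that machine's Security log retention.

```powershell
# Added example (not from the thread). Reading the Security log needs an elevated session.
function Get-UserLogonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$UserName,        # sAMAccountName, without the domain
        [int]$Days = 60,
        [int[]]$LogonType = @(2, 10),                     # 2 = interactive, 10 = remote interactive
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No events found" is a normal outcome; anything else (access denied, RPC) is re-thrown
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
    foreach ($e in $events) {
        # Read the named EventData fields instead of relying on positional Properties[]
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ieq $UserName -and $LogonType -contains [int]$data['LogonType']) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = [int]$data['LogonType']
                SourceIP  = $data['IpAddress']
                Computer  = $e.MachineName
            }
        }
    }
}

$logons = Get-UserLogonEvent -UserName 'jsmith' -Days 60
$logons | Sort-Object Time -Descending | Format-Table -AutoSize
# If the oldest row is only days old, the Security log has rolled over before the 60-day mark
```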
  • Thanks a lot Albert.

    I will follow through the instructions and advise you on the outcome.

    Wednesday, January 24, 2018 12:31 PM
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,
    Albert



    Friday, January 26, 2018 5:08 AM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If no, please reply and tell us the current situation in order to provide further help.

    I appreciate your feedback.

    Best Regards,
    Albert


    Tuesday, January 30, 2018 6:20 AM
  • Hello Albert,

    First of all, thank you for helping me out here.

    Though I didn't get what I was looking for, it helps, so I am thankful for it.

    :)

    Wednesday, January 31, 2018 12:47 PM
  • Hi Surya,

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,
    Albert


    Thursday, February 1, 2018 1:46 AM
  • Thanks Albert
    Thursday, February 1, 2018 11:49 AM