AD Powershell script to generate last log in details for a specific user for last 60 days

Sign in to vote

Active Directory tracts the last logon for each user on each DC (the last time each user authenticated to each DC), but that is all. It does not track logon history.

You could use logon scripts configured in Group Policy to log every logon to a log file. This would serve as a database of logons that you could query or read into Excel and filter.

Richard Mueller - MVP Enterprise Mobility (Identity and Access)

Tuesday, January 23, 2018 12:39 PM

0

Sign in to vote

Hello Richard ,

thanks for the quick reply ..but unfortunately we don't have auditing enabled which would keep the data as events . couple of days is as far as the security events are available .

I have been informed below command could do the job

get-aduser -filter {lastlogondate -gt "1/12/2017"} -Properties lastlogondate | select Name,LastLogonDate | sort name

but it's generic where as I am looking for a specific user..

any idea ??

Tuesday, January 23, 2018 12:45 PM

1

Sign in to vote

Or, if the user login on just one computer, u can query SYSTEM event log to retrieve informations

Param (

 [int]$Days = 60
 )
 cls
 $Result = @()
 Write-Host "Gathering Event Logs, this can take awhile..."
 $ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-$Days)
 If ($ELogs)
 { Write-Host "Processing..."
 ForEach ($Log in $ELogs)
 { If ($Log.InstanceId -eq 7001)
   { $ET = "Logon"
   }
   ElseIf ($Log.InstanceId -eq 7002)
   { $ET = "Logoff"
   }
   Else
   { Continue
   }
   $Result += New-Object PSObject -Property @{
    Time = $Log.TimeWritten
    'Event Type' = $ET
    User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
   }
 }
 $Result | Select Time,"Event Type",User | Sort Time -Descending | Out-GridView
 Write-Host "Done."
 }
 Else
 { Write-Host "Problem :)"
 }

Tuesday, January 23, 2018 12:46 PM

0

Sign in to vote

Thanks Mekac ,

is it a ps script ??

Tuesday, January 23, 2018 12:48 PM

0

Sign in to vote

For a specific user use the -Identity parameter, and there is no need to filter or sort.:

Get-ADUser -Identity "jsmith" -Properties lastlogondate | select Name, LastLogonDate

But there will be one result.

Richard Mueller - MVP Enterprise Mobility (Identity and Access)

Tuesday, January 23, 2018 12:50 PM

0

Sign in to vote

Thanks Richard..but I am looking for logon events for last month or so..the above command only gives the last successful login..

Tuesday, January 23, 2018 1:01 PM

0

Sign in to vote

hello Mekac ,

i have ran it on my personal machine which generates report going back to 12/01/2018..so not sure..is it because i have system event present until the date..!!!

Tuesday, January 23, 2018 1:02 PM

0

Sign in to vote

sure u have eventId 7001 before 12/01/2018 in your system log?

Tuesday, January 23, 2018 1:37 PM

0

Sign in to vote

My point in my first reply is that AD only keeps track of the last logon. There is no further logon history available, unless you enable auditing of logon events, or you use a logon script to append logon events to a shared log file.

A logon script to append logon information to a shared log file could be as simple as the following batch file:

@echo off
echo %date% %time%,%UserName%,%ComputerName% >> \\MyServer\MyShare\LogUsers.log

This creates a comma delimited file that can read into Excel, where it can be filtered and sorted.

Richard Mueller - MVP Enterprise Mobility (Identity and Access)

Proposed as answer by Albert LingMicrosoft contingent staff Wednesday, January 24, 2018 5:22 AM

Tuesday, January 23, 2018 1:57 PM

0

Sign in to vote

yes ,the last event 7001 is present on 12/01/2018..so i guess that's the reason the event goes as far as the date.

Tuesday, January 23, 2018 2:01 PM

0

Sign in to vote

Thanks a lot Richard..I will check and see if we can amend the logon script to include the same.

Tuesday, January 23, 2018 2:02 PM

0

Sign in to vote

Hi,

I'm checking how the issue is going, was your issue resolved?

And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

Appreciate for your feedback.

Best Regards,
Albert

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Wednesday, January 24, 2018 5:23 AM

0

Sign in to vote

hi Joelbarlow ,

much appreciate your guidance here..

for the script , I am getting below error

"

dsquery failed:'-attr' is an unknown parameter.
type dsquery /? for help.PS C:\Users\*******>

2. Thanks for sharing http://gallery.technet.microsoft.com/scriptcenter/1596233c-2f4e-40a5-83cf-4d3265b01d26..&
https://www.lepide.com/how-to/track-last-logon-date-and-time-for-active-directory-users.html..

but i am looking to query in one domain only ..one user

so appreciate if you can provide me the script to get the details.

Wednesday, January 24, 2018 7:38 AM

0

Sign in to vote

Get-ADUser -Filter *| Where LastLogonDate -le (Get-Date).AddDays(-60) | Out-File C:\Text.txt

This Should work, and generate a .txt file with the information.

Wednesday, January 24, 2018 10:48 AM

0

Sign in to vote

Thanks m8..

but I think the above will generate the report for all the users which would be time consuming and slow the server..so is there anyway we can filter out for a single user ..??

Wednesday, January 24, 2018 10:53 AM

0

Sign in to vote

Hi Surya,

Based on my research, I'd like to explain that Richard's logon script is the easiest way to achieve your requirement. The following article for your reference:
Record Logon / Logoff Activities on Domain Servers and Workstations Using Group Policy
https://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx

In addition, the LastLogonTimeStamp and LastLogonDate is calculated by LastLogon, and their values are different. But even LastLogon is not equal to the actual logon time. You can have a try to run the following command to connect to a shared folder with a specific user credential and see if his LastLogon is updated:
net use \\sharefolder /user:userA
For more information, you may refer to this link:
Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate
https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

By the way, to determine the user logon time by event log, the correct Event is 4624 with LogonType 2 or 10, you can use the following command to get this event:
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624}
You can refer to the following link for details:
4624(S): An account was successfully logged on.
https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4624

If you have any updates during this process, please feel free to let me know.

Best Regards,
Albert

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Edited by Albert LingMicrosoft contingent staff Wednesday, January 24, 2018 11:38 AM
Proposed as answer by Albert LingMicrosoft contingent staff Tuesday, January 30, 2018 6:20 AM

Wednesday, January 24, 2018 11:27 AM

0

Sign in to vote

Thanks a lot Albert..

I will follow through the instruction and advise you on the outcome..

Wednesday, January 24, 2018 12:31 PM

0

Sign in to vote

Hi,

Just checking in to see if the information provided was helpful.

Please let us know if you would like further assistance.

Best Regards,
Albert

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Edited by Albert LingMicrosoft contingent staff Friday, January 26, 2018 5:08 AM

Friday, January 26, 2018 5:08 AM

0

Sign in to vote

Hi,

I am checking how the issue is going, if you still have any questions, please feel free to contact us.

If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If no, please reply and tell us the current situation in order to provide further help.

Appreciate for your feedback.

Best Regards,
Albert

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Tuesday, January 30, 2018 6:20 AM

0

Sign in to vote

hello Albert ,

First of all thank you for helping me out here..

Though i didn't get what I was looking for , but it helps ..So I am thankful for it .

:)

Wednesday, January 31, 2018 12:47 PM

0

Sign in to vote

Hi Surya,

If there is anything else we can do for you, please feel free to post in the forum.

Best Regards,
Albert

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Thursday, February 1, 2018 1:46 AM

0

Sign in to vote

Thanks Albert

Thursday, February 1, 2018 11:49 AM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Asked by:

AD Powershell script to generate last log in details for a specific user for last 60 days

Question

All replies