none
How to find last successful login and user on a domain

    Question

  • Hello all,

    So I'm trying to find a easier or automated way to find the last user to log on all servers on my domain, we do audit login attempts. So I was wondering if there's a command to specify a DC and it would list me all servers and last person to log on each of them.

    If someone can put me on the right direction I would appreciate!

    Thanks!

    Thursday, December 15, 2016 2:53 PM

All replies

  • Thursday, December 15, 2016 3:26 PM
  • Do you mean the last person to logon to a member server, a DC, or any computer? Also, you mean users logging into the computer locally, or using a domain account?

    Active Directory does not keep track of which user logs into which computer. You can query AD for any user's last logon time, but not which computer they used.

    If you are talking about logging in with domain accounts, and you want to track all logons, one solution is a logon script that logs the date, time, user name, and local computer name. The logon script would be configured in a Group Policy, and could be as simple as the following batch file:

    @echo off
    echo %date% %time%,Logon,%UserName%,%ComputerName% >> \\MyServer\MyShare\LogTimes.log

    All users would need write access to the shared log file. Each logon would result in one line appended to the file. The resulting file is comma delimited, so it can be read by Excel for analysis. You could sort by computer and date.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, December 15, 2016 4:33 PM
  • Hello Richard,

    We found security breaches on a lot of servers (physical and VM) on our domain, the problem is, in the past we didn't keep track of who are the server's owners so now we need to find who is using those servers and for what purpose.

    So we have more than 200 servers worldwide that may represent a threat to our security, and I don't have the time to check server by server who is accessing it and for what reason, so I needed this script to at least identify who is logging on them.

    That logon script is a good idea, all active servers users would be identified that way... 

    Thursday, December 15, 2016 5:29 PM
  • You can try using this free Last logon reporter tool if it helps you to resolve your concern.

    Also, please check this blog which should be worth reading in your case - https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

    Friday, December 16, 2016 6:40 AM
  • Hi,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, December 23, 2016 7:12 AM
    Moderator