Domain users last login timestamp finding query

  • Question

  • Hi,

    I have a Windows Server 2008 R2 domain controller. I need to find all users based on last logon timestamp. What are the things I need to do?

    Dhakshinamoorthy Balasubramanian
    Friday, December 23, 2011 4:05 PM


All replies

  • Do you want to determine the lastLogonTimeStamp value for all users, or do you want to query for all users where lastLogonTimeStamp is greater than or less than some value?

    To retrieve lastLogonTimeStamp for all users in an OU (or domain), you can use dsquery * at the command prompt of a domain controller, but the values are large integers (not converted into dates):

    dsquery * ou=West,dc=MyDomain,dc=com -Filter "(&(objectCategory=person)(objectClass=user))" -attr sAMAccountName lastLogonTimeStamp -Limit 0

    You can use w32tm.exe /ntte to convert any large integer into the corresponding date in the local time zone. For example:

    w32tm /ntte 129223000000000000


    results in the following (in my time zone)

    149563 15:46:40.0000000 - 6/29/2010 9:46:40 AM

    For better results you will need to use a VBScript or PowerShell script. You can ask in the Scripting Guys forum:


     Actually, best might be to use Joe Richards' free oldcmp utility, which can query for users based on lastLogonTimeStamp:


    Richard Mueller - MVP Directory Services
    Friday, December 23, 2011 4:38 PM
  • I would do this with an LDAP filter.  Open ADUC and right click the domain name.  Select FIND.   In the FIND box select CUSTOM SEARCH.  Then click the ADVANCED tab.   You will create your LDAP query here.  (Alternatively, you can use third party software such as Hyena for this....)

     Consider the following:


    You will notice that lastLogonTimeStamp is actually stored in "Integer 8" format.  You will need a program to convert a real date/time to Integer 8 format for use in LDAP queries.   (The user account control statements are excluding Disabled Users and Users that have non-expiring passwords) 

    Here are the scripts I wrote to convert a date/time to Integer 8 format for use in LDAP filters:


    @echo off

    set /p _date=Date to Convert(2/5/2004 4:58:58 PM):

    echo %_date%

    cscript date2Integer8.vbs "%_date%"





    Option Explicit

    Dim dtmDateValue, dtmAdjusted, lngSeconds, str64Bit
    Dim objShell, lngBiasKey, lngBias, k

    If (Wscript.Arguments.Count <> 1) Then
        Wscript.Echo "Required argument <DateTime> missing"
        Wscript.Echo "For example:"
        Wscript.Echo ""
        Wscript.Echo "cscript DateToInteger8.vbs ""2/5/2004 4:58:58 PM"""
        Wscript.Echo ""
        Wscript.Echo "If the date/time value has spaces, enclose in quotes"
        Wscript.Quit
    End If

    dtmDateValue = CDate(Wscript.Arguments(0))

    ' Obtain local Time Zone bias from machine registry.
    Set objShell = CreateObject("Wscript.Shell")
    lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
        & "TimeZoneInformation\ActiveTimeBias")
    If (UCase(TypeName(lngBiasKey)) = "LONG") Then
        lngBias = lngBiasKey
    ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
        lngBias = 0
        For k = 0 To UBound(lngBiasKey)
            lngBias = lngBias + (lngBiasKey(k) * 256^k)
        Next
    End If

    ' Convert datetime value to UTC.
    dtmAdjusted = DateAdd("n", lngBias, dtmDateValue)

    ' Find number of seconds since 1/1/1601.
    lngSeconds = DateDiff("s", #1/1/1601#, dtmAdjusted)

    ' Convert the number of seconds to a string
    ' and convert to 100-nanosecond intervals.
    str64Bit = CStr(lngSeconds) & "0000000"
    Wscript.Echo "Integer8 value: " & str64Bit


    Friday, December 23, 2011 8:42 PM
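
The same date-to-Integer8 conversion and a stale-account LDAP filter, as an added PowerShell example that is not part of the post above. It assumes the ActiveDirectory module is available; the 90-day threshold, the function names and the filter itself are written for this example, and .NET's `ToFileTime()` replaces the registry time-zone arithmetic of the VBScript.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function ConvertTo-Integer8 {
    # Local date/time -> 100-nanosecond intervals since 1601-01-01 UTC.
    # ToFileTime() treats an unspecified-kind date as local time and shifts it to UTC.
    param([Parameter(Mandatory = $true)][datetime]$Date)
    $Date.ToFileTime()
}

function ConvertFrom-Integer8 {
    # Integer8 -> local DateTime; 0 or empty means the attribute was never written.
    param([long]$Value)
    if ($Value -le 0) { return $null }
    [datetime]::FromFileTime($Value)
}

# Assumed threshold for this example: no logon recorded in the last 90 days.
$cutoff = ConvertTo-Integer8 -Date (Get-Date).AddDays(-90)

# userAccountControl bits, tested with the bitwise-AND matching rule
# 1.2.840.113556.1.4.803:
#   2     = ACCOUNTDISABLE        (excluded: already disabled)
#   65536 = DONT_EXPIRE_PASSWORD  (excluded: non-expiring passwords)
# Accounts that have never logged on have no lastLogonTimestamp at all,
# so the <= clause does not match them; they need a separate query.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(lastLogonTimestamp<=$cutoff)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))"

Get-ADUser -LDAPFilter $filter -Properties lastLogonTimestamp |
    Select-Object SamAccountName,
        @{ Name = 'LastLogonTimestamp'
           Expression = { ConvertFrom-Integer8 $_.lastLogonTimestamp } } |
    Sort-Object LastLogonTimestamp
```

The string in `$filter` can also be pasted into the ADUC custom search box described above once `$cutoff` has been expanded to its numeric value.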
  • Also, just an FYI... LastLogonTimeStamp is a "loosely" replicated attribute that may or (most likely) may not represent the actual last logon time of the user or computer. The attribute can be as many as 14 days off the actual logon.

    If you need the actual last logon time of an account you would need to query EVERY domain controller in the domain for the "LastLogon" attribute of the account. This attribute is not replicated at all between DCs.

    What I do is run my query above which returns a subset of accounts that I then run through another process which does in fact query every DC in the domain for the actual last logon time of all the accounts. 



    Friday, December 23, 2011 8:48 PM
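
One way to do the per-DC lookup described in the post above, as an added PowerShell example that is not the poster's own process. It assumes the ActiveDirectory module and network reach to every domain controller; the function name `Get-TrueLastLogon` and the account name in the usage comment are hypothetical.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory = $true)][string[]]$SamAccountName)

    # lastLogon is kept per DC and never replicated, so ask each DC in turn.
    $dcs = Get-ADDomainController -Filter *

    foreach ($name in $SamAccountName) {
        $latest = [long]0
        $source = $null
        $failed = @()

        foreach ($dc in $dcs) {
            try {
                $u = Get-ADUser -Identity $name -Server $dc.HostName `
                        -Properties lastLogon -ErrorAction Stop
                if ($u.lastLogon -gt $latest) {
                    $latest = $u.lastLogon
                    $source = $dc.HostName
                }
            } catch {
                # A DC that could not be queried may hold a newer value;
                # report it so the result is not trusted blindly.
                $failed += $dc.HostName
            }
        }

        $when = $null
        if ($latest -gt 0) { $when = [datetime]::FromFileTime($latest) }

        New-Object PSObject -Property @{
            SamAccountName = $name
            LastLogon      = $when      # $null = no logon recorded on any reachable DC
            ReportedBy     = $source
            UnreachableDCs = ($failed -join ',')
        } | Select-Object SamAccountName, LastLogon, ReportedBy, UnreachableDCs
    }
}

# Usage (constructed account name):
#   Get-TrueLastLogon -SamAccountName 'jdoe'
```

Treat any row with a non-empty `UnreachableDCs` column as unconfirmed before disabling or deleting the account.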

  • I'd use a tool like adfind http://www.joeware.net/freetools/tools/adfind/index.htm or the Quest PowerShell cmdlets as they do a better job of decoding the dates.

    adfind -default -f "&(objectcategory=person)(objectclass=user)" samaccountname lastlogontimestamp -tdc -nodn

    Alternately you can use third party software True Last Logon 2.9. You can export the file in Excel for report creation. You can use the trial version; this will achieve what you are looking for.

    True Last Logon displays the following Active Directory information:
    --Users real name and logon name
    --Detailed account status
    --Last Logon Date & Time
    --Last Logon Timestamp (Replicated value)
    --Account Expiry Date & Time
    --Enabled or Disabled Account
    --Locked Accounts
    --Password Expires
    --Password Last Set Date & Time
    --Logon Count
    --Bad Password Count
    --Expiry Date
    --You can also query for any other attribute (Example: Description, telephone Number, custom attributes etc)

    Refer to the below link for the trial version:

    Hope this helps

    Sandesh Dubey.
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, December 24, 2011 12:55 AM
  • Hi,

    You can query lastlogontimestamp attribute in AD.


    You can use lastlogin also to query, but lastlogin is not replicated to all DCs; it's only updated when users/computers log on, and if lastlogin is 0 it means the user has never logged in.

    In addition, if you encounter any difficulties when writing the scripts, you may submit a new question in The Official Scripting Guys Forum!, which is the best resource for scripting-related issues.

    The Official Scripting Guys Forum!

    Hope this helps!

    Best Regards
    Elytis Cheng

    Please remember to click “Mark as Answer” on the post that

    Elytis Cheng

    TechNet Community Support

    • Marked as answer by Elytis Cheng Wednesday, December 28, 2011 6:11 AM
    Monday, December 26, 2011 8:22 AM
  • If you are looking for lastlogonTimestamp attribute (which, as mentioned earlier has limited accuracy), then you can also use the script posted at http://sgwindowsgroup.org/blogs/badz/archive/2010/03/01/querying-for-the-lastlogontimestamp-attribute-of-all-users-in-an-ou.aspx

    Otherwise, you could check the lastLogon attribute - although this will require querying all DCs in the domain. A sample script is available at https://rbeltech.wordpress.com/2011/01/17/query-last-logon-for-all-active-directory-users-in-any-domain/

    Starting with Windows Server 2008, you also can take advantage of a set of new attributes related to interactive logons. More at http://blogs.dirteam.com/blogs/jorge/archive/2008/02/10/showing-last-logon-info-at-logon-in-windows-server-2008.aspx


    • Marked as answer by Elytis Cheng Wednesday, December 28, 2011 6:11 AM
    Monday, December 26, 2011 9:19 AM
  • The following BAT writes selected data to a file. It needs an input file username.txt with all user login names, one per line.

    @echo off
    rem 20171205Michael-Norderstedt
    rem Written for local use on the AD controller
    rem This BAT lists the last logon and the password expiry date
    rem username.txt contains the user logins to check and must exist
    rem accountlogin.txt is created with the output of the "net user" command
    rem accountcheck.txt is created with extracts from accountlogin.txt
    @echo %date% > accountlogin.txt
    @echo %date% > accountcheck.txt
    for /f "tokens=1" %%i IN (username.txt) do (
        net user %%i >> accountlogin.txt
    )
    for /f "tokens=1,2,3,4" %%i IN (accountlogin.txt) do (
        if %%i==User (
            if %%j==name (
                @echo %%k >> accountcheck.txt
            )
        )
        if %%i==Full (
            if %%j==Name (
                @echo %%k %%l >> accountcheck.txt
            )
        )
        if %%i==Password (
            if %%j==expires (
                @echo %%k Password expired >> accountcheck.txt
            )
        )
        if %%i==Last (
            if %%j==logon (
                @echo %%k Last logon  >> accountcheck.txt
            )
        )
        if %%i==Account (
            if %%j==active (
                @echo aktiv: %%k  >> accountcheck.txt
            )
        )
    )
    notepad accountcheck.txt

    Tuesday, December 5, 2017 12:25 PM