How to Check Active Directory User Login History

{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
Native Auditing
Netwrix Auditor for Active Directory

To enable Logon Auditing in Active Directory, follow the steps below.

  1. On your domain controller, run Group Policy Management Console (Press Win+R -> Type “GPMC.exe” -> Click “Run”).
  2. Create a new policy and link this new GPO to an organizational unit (OU) containing the computers where you’d like to track user activity.
  3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. Then go to each of the following:
  • System > Audit Security State Change — Set this to “Success.”
  • Audit Policies > Logon/Logoff — Set both “Audit Logon” and “Audit Logoff” to “Success” and “Failure.”
  • Audit Policies > Logon/Logoff > Audit — Set “Other Logon/Logoff Events” to “Success” and “Failure.”

To check user login history in Active Directory using Powershell, follow these steps: 

  1. Open the PowerShell ISE as Administrator
  2. Run the following script, adjusting the timeframe:

# Find DC list from Active Directory 
$DCs = Get-ADDomainController -Filter * 

# Define time for report (default is 1 day) 
$startDate = (get-date).AddDays(-1) 

# Store successful logon events from security logs with the specified dates and workstation/IP in an array 
foreach ($DC in $DCs){ 
$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {($_.eventID -eq 4624) -or ($_.eventID -eq 4625) }}  

# Crawl through events; print all logon history with type, date/time, status, account name, computer, and IP address if the user logged on remotely 

 foreach ($e in $slogonevents){ 
   # Logon Successful Events 
   # Local (Logon Type 2) 
   if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){ 
     write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] 
   # Remote (Logon Type 10) 
   if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){ 
     write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18] 
    # Logon Failed Events 
   # Local (Logon Type 2) 
   if (($e.EventID -eq 4625 ) -and ($e.ReplacementStrings[8] -eq 2)){ 
     write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Failed`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] 
   # Remote (Logon Type 10) 
   if (($e.EventID -eq 4625 ) -and ($e.ReplacementStrings[8] -eq 10)){ 
     write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Failed`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18] 

  1. Review the results:
How to Check Active Directory User Login History - Native Auditing
  1. Run Netwrix Auditor → Navigate to “Reports” → Open “Active Directory” → Go to “Logon Activity” → Depending on which logon events you want to review, select “Successful Logons,” "Failed Logons" or “All Logon Activity” → Click “View.”
  2. Review the report:
How to Check Active Directory User Login History - Netwrix Auditor

Get Active Directory User Login History with or without PowerShell Scripts

When investigating account lockouts, suspicious access, or performing regular access management audits, one of the first things to do is review user activity. Logon events can often tell you the problem immediately and whether the user is accessing appropriate resources. For this data to be available, you must have enabled appropriate audit policies on the network computers where you want to track user activity.

Active Directory auditing stores user logon history details in event logs on domain controllers. Therefore, the most straightforward option to get user logons is to filter out all Security events in the Windows Event Viewer and find the target user account and logon type. In Windows Server 2008 through Windows Server 2016, the event ID for a user logon event is 4624. These events contain data about the Active Directory user, time, computer and type of user logon. If you need to know the logon session time, you can tie an event to logoff event IDs 4634 and 4647 using the logon ID (a unique number between reboots that identifies the logon session).

Another way to get this information with native tools is using PowerShell. The PowerShell script provided above lets you get a user login history report without manually crawling through the Windows logs. That script uses the main command to get the logs is Get-EventLog. However, running a PowerShell script whenever you need a user login history report can be a pain, as processing time can be substantial, even in small AD environments.

Netwrix Auditor for Active Directory is an easier way to monitor user activity and strengthen the security of your Active Directory and AD-reliant systems. With this solution, you can get a clear and detailed Active Directory login history report for a specific user or all users with just a few clicks. You can even subscribe to this report, which will be delivered automatically by email according to your specific schedule. This security platform is not limited to user login auditing; it includes a wide range of pre-configured reports, flexible alerts, and Google-like interactive search that empower you to quickly investigate incidents and proactively enhance security across your on-premises, cloud, or hybrid IT environment. 

Related How-tos