How to Detect Every Active Directory User’s Last Logon Date


Native Auditing vs. Netwrix Auditor for Active Directory

Native Auditing
Steps
  1. Open PowerShell ISE.
  2. Create a new script with the following code, defining the “$Path” value, and then run the script.

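    Import-Module ActiveDirectory
    # Output file for the report
    $Path = 'C:\Temp\LastLogon.csv'
    # Enabled accounts only; lastLogonTimestamp is a FILETIME value, converted to a readable date (HH = 24-hour clock)
    Get-ADUser -Filter {enabled -eq $true} -Properties LastLogonTimeStamp |
      Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} |
      Export-Csv -Path $Path -NoTypeInformation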

  3. Open the file produced by the script in MS Excel.

    Example Report:

Netwrix Auditor for Active Directory
Steps
  1. Run Netwrix Auditor, navigate to Reports | Active Directory | Active Directory State-in-Time | User Accounts Last Logon Time, and click “View”.
  2. To save the report, click the “Export” button, choose “PDF”, click “Save as”, and choose a location to save it.

    Example Report:

Secure Your Infrastructure by Identifying Every User’s Last Login in Active Directory

Regularly reviewing information about every user’s last logon date in Active Directory can help you detect and remove vulnerabilities across your organization’s IT infrastructure. Each time a user logs on, the value of the Last-Logon-Timestamp attribute is recorded by the domain controller. With the last login date at hand, IT admins can readily identify inactive accounts and then disable them, thereby minimizing the risk of unauthorized attempts to log into the organization’s IT systems. Regularly auditing users’ last login dates in Active Directory is an efficient way to detect inactive accounts and prevent them from turning into bait for attackers.
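One way to turn the last-logon data into an inactive-account list, as an added example that is not part of the original page: it classifies each account against a cutoff and treats an empty lastLogonTimestamp as "never logged on" instead of converting it to a meaningless 1601 date. The function name Get-LogonStatus, the 90-day default and the sample rows are assumptions constructed for illustration; because domain controllers by default refresh lastLogonTimestamp only when the stored value is about 9 to 14 days old, keep the threshold well above 14 days.

```powershell
# Added example, not from the original page. Get-LogonStatus, the 90-day
# default and the sample rows are illustrative assumptions.
function Get-LogonStatus {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [int] $InactiveDays = 90,
        [datetime] $Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$InactiveDays) }
    process {
        # Empty or 0 means the account has never logged on; FromFileTime(0)
        # would otherwise report a meaningless date in the year 1601.
        $last = if ($User.lastLogonTimestamp) {
            [DateTime]::FromFileTime($User.lastLogonTimestamp)
        } else { $null }

        $status = if ($last) {
            if ($last -lt $cutoff) { 'Inactive' } else { 'Active' }
        } elseif ($User.whenCreated -lt $cutoff) {
            'NeverLoggedOn'   # old account that was never used
        } else {
            'New'             # recently created, not yet used
        }

        [PSCustomObject]@{
            Name      = $User.Name
            LastLogon = if ($last) { $last.ToString('yyyy-MM-dd_HH:mm:ss') } else { '' }
            Created   = $User.whenCreated.ToString('yyyy-MM-dd')
            Status    = $status
        }
    }
}

# Constructed sample rows shaped like Get-ADUser output, so this runs offline.
$now = Get-Date
$sample = @(
    [PSCustomObject]@{ Name = 'sample-active';   lastLogonTimestamp = $now.AddDays(-3).ToFileTime();   whenCreated = $now.AddYears(-2) }
    [PSCustomObject]@{ Name = 'sample-inactive'; lastLogonTimestamp = $now.AddDays(-200).ToFileTime(); whenCreated = $now.AddYears(-3) }
    [PSCustomObject]@{ Name = 'sample-never';    lastLogonTimestamp = $null;                           whenCreated = $now.AddYears(-1) }
    [PSCustomObject]@{ Name = 'sample-new';      lastLogonTimestamp = $null;                           whenCreated = $now.AddDays(-5) }
)
$sample | Get-LogonStatus -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
#     Get-LogonStatus | Where-Object Status -in 'Inactive','NeverLoggedOn' |
#     Export-Csv -Path 'C:\Temp\InactiveUsers.csv' -NoTypeInformation
```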

 
Netwrix Auditor for Active Directory enables IT pros to get detailed information about all activity in Active Directory, including the last logon time for every Active Directory user account. The solution includes comprehensive pre-built reports that streamline logon monitoring and help IT pros track the last time that users logged into the system. In particular, the User Accounts - Last Logon Time report lists all user accounts — both enabled and disabled — with the path and last logon time for each account. This report helps IT pros spot inactive accounts that are potential security holes because they could be used as backdoor accounts by attackers. The report subscription function enables IT admins to have the report delivered by email automatically on the schedule they specify, facilitating regular review in accordance with best practices and enabling them to eliminate system vulnerabilities more efficiently.
 
