How to Detect Every Active Directory User’s Last Logon Date

{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
Native Auditing
Netwrix Auditor for Active Directory
  1. Open Powershell ISE.
  2. Create new script with the following code, defining the “$Path” value, and then run the script.

$Path = 'C:\Temp\LastLogon.csv'
Get-ADUser -Filter {enabled -eq $true} -Properties LastLogonTimeStamp | 
Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_hh:mm:ss')}} | Export-Csv -Path $Path –notypeinformation

  1. Open the file produced by the script in MS Excel.

    Example Report:
Excel Report - How to Detect Every Active Directory User’s Last Logon Date
  1. Run Netwrix Auditor → Navigate to “Reports” → Expand the “Active Directory” section → Go to “Active Directory – State-in-Time” → Select “User Accounts - Last Logon Time” → Click “View”.

    If you want to get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.
Netwrix Report - How to Detect Every Active Directory User’s Last Logon Date

Secure Your Infrastructure by Identifying Every User’s Last Login in Active Directory

Regularly reviewing information about every user’s last logon date in Active Directory can help you detect and remove vulnerabilities across your organization’s IT infrastructure. Each time a user logs on, the value of the Last-Logon-Timestamp attribute is fixed by the domain controller. With the last login date at hand, IT admins can readily identify inactive accounts and then disable them, thereby minimizing the risk of unauthorized attempts to log into the organization’s IT systems. Regularly auditing users’ last login dates in Active Directory is an efficient way to detect inactive accounts and prevent them from turning into bait for attackers.  

Netwrix Auditor for Active Directory enables IT pros to get detailed information about all activity in Active Directory, including the last logon time for every Active Directory user account. The solution includes comprehensive pre-built reports that streamline logon monitoring and help IT pros track the last time that users logged into the system. In particular, The User Accounts - Last Logon Time report lists all user accounts — both enabled and disabled — with the path and last logon time for each account. This report helps IT pros spot inactive accounts that are potential security holes because they could be used as backdoor accounts by attackers. The report subscription function enables IT admins have the report delivered by email automatically on the schedule they specify, facilitating regular review in accordance with best practices and enabling them to eliminate system vulnerabilities more efficiently. 

Related How-tos