How to Get User Login History

We never share your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
  1. Open the PowerShell ISE → Run the following script, adjusting the timeframe:

# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *

# Define time for report (default is 1 day)
$startDate = (get-date).AddDays(-1)

# Store successful logon events from security logs with the specified dates and workstation/IP in an array
foreach ($DC in $DCs){
$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }}

# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely

  foreach ($e in $slogonevents){
    # Logon Successful Events
    # Local (Logon Type 2)
    if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){
      write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
    # Remote (Logon Type 10)
    if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){
      write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]

  1. Review the results:
PowerShell successful logons report
  1. Run Netwrix Auditor → Navigate to “Reports” → Open “Active Directory” → Go to “Logon Activity” → Select “Successful Logons” → Click “View”.
  2. To get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.
Netwrix Auditor Successful Logons report: shows successful interactive and non-interactive logons

Get Active Directory User Login History with or without PowerShell Script

Microsoft Active Directory stores user logon history data in event logs on domain controllers. Starting from Windows Server 2008 and up to Windows Server 2016, the event ID for a user logon event is 4624. These events contain data about the user, time, computer and type of user logon. Using the PowerShell script provided above, you can get a user login history report without having to manually crawl through the event logs.

But running a PowerShell script every time you need to get a user login history report can be a real pain. There’s an easier way to keep an eye on user logon and logoff events and strengthen the security of your Active Directory — Netwrix Auditor. In just a few clicks, you can have the report you need delivered automatically to your email on the schedule you specify.