How to Check Active Directory User Login History

Native Auditing
Steps

Enabling Logon Auditing

  1. On your domain controller, run Group Policy Management Console (Press Win+R -> Type “GPMC.exe” -> Click “Run”).
  2. Create a new policy and link this new GPO to an organizational unit (OU) that contains the computers where you’d like to track user activity.
  3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. Then go to each of the following:
  • System > Audit Security State Change — Set this to “Success”.
  • Logon/Logoff > Audit Logon and Audit Logoff — Set both to “Success” and “Failure”.
  • Logon/Logoff > Audit Other Logon/Logoff Events — Set this to “Success” and “Failure”.
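Before relying on the log data, it is worth confirming that the GPO actually took effect on the machine you plan to query. The following check is an added example, not part of the original article: it reads the effective audit policy with auditpol, compares it with the settings above and flags any subcategory that is still not audited. It assumes an elevated prompt and an English-language Windows install, since auditpol prints localized subcategory names.

```powershell
# Added example (not from the original article): verify the effective audit policy
# for the subcategories the GPO above is supposed to set. Run from an elevated prompt
# on the machine whose Security log you intend to query.
$required = @{
    'Security State Change'     = 'Success'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success and Failure'
    'Other Logon/Logoff Events' = 'Success and Failure'
}

# /r makes auditpol emit CSV; /category:* returns every subcategory in one call.
# Blank lines are dropped so ConvertFrom-Csv sees the header first.
$effective = auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |
    ConvertFrom-Csv

foreach ($name in $required.Keys) {
    $row     = $effective | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }

    # 'Success and Failure' satisfies a subcategory that only needs 'Success'
    $ok = ($setting -eq $required[$name]) -or ($setting -eq 'Success and Failure')

    '{0,-28} expected: {1,-20} effective: {2,-20} {3}' -f `
        $name, $required[$name], $setting, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
```

If a row reports MISMATCH right after linking the GPO, run gpupdate /force on the machine and check again; the settings are only effective once the policy has been applied.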

 

Reviewing Logon Events

  1. Open the PowerShell ISE as Administrator
  2. Run the following script, adjusting the timeframe:

# Find the list of domain controllers from Active Directory
$DCs = Get-ADDomainController -Filter *

# Define the time window for the report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)

# Collect successful (4624) and failed (4625) logon events from the Security log of every DC.
# Append with += so each DC's events are added rather than overwriting the previous DC's.
$slogonevents = @()
foreach ($DC in $DCs) {
    $slogonevents += Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate |
        Where-Object { ($_.EventID -eq 4624) -or ($_.EventID -eq 4625) }
}

# Walk through the events; print logon type, date/time, status, account name, workstation
# and (for remote logons) the source IP address.
# ReplacementStrings are positional and the layout differs between 4624 and 4625:
#   4624: [5] account, [8] logon type, [11] workstation, [18] source IP
#   4625: [5] account, [10] logon type, [13] workstation, [19] source IP
foreach ($e in $slogonevents) {
    # Successful logon events
    # Local (Logon Type 2)
    if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[8] -eq 2)) {
        Write-Host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
    }
    # Remote (Logon Type 10)
    if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[8] -eq 10)) {
        Write-Host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
    }
    # Failed logon events
    # Local (Logon Type 2)
    if (($e.EventID -eq 4625) -and ($e.ReplacementStrings[10] -eq 2)) {
        Write-Host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Failed`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[13]
    }
    # Remote (Logon Type 10)
    if (($e.EventID -eq 4625) -and ($e.ReplacementStrings[10] -eq 10)) {
        Write-Host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Failed`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[13] "`tIP Address: "$e.ReplacementStrings[19]
    }
}
 

  3. Review the results (screenshot: How to Check Active Directory User Login History - Native Auditing).

Netwrix Auditor for Active Directory

  1. Run Netwrix Auditor → Navigate to “Reports” → Open “Active Directory” → Go to “Logon Activity” → Depending on which logon events you want to review, select “Successful Logons”, “Failed Logons” or “All Logon Activity” → Click “View”.
  2. Review the report (screenshot: How to Check Active Directory User Login History - Netwrix Auditor).

Get Active Directory User Login History with or without PowerShell Scripts

When you’re investigating account lockouts or suspicious access, or performing regular access management audits, one of the first things to do is review user activity. Logon events can often tell you right away what the problem is and whether the user is accessing appropriate resources. For this data to be available, you must have enabled the appropriate audit policies on the computers where you want to track user activity.

Active Directory auditing stores user logon history details in the event logs on domain controllers. Therefore, the most straightforward option to get user logons is to filter the Security log in the Windows Event Viewer for the target user account and logon type. In Windows Server 2008 through Windows Server 2016, the event ID for a user logon event is 4624. These events contain data about the Active Directory user, time, computer and type of user logon. If you need to know the logon session time, you can tie a logon event to the logoff event IDs 4634 and 4647 using the logon ID (a unique number between reboots that identifies the logon session).
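The pairing of 4624 with 4634/4647 by logon ID described above, written out as an added example that is not part of the original article. It uses Get-WinEvent and reads the named XML fields of each event instead of positional ReplacementStrings, which keeps the field lookup the same across event IDs; $ComputerName and $StartTime are assumed parameters. One caveat a practitioner should keep in mind: interactive (type 2) and RDP (type 10) 4624 events are written to the Security log of the computer the user signed in to, so pointed at a domain controller this reports only sessions on that DC; point it at the workstation, or at a collector that forwards its Security log, to see a user's sessions elsewhere.

```powershell
# Added example (not from the original article): compute logon session durations by
# matching each 4624 to the 4634/4647 that carries the same TargetLogonId.
# Assumes the Security log of the machine the user logged on to is reachable and
# that the account running this can read it.
param(
    [string]$ComputerName = $env:COMPUTERNAME,      # assumption: local machine by default
    [datetime]$StartTime  = (Get-Date).AddDays(-1)  # assumption: last 24 hours
)

# Pull logon and logoff events in one query
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4647
    StartTime = $StartTime
} -ErrorAction Stop

# Read a named EventData field from the event XML (positions differ per event ID, names do not)
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$open = @{}   # logon ID -> session still waiting for its logoff
$sessions = foreach ($e in ($events | Sort-Object TimeCreated)) {
    $logonId = Get-EventField $e 'TargetLogonId'
    switch ($e.Id) {
        4624 {
            $type = Get-EventField $e 'LogonType'
            # Only interactive (2) and RDP (10) logons are user sessions worth timing here
            if ($type -in 2, 10) {
                $open[$logonId] = [pscustomobject]@{
                    User        = Get-EventField $e 'TargetUserName'
                    LogonType   = $type
                    Workstation = Get-EventField $e 'WorkstationName'
                    IpAddress   = Get-EventField $e 'IpAddress'
                    LogonTime   = $e.TimeCreated
                }
            }
        }
        { $_ -in 4634, 4647 } {
            if ($open.ContainsKey($logonId)) {
                $s = $open[$logonId]
                $open.Remove($logonId)
                [pscustomobject]@{
                    User        = $s.User
                    LogonType   = $s.LogonType
                    Workstation = $s.Workstation
                    IpAddress   = $s.IpAddress
                    LogonTime   = $s.LogonTime
                    LogoffTime  = $e.TimeCreated
                    LogoffEvent = $e.Id
                    Duration    = $e.TimeCreated - $s.LogonTime
                }
            }
        }
    }
}

"Completed sessions on $ComputerName since $StartTime"
$sessions | Format-Table User, LogonType, Workstation, IpAddress, LogonTime, LogoffTime, Duration -AutoSize

# Anything left in $open has no logoff in the window: still active, or the logoff
# happened before $StartTime / after a reboot (logon IDs are only unique between reboots).
"Sessions without a matching logoff"
$open.Values | Format-Table User, LogonType, Workstation, IpAddress, LogonTime -AutoSize
```

Because logon IDs are only unique between reboots, a logoff that is not preceded by a 4624 in the same window is simply ignored rather than matched to the wrong session; widen $StartTime if sessions that should have ended show up in the second table.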

Another way to get this information with native tools is using PowerShell. With the PowerShell script provided above, you can get a user login history report without having to manually crawl through the Windows logs. However, running a PowerShell script every time you need to get a user login history report can be a real pain, as processing time can be substantial even in small AD environments.

Netwrix Auditor for Active Directory is an easier way to keep an eye on user activity and strengthen the security of your Active Directory and AD-reliant systems. With this solution, you can get a clear and detailed report on user login history in just a few clicks. You can even subscribe to this report and it will be delivered automatically by email on the schedule you specify. This security platform is not limited to user login auditing; it includes a wide range of pre-configured reports, flexible alerts and Google-like interactive search that empower you to quickly investigate incidents and proactively enhance security across your on-premises, cloud or hybrid IT environment. 
