How to Get Last Logon Time for a User Account

It’s actually really easy to figure out the last time a user account logged onto (authenticated with) a machine on your network.

Each time an account successfully authenticates to a domain controller while on the network the event is logged in Active Directory in an attribute named lastLogon.

This attribute can be read in one of several ways. Let’s take a look at the easiest ones.

Finding last logon time with Active Directory Administration Center

By far the easiest method for those that just need to look up one user’s last logon and prefer gui interfaces is using the Attribute Editor within ADAC.

Simply open ADAC (Active Direcotry Administration Center) and navigate to your desired user account.

Navigate to the extensions section and click on the attribute editor.

You’ll find the last logon time to the right of the lastLogon attribute.

You can also access this information using legacy Active Directory Users and Computers (provided you have enabled Advanced Features) but I prefer to use ADAC (as does Microsoft).

It’s important to note that this attribute

Determining Last Logon with Powershell

My favorite method for finding the last logon time (and really anything in an active directory domain) is to use PowerShell. It’s just so darn handy and quick!

The easiest way to start is by connecting to one of your domain controllers and launching PowerShell as an admin.

You can also import the Active Directory PowerShell Module (already done if you have installed Remote Server Admin Tools (RSAT)).

Once in PowerShell run the command:

Get-ADUser -Identity "cjones" -Properties "LastLogonDate"

In this example cjones is the username of the account we are needing the last logon for. The ouput of the above command looks like this:

DistinguishedName : CN=Chris Jones,OU=Users,DC=npgdom,DC=com
Enabled : True
GivenName : Christopher
LastLogonDate : 9/5/2018 9:06:36 AM
Name : Chris Jones
ObjectClass : user
ObjectGUID :
SamAccountName : CJONES
SID : S-1-5-21-8685940569-6978574657-9285763528-5587
Surname : Jones
UserPrincipalName : CJONES@NPGDOM.COM

As you can see, the output contains the field LastLogonDate complete with the last time that the cjones account authenticated with the domain on a computer.

If you want to collect the last logon information for all of the users in an OU and output it to a CSV file you can customize and use the following script within your PowerShell session:

Get-ADUser -Filter * -SearchBase "ou=users,dc=npgdom,dc=com" -ResultPageSize 0 -Property CN, Description, LastLogonTimestamp | Select-Object -Property CN, Description, @{ n = "LastLogonDate"; e = { [datetime]::FromFileTime( $_.lastLogonTimestamp ) } } | Sort-Object -Property CN, Description, LastLogonDate | Export-CSV -NoTypeInformation "C:\output.csv"

Locate your CSV file and open it to find each user listed by CN followed by their description and last logon date and time stamps.

It’s important to note that the lastlogon attribute can differ between domain controllers depending on which one processed the most recent authentication. Because of that, it’s recommended to connect to and check all of your domain controllers to get the absolute latest logon time.

That brings us to the more advanced, but more accurate method of PowerShell scripting to query all domain controllers.

Determining Last Login with a PowerShell Script

As mentioned above, the lastlogon attribute can differ depending on which Active Directory Domain Controller it is read from. So the most accurate method will be to query all domain controllers and report the latest value.

To do this, you can use the following scrip in a powershell script:

Import-Module ActiveDirectory

function Get-ADUserLastLogon([string]$userName)
  $dcs = Get-ADDomainController -Filter {Name -like "*"}
  $time = 0
  foreach($dc in $dcs)
    $hostname = $dc.HostName
    $user = Get-ADUser $userName | Get-ADObject -Server $hostname -Properties lastLogon 
    if($user.LastLogon -gt $time) 
      $time = $user.LastLogon
  $dt = [DateTime]::FromFileTime($time)
  Write-Host $username "last logged on at:" $dt }

Get-ADUserLastLogon -UserName testuser

That’s it! Hopefully this will help you save some valuable time!

Recommended for You: Solarwinds Hybrid Systems Monitoring Bundle

Know which applications are having issues in your environment before users complain? Know which systems are causing those problems or were recently changed by someone? How about which servers are about to have problems like running out of space or memory?

Automate collection of data and alerting on your local or cloud applications and servers with Solarwinds Hybrid Systems Bundle so you have these answers.

Get insight into Active Directory, DNS, DHCP, and your Virtual and Applications environments, both locally and cloud hosted, without needing to mess with complex templates or knowing a single line of code.

Chase Smith, CCNP

Chase Smith, CCNP is a Network Engineer III who has spent the last decade elbow deep in enterprise system administration and networking. He can usually be found trying to warm up behind the storage in the datacenter.

Leave a Reply

Your email address will not be published. Required fields are marked *