How to Find a User’s Last Logon Time

In this post, I’m going to show you two simple methods for finding a user’s last logon time.

It is common for HR and supervisors to request when an employee last logged in to the network. System administrators may also use this for security forensic reasons.

Every time you log into a computer that is connected to Active Directory it stores that user’s logon time into a user attribute called Last-Logon.

There are multiple ways to retrieve the value of this attribute.

Below I have provided two simple methods for retrieving this value and both include step by step instructions.

Recommended Tool: SolarWinds Admin Bundle for Active Directory

3 Free tools, find inactive user or computer accounts  and quickly bulk import new user accounts.

Download your free copy of Admin Bundle for Active Directory

Method 1: Find last logon time using the Attribute Editor

Step1: Open Active Directory Users and Computers and make sure Advanced features is turned on.

Step 2: Browse and open the user account

Step 3: Click on Attribute Editor

Step 4: Scroll down to view the last Logon time

Very Easy.

Related: Find all Disabled AD User Accounts

Method 2: Using PowerShell to find last logon time

Step 1: Log into a Domain Controller

If you don’t run this from a DC, you may need to import the Active Directory PowerShell modules.

Step 2: Open PowerShell

Step 3: Run the following command

Get-ADUser -Identity “username” -Properties “LastLogonDate”

Replace “username” with the user you want to report on.

Video demonstrating both methods.

Done…

I have just shown you two very simple and quick methods for finding when a user last logged on to the domain.

I’d like to hear what you have to say:

Was this post helpful or do you have questions?

Let me know by leaving a comment below right now.

See Also:

How to Find and Remove Obsolete Computer Accounts 
Find all Locked AD User Account

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

Download Your Free Trial of SolarWinds Server & Application Monitor. 

9 Comments

  1. Abdallah on January 17, 2018 at 4:03 pm

    Hi,

    This is perfect article but i would like to pull last logon for all users how to go about

    Thanks

    • mug on January 18, 2018 at 1:24 am

      Hi Abdallah,

      Good question.

      The free version of AD Tidy will easily pull the last logon for all users.
      http://www.cjwdev.com/Software/ADTidy/Info.html

      You can also use a powershell script.

    • Klaawz on January 26, 2018 at 11:24 am

      Hi Abdallah,
      You can easily do this with AD FastReporter Free – https://albusbit.com/ADFastReporter.php

      • mug on January 26, 2018 at 1:43 pm

        Klaawz,

        Thanks for the suggestion.

        I saw your blog post on how to create a last logon report with AD FastReporter. Is there a way to save the report for quick access or do you have to manually create it each time?

        • Klaawz on January 30, 2018 at 5:40 am

          In the Free version, you can export a report to a CSV, XLSX, or HTML file.
          In the Pro version, all reports are stored in a local database and are available at any time for viewing or exporting.

          • Robert Allen on January 30, 2018 at 1:38 pm

            Thanks Klaawz



    • Bra-Psy on May 16, 2018 at 7:16 am

      Get-ADUser -Filter * -Properties * | Select-Object Name, msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon | Sort-Object -Descending msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon

      Taken from – https://4sysops.com/archives/use-powershell-to-get-last-logon-information/

  2. TrixM on September 11, 2018 at 3:37 am

    This advice seems very old fashioned and amateur (not “pro”), and I have no idea how this page is so high in Google rank.

    “LastLogon” queried in this way is only accurate for a domain where there is one domain controller. The LastLogon time attribute is not replicated between domain controllers, and it only applies to the DC where you’re reading the value from. If you query the user information on another DC, it can be completely different (and generally *is* different).

    You can use LastLogonTimestamp (which is replicated to all DCs) to find a last logon time that’s accurate to within 14 days (I don’t know why it’s this interval). That is, for a date that’s more than 14 days ago, that was the last time the user logged on at any DC in the domain. This is useful if you want to know accounts that last logged on a long time ago, such as more than 3 months ago or whatever.

    If you need to know the last time an account logged on within 14 days, you need to query the LastLogon attribute for the user on *every DC* in the domain and get the most recent time from those results. There are plenty of scripts available on the internet that will help you do this.

    • Robert Allen on September 11, 2018 at 12:00 pm

      TrixM,

      Thanks for the detailed explanation. You are correct, I failed to mention in my article that the LastLogon attribute does not get replicated between DC. I’ll update the post. The LastLogonTimestamp can be updated even if a user has not logged on. That is why it’s better to use the LastLogon attribute to accurately report a user’s last logon time.

Leave a Comment