How to Find a User’s Last Logon Time

In this post, I’m going to show you three simple methods for finding active directory users last logon date and time.

Every time you log into a computer that is connected to Active Directory it stores that users last logon date and time into a user attribute called lastlogon.

TIP: The lastlogon attribute is the most accurate way to check active directory users’ last logon time. There is also the LastLogonTimeStamp attribute but will be 9-14 days behind the current date. The intended purpose of the LastLogonTimeStamp is to help identify stale user accounts. It can also be used to find inactive computers in Active Directory. The lastlogon attribute is not replicated to other DCs so you will need to check this attribute on each DC to find the most recent time. The AD Pro Toolkit will get the last logon details from all DCs.

Let’s check out some examples!

Method#1 Find Last Logon Time Using the Attribute Editor

Step 1: Open Active Directory Users and Computers and make sure Advanced Features is turned on.

Step 2: Browse and open the user account

Step 3: Click on Attribute Editor

Step 4: Scroll down to view the last Logon time

If you have multiple domain controllers you will need to check this value on each one to find the most recent time.

Method#2 AD Pro Toolkit

Step 1: Download the Tool

You can try this tool for free, download your copy here.

Step 2: Open Tool -> Select Last Logon Report

Select from Entire Domain, or an OU or group.

Click “Run” to generate a report.

Step 3: To Export click the export button

Find User Last Logon using PowerShell

Below are the steps to get the LastLogonDate using PowerShell.

Tip: Keep in mind to get the TRUE last logon date with PowerShell you would need to run the script on all domain controllers as the value is not replicated. The AD Pro Toolkit automatically gets the real last logon date and time from all domain controllers.

Step 1: Log into a Domain Controller

If you don’t run this from a DC, you may need to import the Active Directory PowerShell modules.

Step 2: Use Get-ADUser PowerShell cmdlet

Open Powershell and use the command below to get all domain users LastLogonDate.

Get-ADUser -filter * -Properties "LastLogonDate" | select name, LastLogonDate

You should get similar results to the screenshot below.

Video demonstrating both methods.

YouTube video

Get the Last Logon Date for List of Users

In this example, I’ll use the AD Pro Toolkit to get the last logon date for a list of users such as those in an organizational unit.

Step 1: Open the toolkit

You can try this tool for free, download your copy here.

Select “Last Logon Report” from the list of tools.

Step 2: Select Entire Domain or an OU

Next, select the entire domain or an OU or group. In this example, I’ll get the last logon date for all users in the HR OU.

Click the “Run” button to generate the report.

You can see in the screenshot above the tool returns the users name, account name, domain controller name, and the last logon date. You can click on any column to sort the results in ascending or descending order.

The AD last logon Reporter eliminates all the manual work of checking the lastlogon attribute for all users across all domain controllers. It would be very time consuming and difficult to return the real last logon time without this tool.

In addition to the last logon report, the toolkit includes Active Directory Reporting software with over 200 built-in reports.

For example, to see all users that have not logged on in the last 30 days select the report and click run.

Summary

In this guide, I walked through three methods on how to get the Active Directory Last Logon for domain user accounts.

It is important to review the last logon date for user accounts on a monthly basis to find stale user accounts. This can also be used to check the last time a user authenticated to the network. The PowerShell get-aduser cmdlet works great to get user’s last logon details from a single domain controller. To automatically collect the last logon details from all Domain Controllers then I recommend the AD Pro Toolkit.

If you have questions or comments please leave a comment below.

Recommended Tool: Permissions Analyzer for Active Directory

This FREE tool lets you get instant visibility into user and group permissions and allows you to quickly check user or group permissions for files, network, and folder shares.

You can analyze user permissions based on an individual user or group membership.

This is a Free tool, download your copy here.

37 thoughts on “How to Find a User’s Last Logon Time”

  1. Hi,

    This is perfect article but i would like to pull last logon for all users how to go about

    Thanks

    Reply
      • Avatar photo

        Klaawz,

        Thanks for the suggestion.

        I saw your blog post on how to create a last logon report with AD FastReporter. Is there a way to save the report for quick access or do you have to manually create it each time?

        Reply
        • In the Free version, you can export a report to a CSV, XLSX, or HTML file.
          In the Pro version, all reports are stored in a local database and are available at any time for viewing or exporting.

          Reply
          • Avatar photo

            Thanks Klaawz

      • Wrong PS for what they are asking.

        Reply
    • Man… I sure do get tired of people who want you to write the code for them. >.< Learn powershell guys.

      Reply
  2. To get this info for all users:

    Get-ADUser -Filter * -Properties Name,LastLogon,Displayname, EmailAddress, Title | select Name,
    @{Name=’LastLogon’;Expression={[DateTime]::FromFileTime($_.LastLogon)}},DisplayName, EmailAddress, Title | Export-CSV “C
    :\temp\Email_Addresses.csv”

    Reply
    • Last log on report comes like this “133135731765050000” Not sure how we can convert this to display properly, tried few methods in excel under number formatting but no luck, any help would be much appreciated.

      Reply
  3. This advice seems very old fashioned and amateur (not “pro”), and I have no idea how this page is so high in Google rank.

    “LastLogon” queried in this way is only accurate for a domain where there is one domain controller. The LastLogon time attribute is not replicated between domain controllers, and it only applies to the DC where you’re reading the value from. If you query the user information on another DC, it can be completely different (and generally *is* different).

    You can use LastLogonTimestamp (which is replicated to all DCs) to find a last logon time that’s accurate to within 14 days (I don’t know why it’s this interval). That is, for a date that’s more than 14 days ago, that was the last time the user logged on at any DC in the domain. This is useful if you want to know accounts that last logged on a long time ago, such as more than 3 months ago or whatever.

    If you need to know the last time an account logged on within 14 days, you need to query the LastLogon attribute for the user on *every DC* in the domain and get the most recent time from those results. There are plenty of scripts available on the internet that will help you do this.

    Reply
    • Avatar photo

      TrixM,

      Thanks for the detailed explanation. You are correct, I failed to mention in my article that the LastLogon attribute does not get replicated between DC. I’ll update the post. The LastLogonTimestamp can be updated even if a user has not logged on. That is why it’s better to use the LastLogon attribute to accurately report a user’s last logon time.

      Reply
    • So glad I read the comments to find this little gem tidbit. LastLogonTimestamp saved the day for me.

      Reply
  4. Hi Robert, the LastLogon attribute logs successful and unsuccessful logins?

    2. What is special about the Active Directory built-in account in relation to schema admin, enterprise admin and domain admin?

    Reply
  5. Hi,
    this step is very help me thank you….

    Step 3: Run the following command

    Get-ADUser -Identity “username” -Properties “LastLogonDate”

    Replace “username” with the user you want to report on.

    Reply
  6. Hi,

    This is a simple powershell script which I created to fetch the last login details of all users from AD.

    STEPS:
    ———
    1) Login to AD with admin credentials
    2) Open the Powershell in AD with Administrator elevation mode
    3) Run this below mentioned powershell commands to get the last login details of all the users from AD

    Get-ADUser -Filter * -Properties * | Select-Object -Property Name,LastLogonDate | Export-csv c:/lastlogon.csv

    This will create a CSV file in your C Drive with the name lastlogon.csv which will contain the information of last login time of all the users

    If you want to store the CSV file in different location, just change the path accordingly

    Regards,
    Shahul

    Reply
    • Avatar photo

      Shahul, thanks for sharing.

      Reply
  7. Am I able to use the “-match” command for the “username” in -Identity to find a list of users with RegEx?

    Reply
  8. Just wanted to say Thank you, this is very useful information…

    Reply
  9. How do you get the computer name they last logged into as well?

    Reply
  10. I have to know LastLogon I have the exported excel file in LastLogon Field it is Showing
    132635534097464000

    how can i know the time

    Reply
    • Avatar photo

      This should do it.

      Get-ADUser -Identity “username” -Properties “LastLogon” | Select Name, @{N=’LastLogon’; E={[DateTime]::FromFileTime($_.LastLogon)}}

      Reply
  11. Is there a way to display the last logon date per user PER COMPUTER? for example, i login to multiple computers and want to know when the last time i logged in to a specific one.
    Thank you.

    Reply
  12. Hi, Robert.

    I need a simple help like the Eugene.
    Sometimes I need to identify by username the last computer used or still using.
    I tried a lot of scripts but I cannot find a simple one for that.

    Thanks for the help.

    Reply
    • Avatar photo

      This would require checking the logs on the local computer as this info is not stored in Active Directory.

      You can do this with PowerShell, here is an example, https://theposhwolf.com/howtos/Get-LoginEvents/

      I get this request a lot so I might include this in a future release of my GUI toolkit.

      Reply
        • Avatar photo

          This script is also running locally. It is running the command “Invoke-Command -ComputerName $u.Name -ScriptBlock {quser}” against each computer to see who is currently logged on. It will only report if someone is currently logged on.

          Copy the script into PowerShell ISE click the run button then you will be able to use the Get-UserLogon command.

          Reply
          • Hi, Robert.

            Sorry to bother you.

            Robert I tried but at ISE I got this;

            PS C:\Users\Administrator.GPRO> Invoke-Command -ComputerName $u.Name -ScriptBlock {quser}
            Invoke-Command : Cannot validate argument on parameter ‘ComputerName’. The argument is null or empty. Supply an argument that is not null or empty and then try the
            command again.
            At line:1 char:30
            + Invoke-Command -ComputerName $u.Name -ScriptBlock {quser}
            + ~~~~~~~
            + CategoryInfo : InvalidData: (:) [Invoke-Command], ParameterBindingValidationException
            + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand

            Thanks for the help.

          • Avatar photo

            Did you copy the entire script lines 1 to 155 into ISE?

            I tested it and didn’t get any errors.

  13. Hi, Robert.

    The script worked, thanks.
    Now I can search by computer and I will get the user.
    Is possible to search by user and get the computer name?
    Get-UserLogon -All – this command took more then 30 minutes
    I would like to insert the name of the user and see the last computer logged.
    will be possible?

    Reply
  14. Hi,

    Is there a way to find the last login date\time and what was the hostname used logged on to?

    Reply
  15. Hi everybody, I am not an IT but an auditor. I am ckecking the last log in of an user (a former employee of my organisation) to our AD. I have used Method#1 that is explained in thia topic and the check shows that the user has logged in to the AD on 06.Nov.2022 but in fact she has left the organisation in August. Can I assume that the user account is compromised or the date of the last log in may show that a process or a system has been used the account for something? I am not sure I am explaining the situation well, but I will be grateful if you help me understand the meaning of this date!

    Reply

Leave a Comment