How to Find a User’s Last Logon Time

In this post, I’m going to show you three simple methods for finding active directory users last logon date and time.

Every time you log into a computer that is connected to Active Directory it stores that users last logon date and time into a user attribute called lastlogon.

Let’s check out some examples on how to retrieve this value.

TIP: The lastlogon attribute is the most accurate way to check active directory users last logon time. There is also the LastLogonTimeStamp attribute but will be 9-14 days behind the current date. The intended purpose of the LastLogonTimeStamp is to help identify stale user and computer accounts. The lastlogon attribute is not replicated to other DCs so you will need to check this attribute on each DC to find the most recent time. The tool in example 3 will do this for you.

Method 1: Find last logon time using the Attribute Editor

These first two examples work well for checking a single user. If you want to run a report for all users then check out example 3.

Step1: Open Active Directory Users and Computers and make sure Advanced features is turned on.

Step 2: Browse and open the user account

Step 3: Click on Attribute Editor

Step 4: Scroll down to view the last Logon time

If you have multiple domain controllers you will need to check this value on each one to find the most recent time.

Related: Find all Disabled AD User Accounts

Method 2: Using PowerShell to find last logon time

Step 1: Log into a Domain Controller

If you don’t run this from a DC, you may need to import the Active Directory PowerShell modules.

Step 2: Open PowerShell

Step 3: Run the following command

Get-ADUser -Identity “username” -Properties “LastLogonDate”

Replace “username” with the user you want to report on.

Video demonstrating both methods.

Method 3: Find All AD Users Last Logon Time

The built in Microsoft tools does not provide an easy way to report the last logon time for all users that’s why I created the AD Last Logon Reporter Tool.

This tool allows you to select a single DC or all DCs and return the real last logon time for all active directory users.

Step 1: Download and launch tool

You can download the tool here

It only takes 3 simple steps to run this tool. It’s very easy!

1. Run the AD Last Logon Reporter executable

2. Select all DCs or a single DC from the drop down

3. Click the generate report button in the action section

You can see in the screenshot below the tool returns the users name, account name, domain controller name, and the last logon date. You can click on any column to sort the results in ascending or descending order.

Step 2: Export results to CSV or HTML

To export the results just click on the CSV or HTML button in the actions section.

You will be prompted for a location to save the file, once saved the file will automatically open.

Here is a screenshot of the report exported to HTML.

The AD last logon Reporter eliminates all the manual work of checking the lastlogon attribute for all users across all domain controllers. It would be very time consuming and difficult to return the real last logon time without this tool.

I have just shown you three very simple and quick methods for finding when a user last logged on to the domain.

I’d like to hear what you have to say:

Was this post helpful or do you have questions?

Let me know by leaving a comment below right now.

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

Download Your Free Trial of SolarWinds Server & Application Monitor. 

11 Comments

  1. Abdallah on January 17, 2018 at 4:03 pm

    Hi,

    This is perfect article but i would like to pull last logon for all users how to go about

    Thanks

    • mug on January 18, 2018 at 1:24 am

      Hi Abdallah,

      Good question.

      The free version of AD Tidy will easily pull the last logon for all users.
      http://www.cjwdev.com/Software/ADTidy/Info.html

      You can also use a powershell script.

    • Klaawz on January 26, 2018 at 11:24 am

      Hi Abdallah,
      You can easily do this with AD FastReporter Free – https://albusbit.com/ADFastReporter.php

      • mug on January 26, 2018 at 1:43 pm

        Klaawz,

        Thanks for the suggestion.

        I saw your blog post on how to create a last logon report with AD FastReporter. Is there a way to save the report for quick access or do you have to manually create it each time?

        • Klaawz on January 30, 2018 at 5:40 am

          In the Free version, you can export a report to a CSV, XLSX, or HTML file.
          In the Pro version, all reports are stored in a local database and are available at any time for viewing or exporting.

          • Robert Allen on January 30, 2018 at 1:38 pm

            Thanks Klaawz



    • Bra-Psy on May 16, 2018 at 7:16 am

      Get-ADUser -Filter * -Properties * | Select-Object Name, msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon | Sort-Object -Descending msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon

      Taken from – https://4sysops.com/archives/use-powershell-to-get-last-logon-information/

  2. TrixM on September 11, 2018 at 3:37 am

    This advice seems very old fashioned and amateur (not “pro”), and I have no idea how this page is so high in Google rank.

    “LastLogon” queried in this way is only accurate for a domain where there is one domain controller. The LastLogon time attribute is not replicated between domain controllers, and it only applies to the DC where you’re reading the value from. If you query the user information on another DC, it can be completely different (and generally *is* different).

    You can use LastLogonTimestamp (which is replicated to all DCs) to find a last logon time that’s accurate to within 14 days (I don’t know why it’s this interval). That is, for a date that’s more than 14 days ago, that was the last time the user logged on at any DC in the domain. This is useful if you want to know accounts that last logged on a long time ago, such as more than 3 months ago or whatever.

    If you need to know the last time an account logged on within 14 days, you need to query the LastLogon attribute for the user on *every DC* in the domain and get the most recent time from those results. There are plenty of scripts available on the internet that will help you do this.

    • Robert Allen on September 11, 2018 at 12:00 pm

      TrixM,

      Thanks for the detailed explanation. You are correct, I failed to mention in my article that the LastLogon attribute does not get replicated between DC. I’ll update the post. The LastLogonTimestamp can be updated even if a user has not logged on. That is why it’s better to use the LastLogon attribute to accurately report a user’s last logon time.

  3. Kenny on December 15, 2018 at 5:27 am

    Hi Robert, the LastLogon attribute logs successful and unsuccessful logins?

    2. What is special about the Active Directory built-in account in relation to schema admin, enterprise admin and domain admin?

Leave a Comment