
Finding AD user's last logon using native AD tools

Tracking user logon activity is essential for security audits, inactive account cleanup, and maintaining a secure and efficient AD environment. However, relying on native tools for something as critical as an AD user's last logon date can be misleading and put your organization at risk.

When you try to determine a user's last logon using native AD tools, you'll likely encounter a few different attributes, primarily lastLogon and lastLogonTimestamp. Neither of these attributes, on its own, provides the true last logon value of a user. This is because each domain controller (DC) can maintain different last logon values for the same person, making it challenging to identify the actual last logon date.

ADManager Plus, an AD reporting tool, provides comprehensive AD last logon reports that aggregate data from all DCs to give you the true last logon information in a few clicks.

lastLogon vs. lastLogonTimestamp vs. lastLogonDate

Here's what the lastLogon, lastLogonTimestamp, and lastLogonDate attributes signify:

  • lastLogon: This attribute is updated every time a user logs in to AD. However, it is not replicated across DCs, so to find the true last logon time you need to manually query every DC in your domain and compare the timestamps, which is a time-consuming and inefficient process.
  • lastLogonTimestamp: Unlike the lastLogon attribute, this attribute is replicated across all DCs, but it only gets updated if the current value is more than 9 to 14 days old. This delay is designed to reduce replication traffic, but it means that the timestamp you see could be up to 14 days out of date, making it unreliable for real-time monitoring.
  • lastLogonDate: This is a readable version of the lastLogonTimestamp attribute and does not represent a single value.

The following table breaks down the key differences between these AD last logon attributes:

| Attribute | Replication | Accuracy | Use case | Update frequency |
|---|---|---|---|---|
| lastLogon | Not replicated | Highest accuracy | Investigating a specific user's activity on a specific DC | Updated for every authentication |
| lastLogonTimestamp | Replicated | Low accuracy | Identifying stale or inactive accounts over a long period | Nine to 14 day delay |
| lastLogonDate | Replicated | Low accuracy | Scripting and reporting purposes | Based on lastLogonTimestamp |
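
The per-DC comparison described above can be done with the ActiveDirectory PowerShell module. The script below is an added example, not ADManager Plus code or part of the original page; the function name Get-TrueLastLogon and the account name jdoe are constructed for illustration.

```powershell
# Added example: resolve a user's most recent logon by querying every DC.
# Assumes the ActiveDirectory module (RSAT) and read access to each DC.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)] [string] $Identity   # sAMAccountName, DN, GUID or SID
    )

    $latest     = [long]0    # highest per-DC lastLogon seen (FILETIME ticks)
    $sourceDc   = $null      # DC that reported that value
    $replicated = [long]0    # replicated lastLogonTimestamp, for comparison
    $failed     = @()        # DCs where the lookup did not succeed

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # A DC that cannot be queried turns the answer into a lower bound.
            $failed += $dc.HostName
            continue
        }
        # lastLogon is local to each DC; empty or 0 means no logon was seen there.
        if ($u.lastLogon -gt $latest) {
            $latest   = $u.lastLogon
            $sourceDc = $dc.HostName
        }
        if ($u.lastLogonTimestamp -gt $replicated) {
            $replicated = $u.lastLogonTimestamp
        }
    }

    [pscustomobject]@{
        Identity              = $Identity
        LastLogonUtc          = if ($latest -gt 0) { [DateTime]::FromFileTimeUtc($latest) } else { $null }
        ReportedBy            = $sourceDc
        LastLogonTimestampUtc = if ($replicated -gt 0) { [DateTime]::FromFileTimeUtc($replicated) } else { $null }
        FailedDCs             = $failed
    }
}

# 'jdoe' is a constructed sample account name.
Get-TrueLastLogon -Identity 'jdoe'
```

A non-empty FailedDCs list means the user may have authenticated more recently against a DC that was not read, so treat LastLogonUtc as "at least this recent" before disabling an account on the strength of it.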

How to find AD user's true last logon date

The Real Last Logon report in ADManager Plus fetches and displays the true last logon date and time of AD users. This report aggregates the lastLogonTimestamp attribute of users from all DCs in the network and accurately identifies the most recent last logon for each AD user. With this report, administrators can also generate the last logon date for individual users in specific domains, groups, or organizational units. To obtain the last logon date using ADManager Plus:

  1. Pick the report

    Select the Real Last Logon report in ADManager Plus.

  2. Generate and apply filters

    Generate the report and apply filters to view specific attributes of users.

  3. Export last logon information

    Export the results in formats such as CSV, PDF, HTML, XLSX, and CSVDE.

The Real Last Logon report in ADManager Plus that fetches the true last logon of AD users.

Highlights of using ADManager Plus to obtain the last logon details of AD users

  • Accurate last logon time and date

    Get the true last logon time for every user without using complex scripts.

  • On-the-fly user management

    Disable, delete, enable, or manage AD users based on their last logon date from the report itself.

  • Automated report generation

    Gain continuous visibility into the last logon date of AD users by scheduling and generating the report at regular intervals.

  • Exportable reports

    Export reports in various formats—such as CSV, PDF, and more—and meet audit requirements seamlessly.

  • Customized reporting

    Customize the reports' results to contain only the required user attributes with just drag-and-drop actions.

 

Frequently asked questions

The lastLogon attribute is updated at every logon but not replicated across DCs, while the lastLogonTimestamp is replicated, but with a delay of up to 14 days. This makes lastLogon more accurate for a single DC but lastLogonTimestamp more convenient for a domain-wide view.

ADManager Plus has a report on inactive users that allows you to identify and disable stale accounts instantly to improve your security posture.

Yes, ADManager Plus allows scheduling of last logon reports with automatic email delivery. You can set daily, weekly, monthly, or custom schedules to track user activity continuously.
