Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

How to get users' logon history in Active Directory

Viewing and analyzing user logon history is essential as it helps predict logon patterns and conduct audit trails. You can get the user logon history using Windows PowerShell. Alternatively, you can use a comprehensive AD auditing solution like ADAudit Plus that will make things simple for you.

This article compares the method of getting user logon history information using Windows PowerShell and ADAudit Plus.

PowerShell

Steps to get users' logon history:

  • Identify the domain from which you want to retrieve the report.
  • Identify the primary DC to retrieve the report.
  • Compile the script.
  • Execute it in Windows PowerShell
  • In case you want to export the report in a particular file format, you will need to customize the cmdlet as required.

Sample Windows PowerShell script

# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
 
# Define time for report (default is 1 day)
$startDate = (get-date).AddDays(-1)
 
# Store successful logon events from security logs with the specified dates and workstation/IP in an array
foreach ($DC in $DCs){
$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }}
 
# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely
 
 foreach ($e in $slogonevents){
 # Logon Successful Events
 # Local (Logon Type 2)
 if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){
 write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
 }
 # Remote (Logon Type 10)
 if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){
 write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
 }}
 Copied
Click to copy entire script

ADAudit Plus

To obtain the report,

  • Login to ADAudit Plus web console.
  • Navigate to Reports tab -> Local Logon-Logoff section -> Logon Activity report.
  • In the 'Domain' field found on the top right corner, select either the required domain or select 'All Domains'.
  • Use the 'Search' option to filter for specific user names, or domain controller, if required.
  • Obtain the entire logon history of users for a period of your choice.
    active-directory-user-logon-logoff-report-powershell-1
  • Export the report in a format of your choice: CSV, PDF, XLS, or HTML.

The following are the limitations of using PowerShell to get the user logon history:

  • We can run the above script only from the computers which have Active Directory Domain Services role.
  • To change date formats and to apply different time zones on the date results, the script has to be modified or created each time.
  • It's difficult to export the report in other formats.
  • Applying more filters, like 'During business hours', 'Period', and 'Export as' will increase the LDAP query complexity.

On the other hand, ADAudit Plus will quickly scan all the DCs in the domain and gets you the the entire history of users' logons in the form of an intuitive report.

  • Avoid complex PowerShell-scripting, and simplify AD change auditing with ADAudit Plus.
  •  
  • By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.
  •  
  • Thanks!
  • Your download is in progress and it will be completed in just a few seconds! If you face any issues, download manually here.

Related Resources

ADAudit Plus Trusted By