Direct Inward Dialing: +1 408 916 9892
To conduct user audit trails, administrators would often want to know the history of user logins. This will greatly help them ascertaining user behaviors with respect to logins. Though this information can be got using Windows PowerShell, writing down, compiling, executing, and changing the scripts to meet specific granular requirements is a tedious process.
Active Directory (AD) auditing solution such as ManageEngine ADAudit Plus will help administrators ease this process by providing ready-to-access reports on this and various other critical security events. Below is the comparison between obtaining an AD user's login history report with Windows PowerShell and ADAudit Plus:
# Find DC list from Active Directory $DCs = Get-ADDomainController -Filter * # Define time for report (default is 1 day) $startDate = (get-date).AddDays(-1) # Store successful logon events from security logs with the specified dates and workstation/IP in an array foreach ($DC in $DCs){ $slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }} # Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely foreach ($e in $slogonevents){ # Logon Successful Events # Local (Logon Type 2) if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){ write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] } # Remote (Logon Type 10) if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){ write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18] }}
Screenshot
Following are the limitations to obtain the report of every user's login history using native tools like Windows PowerShell:
This means you have to collect information from DCs as well as workstations and other Windows servers to get a complete overview of all logon and logoff activities within your environment. This is a laborious and mundane process for the system administrators.
ADAudit Plus generates the user login history report by automatically scanning all DCs in the domain to retrieve the users' login histories and display them on a simple and intuitively designed UI.