Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

How to generate and export user login history report

To conduct user audit trails, administrators would often want to know the history of user logins. This will greatly help them ascertaining user behaviors with respect to logins. Though this information can be got using Windows PowerShell, writing down, compiling, executing, and changing the scripts to meet specific granular requirements is a tedious process.

Active Directory (AD) auditing solution such as ManageEngine ADAudit Plus will help administrators ease this process by providing ready-to-access reports on this and various other critical security events. Below is the comparison between obtaining an AD user's login history report with Windows PowerShell and ADAudit Plus:

PowerShell

Steps to obtain user login history using PowerShell:

  • Identify the domain from which you want to retrieve the report.
  • Identify the LDAP attributes you need to fetch the report.
  • Identify the primary DC to retrieve the report.
  • Compile the script.
  • Execute it in Windows PowerShell.
  • The report will be exported in the given format.
  • To obtain the report in a different format, modify the script .

Sample Windows PowerShell script

# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *

# Define time for report (default is 1 day)
$startDate = (get-date).AddDays(-1)

# Store successful logon events from security logs with the specified dates and workstation/IP in an array
foreach ($DC in $DCs){
$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }}

# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely

  foreach ($e in $slogonevents){
    # Logon Successful Events
    # Local (Logon Type 2)
    if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){
      write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
    }
    # Remote (Logon Type 10)
    if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){
      write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
    }}
 Copied
Click to copy entire script

ADAudit Plus

To obtain the report,

  • Login to ADAudit Plus web console as an administrator.
  • Navigate to Reports tab, click User Logon Reports section on the left pane and select User Logon Activity report.
  • Select the domain and specific objects you want to query for, if any.
  • Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

Screenshot

powershell -get-user-login-history-1
 

Following are the limitations to obtain the report of every user's login history using native tools like Windows PowerShell:

  • All local logon and logoff-related events are only recorded in the security log of individual computers (workstations or Windows servers) and not on the domain controllers (DCs).
  • Logon events recorded on DCs do not hold sufficient information to distinguish between the various logon types, namely, Interactive, Remote Interactive, Network, Batch, Service, etc.
  • Logoff events are not recorded on DCs. This information is vital in determining the logon duration of a particular user.

This means you have to collect information from DCs as well as workstations and other Windows servers to get a complete overview of all logon and logoff activities within your environment. This is a laborious and mundane process for the system administrators.

ADAudit Plus generates the user login history report by automatically scanning all DCs in the domain to retrieve the users' login histories and display them on a simple and intuitively designed UI.

  • Avoid complex PowerShell-scripting, and simplify AD change auditing with ADAudit Plus.
  •  
  • By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.
  •  
  • Thanks!
  • Your download is in progress and it will be completed in just a few seconds! If you face any issues, download manually here.

Related Resources

ADAudit Plus Trusted By