How to generate and export user login history report

To conduct user audit trails, administrators would often want to know the history of user logins. This will greatly help them ascertaining user behaviors with respect to logins. Though this information can be got using Windows PowerShell, writing down, compiling, executing, and changing the scripts to meet specific granular requirements is a tedious process.

Active Directory (AD) auditing solution such as ManageEngine ADAudit Plus will help administrators ease this process by providing ready-to-access reports on this and various other critical security events. Below is the comparison between obtaining an AD user's login history report with Windows PowerShell and ADAudit Plus:

PowerShell

Steps to obtain user login history using PowerShell:

• Identify the domain from which you want to retrieve the report.
• Identify the LDAP attributes you need to fetch the report.
• Identify the primary DC to retrieve the report.
• Compile the script.
• Execute it in Windows PowerShell.
• The report will be exported in the given format.
• To obtain the report in a different format, modify the script .

Sample Windows PowerShell script

# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *

# Define time for report (default is 1 day)
$startDate = (get-date).AddDays(-1)

# Store successful logon events from security logs with the specified dates and workstation/IP in an array
foreach ($DC in $DCs){
$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }}

# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely

  foreach ($e in $slogonevents){
    # Logon Successful Events
    # Local (Logon Type 2)
    if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){
      write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
    }
    # Remote (Logon Type 10)
    if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){
      write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
    }}

 Copied

Click to copy entire script

ADAudit Plus

To obtain the report,

• Login to ADAudit Plus web console as an administrator.
• Navigate to Reports tab, click User Logon Reports section on the left pane and select User Logon Activity report.
• Select the domain and specific objects you want to query for, if any.
• Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

Screenshot

 

Following are the limitations to obtain the report of every user's login history using native tools like Windows PowerShell:

This means you have to collect information from DCs as well as workstations and other Windows servers to get a complete overview of all logon and logoff activities within your environment. This is a laborious and mundane process for the system administrators.

ADAudit Plus generates the user login history report by automatically scanning all DCs in the domain to retrieve the users' login histories and display them on a simple and intuitively designed UI.