How to Detect Every Active Directory User’s Last Logon Date


Why It Is Important

Regularly reviewing every user's last logon date in Active Directory helps you find and remove a common weakness across your organization's IT infrastructure: accounts nobody uses any more. Each time a user logs on, the domain controller updates the account's Last-Logon-Timestamp attribute (lastLogonTimestamp). With the last logon date at hand, IT admins can readily identify inactive accounts and disable them, minimizing the opportunity for unauthorized logons to the organization's IT systems. Regularly auditing users' last logon dates in Active Directory is an efficient way to detect inactive accounts before they turn into bait for attackers.

Native Auditing

  1. Open PowerShell ISE.

  2. Create a new script with the following code, set the “$Path” value to where the report should be written, and then run the script:

     # Report path for the CSV output
     $Path = 'C:\Temp\LastLogon.csv'
     # Enabled users only; lastLogonTimestamp is stored as a Windows FILETIME, so convert it to a DateTime
     # (HH gives a 24-hour clock; the original 'hh' produced an ambiguous 12-hour value with no AM/PM marker)
     Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonTimestamp |
         Select-Object Name, @{Name = 'Stamp'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss') }} |
         Export-Csv -Path $Path -NoTypeInformation

  3. Open the file produced by the script in MS Excel.

  4. Example output (screenshot): https://img.netwrix.com/howtos/last_logons_excell.png
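The one-liner above lists the timestamps but leaves two things for the admin to work out by hand: which accounts are actually stale, and what to make of accounts that have no lastLogonTimestamp at all (an account that has never logged on has no value, and [DateTime]::FromFileTime(0) silently turns that into 1601-01-01). The following script is an added example, not part of the original Netwrix article, that produces a stale-account report from the same attribute. It assumes the ActiveDirectory module (RSAT) is installed and the running account can read user objects; the $InactiveDays and $Path parameters, the column names and the Stale rule are choices made for this example.

```powershell
# Added example (not from the original article): report enabled AD users whose
# lastLogonTimestamp is older than a cut-off, or who have never logged on.
# Assumptions: ActiveDirectory module available; $InactiveDays and $Path are
# values you choose; the column names below are this example's own.
param(
    [int]$InactiveDays = 90,
    [string]$Path = 'C:\Temp\StaleUsers.csv'
)

Import-Module ActiveDirectory

# lastLogonTimestamp is replicated between domain controllers but, by default, is
# only rewritten when the stored value is more than 14 days old. A cut-off shorter
# than that would flag accounts that are really in use, so clamp it to 14 days.
if ($InactiveDays -lt 14) { $InactiveDays = 14 }
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

$Report = Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        # Null means the account has never logged on; do not feed 0 to FromFileTime.
        $LastLogon = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)
        } else {
            $null
        }

        # A never-used account only counts as stale once it is older than the
        # cut-off, so freshly created accounts are not flagged before first use.
        $IsStale = if ($LastLogon) { $LastLogon -lt $Cutoff } else { $_.whenCreated -lt $Cutoff }

        [PSCustomObject]@{
            Name           = $_.Name
            SamAccountName = $_.SamAccountName
            Created        = $_.whenCreated.ToString('yyyy-MM-dd')
            LastLogon      = if ($LastLogon) { $LastLogon.ToString('yyyy-MM-dd HH:mm:ss') } else { 'never' }
            DaysSinceLogon = if ($LastLogon) { [int]((Get-Date) - $LastLogon).TotalDays } else { $null }
            Stale          = $IsStale
        }
    }

# Full report to CSV for Excel; stale subset on the console for review.
$Report | Export-Csv -Path $Path -NoTypeInformation
$Report | Where-Object Stale | Sort-Object DaysSinceLogon -Descending | Format-Table -AutoSize

# After the list has been reviewed, the flagged accounts can be disabled with:
#   $Report | Where-Object Stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName }
```

Run it as `.\Get-StaleUsers.ps1 -InactiveDays 120 -Path C:\Temp\StaleUsers.csv` (file name is arbitrary). Because lastLogonTimestamp can lag the true last logon by up to 14 days, treat DaysSinceLogon as a lower bound and keep the threshold well above two weeks; service accounts that authenticate only by certain methods may also show older values than expected, so review the list before disabling anything.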

Credits

Originally posted - https://www.netwrix.com/how_to_determine_last_logon_date.html