Read more on "Server OS Spotlight" »

Staying Secure by Auditing Last Logon Date and Time for AD Users

By Nirmal Sharma
Posted July 31, 2017


As a system admin, you may need to track the last logon date and time of Active Directory users, for example to identify stale user accounts so that they do not remain enabled in Active Directory. Knowing when every user last logged on is important for reducing that risk, and it is also useful for compliance reporting.

For example, if a user account last logged on a long time ago and has been neither disabled nor removed, its credentials are still valid: anyone who retrieves them (a former employee, or an attacker who recovers an old password) can use them to log on to a domain-joined machine and gain a foothold in the Active Directory environment, and because nobody legitimately uses the account any more, that activity is unlikely to be noticed. As a result, from time to time it is necessary to identify stale accounts and disable or remove them.

Active Directory stores an approximate last logon date and time for each user in the lastLogonTimestamp attribute. The attribute is replicated to every domain controller, but a domain controller only rewrites it when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default) minus a random offset of up to 5 days, so it can lag the user's real last logon by up to about two weeks. That is precise enough for finding stale accounts, but not for investigating a specific logon; for that you have to check the non-replicated lastLogon attribute on each domain controller. If you need to see the value for a single user in the GUI, you can use the Active Directory Users and Computers tool (with Advanced Features enabled in the View menu so that the Attribute Editor tab is shown). In ADUC, right-click the user, click Properties, switch to the Attribute Editor tab and find the lastLogonTimestamp attribute, as shown in the screenshot below:

Active Directory Logon Audit - Figure 1

While the ADUC tool is handy if you are investigating the last logon time for one user or a handful of users, in many cases you will need to collect the last logon information for every AD user to understand logon activity across the whole directory. Since Active Directory stores this information in the lastLogonTimestamp attribute, it can be queried with a few simple commands from the ActiveDirectory PowerShell module (part of RSAT), as explained below.

To get the last logon date and time for a single AD user, execute the following PowerShell commands:

$UserName = "David.Das"
# lastLogonTimestamp comes back as a raw 64-bit FILETIME integer, so convert it for display
Get-ADUser $UserName -Properties LastLogonTimeStamp |
    Select-Object SamAccountName, @{Name="LastLogonDate"; Expression={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}}

When you run the above PowerShell commands, you will see the last logon date and time for the user David.Das. If you wish to collect the last logon date and time for all Active Directory users in an OU and store the output in a CSV file for reporting purposes, you can execute the following PowerShell script:

$ReportFile = "C:\Temp\LastLogonTimeStampUsers.CSV"
Remove-Item $ReportFile -ErrorAction SilentlyContinue
# The attribute is a 64-bit FILETIME, and it is absent for users who have never logged on; convert it to a readable date
Get-ADUser -Filter * -SearchBase "OU=<UsersOUHere>,DC=ServerWatch,DC=Com" -Properties CN, LastLogonTimeStamp |
    Select-Object CN, @{Name="LastLogonDate"; Expression={ if ($_.LastLogonTimeStamp) { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } else { "Never" } }} |
    Export-Csv -Path $ReportFile -NoTypeInformation

Note that the last command in the above script converts the value returned for every AD user with the [DateTime]::FromFileTime() method (the attribute is stored as a 64-bit FILETIME count of 100-nanosecond intervals since 1 January 1601, not as a date), reports "Never" for accounts that have no value because they have never logged on, and then exports the output to the CSV file referenced by the $ReportFile variable. It is also important to understand that you might have several organizational units in Active Directory that hold users for different departments.

For example, you might have created an organizational unit named "SalesUsers," which stores only users from the sales team, and another OU named "FinanceUsers," which stores users from the finance team. The above PowerShell script queries the last logon activity only for users in the single OU specified in the "-SearchBase" parameter.

If you wish to collect the last logon activity for users in each department OU and have the output stored in a separate CSV file for each department OU, you can create a text file that includes the list of OU names and then make use of a PowerShell "ForEach" loop.
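The per-OU loop described above, written out as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, an account with read access to the domain, a hypothetical list file C:\Temp\OUs.txt with one OU distinguished name per line, an assumed report folder, and an assumed 90-day staleness policy. It goes a little beyond the article: besides writing one CSV per OU, it treats an old or missing lastLogonTimestamp only as a candidate and confirms each candidate against the non-replicated lastLogon attribute on every domain controller, handles accounts that have never logged on, and records whether each stale account is still enabled.

```powershell
# Added example, not code from the original article. Assumes the RSAT ActiveDirectory
# module, read access to the domain, and a hypothetical list file C:\Temp\OUs.txt
# containing one OU distinguished name per line, e.g.
#   OU=SalesUsers,DC=ServerWatch,DC=Com
#   OU=FinanceUsers,DC=ServerWatch,DC=Com
Import-Module ActiveDirectory

$OUListFile   = "C:\Temp\OUs.txt"           # assumed path
$ReportFolder = "C:\Temp\LastLogonReports"  # assumed path; one CSV per OU
$StaleDays    = 90                          # assumed policy threshold
$Cutoff       = (Get-Date).AddDays(-$StaleDays)

New-Item -ItemType Directory -Path $ReportFolder -Force | Out-Null

# lastLogon is not replicated, so the real most recent logon is the newest value
# held by any domain controller.
$DomainControllers = (Get-ADDomainController -Filter *).HostName

function Get-PreciseLastLogon {
    param([string]$DistinguishedName)
    $Newest = 0
    foreach ($DC in $DomainControllers) {
        try {
            $Value = (Get-ADUser -Identity $DistinguishedName -Server $DC -Properties lastLogon).lastLogon
            if ($Value -and $Value -gt $Newest) { $Newest = $Value }
        } catch {
            Write-Warning "Could not query $DC for $DistinguishedName : $_"
        }
    }
    if ($Newest -gt 0) { [DateTime]::FromFileTime($Newest) } else { $null }
}

foreach ($OU in (Get-Content $OUListFile | Where-Object { $_.Trim() })) {
    $OU         = $OU.Trim()
    $OUName     = ($OU -split ',')[0] -replace '^OU=', ''
    $ReportFile = Join-Path $ReportFolder "LastLogon_$OUName.csv"

    $Rows = Get-ADUser -Filter * -SearchBase $OU -Properties lastLogonTimestamp, whenCreated |
        ForEach-Object {
            # lastLogonTimestamp is replicated but may lag the real last logon by up to
            # about 14 days, and it is absent for accounts that have never logged on.
            $Replicated = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }

            # The replicated stamp never overstates activity: a recent value proves the
            # account is active, while an old or missing one only makes it a candidate.
            $Candidate = if ($null -eq $Replicated) { $_.whenCreated -lt $Cutoff } else { $Replicated -lt $Cutoff }

            # Confirm candidates against lastLogon on every DC so that an account which
            # logged on recently against a DC whose stamp has not replicated yet is not flagged.
            $Precise = if ($Candidate) { Get-PreciseLastLogon $_.DistinguishedName } else { $Replicated }
            $Stale   = if ($null -eq $Precise) { $_.whenCreated -lt $Cutoff } else { $Precise -lt $Cutoff }

            [PSCustomObject]@{
                SamAccountName     = $_.SamAccountName
                Enabled            = $_.Enabled
                Created            = $_.whenCreated
                LastLogonTimestamp = $Replicated
                LastLogon          = $Precise
                Stale              = $Stale
            }
        }

    $Rows | Export-Csv -Path $ReportFile -NoTypeInformation

    $ToReview = @($Rows | Where-Object { $_.Stale -and $_.Enabled })
    $Summary  = "{0}: {1} users, {2} enabled and stale for more than {3} days -> {4}" -f $OUName, @($Rows).Count, $ToReview.Count, $StaleDays, $ReportFile
    Write-Host $Summary

    # Review the CSV first; remove -WhatIf to actually disable the enabled stale accounts.
    $ToReview | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
}
```

The second lookup is deliberately limited to candidates: querying every domain controller for every user is expensive in a large domain, whereas a lastLogonTimestamp newer than the cutoff is already proof that the account is in use. Accounts that have never logged on are judged by their creation date, since neither attribute is set for them.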

Another option is Netwrix Auditor for Active Directory, which solves user auditing problems by letting you create plans for each department organizational unit. For example, you can create a plan that collects the last logon date and time for users in Sales OU and another plan to collect the same information for users residing in Finance OU.

Once these plans have been created, Netwrix Auditor can execute them and have the reports sent to you via email. You can also check the last logon date and time for users by opening the Netwrix Auditor console, as shown in the screenshot below:

Active Directory Logon Audit - Figure 2

Note that you may not want accounts to remain enabled if their users have not logged on to Active Directory for a long time. That is why, in addition to displaying the last logon date and time of AD users, Netwrix Auditor also displays the status of each user, as shown in the screenshot above.

Conclusion

In this Server Tutorial, we provided simple PowerShell commands and a script to collect the last logon date and time for Active Directory users. While you can use PowerShell to collect the required information, it is recommended to use an enterprise tool like Netwrix Auditor for Active Directory, which can help you create auditing plans based on your requirements and collect the data automatically.


Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at nirmal_sharma@mvps.org.
