How to check the last login date for users in Acitive Directory
Overview
The LDAP database used by Active Directory records the date/time of a user's last logon. The purposes of last logon date/time may include the following.
-
Improving security
If there are no regular logons, the user account may no longer be needed. Disabling or deleting the account may enhance security. -
Audit Purpose
This is used to report the last logon date/time of a user account according to the organization's security policy.
This article describes the LDAP attribute where the last logon date/time are recorded and how to find the last logon date/time.
LDAP attributes for which the last logon date/time is recorded
The LDAP attributes for which the last logon date/time are recorded are listed below.
Only recorded on the domain controller that processed the authentication request.
| Attributes | Description |
|---|---|
| lastLogon | Last logon time is recorded in NT time epoch(*1). Not subject to Active Directory replication. Only recorded on the domain controller that processed the authentication request. |
| lastLogonTimestamp | Last logon time is recorded in NT time epoch(*1). Subject to Active Directory replication. Updated if lastLogonTimestamp is set to a date/time more than 9 - 14 days prior to the date/time the logon was completed. |
| lastLogonDate | The time of the NT time epoch recorded in lastLogonTimestamp and displayed in the standard format. |
| msDS-LastSuccessfulInteractiveLogonTime | Last logon time is recorded in NT time epoch(*1). Subject to Active Directory replication. Must be set by group policy. |
*1 It is displayed in standard view in Active Directory Management Center and other places, and in NT time epoch in command tools such as PowerShell.
Enable msDS-LastSuccessfulInteractiveLogonTime attribute
As mentioned earlier, to use the msDS-LastSuccessfulInteractiveLogonTime attribute, a group policy must be set and applied to the domain controller.
- Open [Group Policy Management Editor].
- In [Computer Configuration] -> [Policies] -> [System] -> [KDC] 、[Provide information about previous logons to client computers] is enabled.
Check with Administrative tools
If you want to check with administrative tools, use [Active Directory Administrative Center] or [Active Directory Users and Computers] tools.
You can view each attribute in the Attribute Editor tab of the user account.
* Image from Active Directory Administrative Center
There is a discrepancy between the date/time of the lastLogon attribute and the lastLogonTimestamp attribute, because the lastLogonTimestamp attribute was not updated.
The logon date/time are recorded in the msDS-LastSuccessfulInteractiveLogonTime attribute. If the group policy is not set and no logon has ever taken place, it is displayed as <not set>.
Check with PowerShell
Case of lastLogon attribute
When checking the lastLogon attribute, as mentioned earlier, the logon date/time are recorded only for the domain controller that handled the authentication request. Therefore, if you want to know the exact date/time of the last logon, you must run the PowerShell cmdlet for each domain controller. Also, it is displayed in NT time epoch, which is not intuitive.
1Get-ADUser <username> -Properties * -Server <servername> | Select-Object lastLogon
As a test, try running the PowerShell cmdlet specifying each domain controller.
1Get-ADUser administrator -Properties * -Server dc01 | Select-Object lastLogon
2
3 lastLogon
4 ---------
5133266894849485033
6
7
8Get-ADUser administrator -Properties * -Server dc02 | Select-Object lastLogon
9
10 lastLogon
11 ---------
12133266896009889700
Different results were returned. This is evidence that the attribute is not replicated and the logon date/time are recorded only on the domain controller that processed the authentication request.
Case of lastLogonTimestamp attribute
When checking the lastLogonTimestamp attribute, as mentioned above, it is updated if the lastLogonTimestamp is set to a date that is more than 9 - 14 days prior to the date/time the logon was completed. This is not suitable if you want to know the exact date/time of the last logon. It is a useful attribute under certain conditions, such as when the account is not in use and it is clear that the logon date is more than one month old. This one is also displayed in NT time epoch, so it is not intuitive.
1Get-ADUser <username> -Properties * | Select-Object lastLogonTimestamp
Case of lastLogonDate attribute
When checking with the lastLogonDate attribute, the date/time when the lastLogonTimestamp attribute is recorded is output in the standard format.
1Get-ADUser <username> -Properties * | Select-Object lastLogonDate
To output a batch of user accounts logged on before a specific date, run the following cmdlet.
1Get-ADUser -Filter * -Properties lastLogonDate `
2 | Where-Object { $_.lastLogonDate -lt "yyyy/mm/dd" } `
3 | Select-Object SamAccountName
Case of msDS-LastSuccessfulInteractiveLogonTime attribute
When checking the msDS-LastSuccessfulInteractiveLogonTime attribute, it is possible to know the exact date/time of the last logon without having to query each domain controller as with the lastLogon attribute. This is also displayed as an NT time epoch, which is not intuitive.
1Get-ADUser <username> -Properties * | Select-Object msDS-LastSuccessfulInteractiveLogonTime
Convert NT time epoch to standard format
There are many ways to convert NT time epoch, but an example conversion in PowerShell is described below.
1$epoch = Get-ADUser <username> -Properties * | Select-Object msDS-LastSuccessfulInteractiveLogonTime
2$epoch -match '\d+' # Extract only the numbers stored in the $epoch variable.
3[datetime]::FromFileTime($Matches[0]) # Convert NT time epoch.