How to check the last login date for users in Active Directory

Overview


The LDAP database used by Active Directory records the date/time of a user's last logon. Uses of the last logon date/time include the following.

  • Improving security
    If an account shows no regular logons, it may no longer be needed. Disabling or deleting such an account reduces the attack surface.

  • Auditing
    Reporting the last logon date/time of each user account, as required by the organization's security policy.

This article describes the LDAP attributes in which the last logon date/time is recorded and how to retrieve it.




LDAP attributes in which the last logon date/time is recorded

The LDAP attributes in which the last logon date/time is recorded are listed below.

Attribute: lastLogon
  • Last logon time, recorded as an NT time epoch (*1).
  • Not subject to Active Directory replication.
  • Recorded only on the domain controller that processed the authentication request.

Attribute: lastLogonTimestamp
  • Last logon time, recorded as an NT time epoch (*1).
  • Subject to Active Directory replication.
  • Updated only if the value already stored is more than 9 - 14 days older than the date/time of the logon being processed.

Attribute: lastLogonDate
  • The NT time epoch value recorded in lastLogonTimestamp, displayed in standard date/time format.

Attribute: msDS-LastSuccessfulInteractiveLogonTime
  • Last logon time, recorded as an NT time epoch (*1).
  • Subject to Active Directory replication.
  • Must be enabled by group policy.

*1 Displayed in standard date/time format in Active Directory Administrative Center and similar tools, and as an NT time epoch value in command-line tools such as PowerShell.


Enable msDS-LastSuccessfulInteractiveLogonTime attribute

As mentioned earlier, to use the msDS-LastSuccessfulInteractiveLogonTime attribute, a group policy must be configured and applied to the domain controllers.

Settings
  1. Open [Group Policy Management Editor].
  2. Under [Computer Configuration] -> [Policies] -> [System] -> [KDC], set [Provide information about previous logons to client computers] to Enabled.
  * Image: Group Policy
  3. Apply the created group policy object to the domain controllers.


Check with Administrative tools

If you want to check with administrative tools, use [Active Directory Administrative Center] or [Active Directory Users and Computers] tools. You can view each attribute in the Attribute Editor tab of the user account.
* Image from Active Directory Administrative Center

lastLogon / lastLogonTimestamp attributes

The date/time in the lastLogon attribute differs from that in the lastLogonTimestamp attribute because lastLogonTimestamp was not updated by the most recent logon.

msDS-LastSuccessfulInteractiveLogonTime attribute

The logon date/time is recorded in the msDS-LastSuccessfulInteractiveLogonTime attribute. If the group policy is not set and no logon has ever taken place, the value is displayed as <not set>.


Check with PowerShell

Case of lastLogon attribute

When checking the lastLogon attribute, as mentioned earlier, the logon date/time is recorded only on the domain controller that handled the authentication request. Therefore, to know the exact date/time of the last logon, you must run the PowerShell cmdlet against each domain controller. The value is also displayed as an NT time epoch, which is not intuitive.

Get-ADUser <username> -Properties * -Server <servername> | Select-Object lastLogon


As a test, run the PowerShell cmdlet specifying each domain controller in turn.

Get-ADUser administrator -Properties * -Server dc01 | Select-Object lastLogon

        lastLogon
        ---------
133266894849485033


Get-ADUser administrator -Properties * -Server dc02 | Select-Object lastLogon

        lastLogon
        ---------
133266896009889700

Different results were returned. This is evidence that the attribute is not replicated and the logon date/time are recorded only on the domain controller that processed the authentication request.


Case of lastLogonTimestamp attribute

When checking the lastLogonTimestamp attribute, as mentioned above, it is updated only if the stored value is more than 9 - 14 days older than the date/time the logon was completed, so it is not suitable when you need the exact date/time of the last logon. It is useful under certain conditions, for example when an account is not in use and it is clear that the last logon is more than one month old. This value is also displayed as an NT time epoch, which is not intuitive.

Get-ADUser <username> -Properties * | Select-Object lastLogonTimestamp

Case of lastLogonDate attribute

When checking the lastLogonDate attribute, the date/time recorded in the lastLogonTimestamp attribute is output in standard format.

Get-ADUser <username> -Properties * | Select-Object lastLogonDate

To list all user accounts whose last logon is before a specific date, run the following cmdlet (replace yyyy/mm/dd with the cutoff date).

Get-ADUser -Filter * -Properties lastLogonDate `
  | Where-Object { $_.lastLogonDate -lt "yyyy/mm/dd" } `
  | Select-Object SamAccountName

Case of msDS-LastSuccessfulInteractiveLogonTime attribute

When checking the msDS-LastSuccessfulInteractiveLogonTime attribute, the exact date/time of the last logon can be obtained without querying each domain controller as is required for the lastLogon attribute. This value is also displayed as an NT time epoch, which is not intuitive.

Get-ADUser <username> -Properties * | Select-Object msDS-LastSuccessfulInteractiveLogonTime

Convert NT time epoch to standard format

There are many ways to convert an NT time epoch (100-nanosecond intervals since 1601-01-01 UTC); an example conversion in PowerShell is shown below.

# Read only the attribute we need and unwrap its value instead of regex-matching the object.
$epoch = Get-ADUser <username> -Properties msDS-LastSuccessfulInteractiveLogonTime |
    Select-Object -ExpandProperty msDS-LastSuccessfulInteractiveLogonTime
# Convert the NT time epoch to a local date/time. An unset attribute gives $null,
# which FromFileTime treats as 0 and displays as 1601-01-01.
[datetime]::FromFileTime($epoch)
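As an added example, not part of the original article, the following script ties the sections above together: because lastLogon is not replicated, it queries every domain controller, keeps the newest value per user, converts it from NT time epoch, and lists enabled accounts with no logon within a threshold. Only standard ActiveDirectory module cmdlets are used; the parameter names $StaleDays and $SearchBase are this example's own.

```powershell
# Added example (not from the original article): report enabled accounts whose
# newest lastLogon across all domain controllers is older than $StaleDays.
# Assumes the ActiveDirectory (RSAT) module and read access to user objects.
param(
    [int]$StaleDays = 90,          # hypothetical parameter: inactivity threshold in days
    [string]$SearchBase = $null    # hypothetical parameter: optional OU, default whole domain
)
Import-Module ActiveDirectory

# lastLogon is not replicated, so every domain controller must be asked.
$dcs    = (Get-ADDomainController -Filter *).HostName
$cutoff = (Get-Date).AddDays(-$StaleDays)
$newest = @{}   # SamAccountName -> highest lastLogon seen (Int64 NT time epoch)

foreach ($dc in $dcs) {
    # Request only the attribute needed rather than -Properties * (cheaper over LDAP).
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'lastLogon'; Server = $dc }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    try {
        foreach ($u in Get-ADUser @params) {
            $v = [int64]$u.lastLogon   # $null (never logged on via this DC) becomes 0
            if (-not $newest.ContainsKey($u.SamAccountName) -or $v -gt $newest[$u.SamAccountName]) {
                $newest[$u.SamAccountName] = $v
            }
        }
    } catch {
        # An unreachable DC leaves a gap: a user whose only logons were there looks stale.
        Write-Warning "Could not query $dc : $_"
    }
}

# 0 means no DC has ever recorded a logon; report it as such instead of
# converting it (FromFileTime(0) would print 1601-01-01 and look like a real date).
$report = foreach ($sam in $newest.Keys) {
    $ft   = $newest[$sam]
    $when = if ($ft -gt 0) { [datetime]::FromFileTime($ft) } else { $null }
    [pscustomobject]@{
        SamAccountName = $sam
        LastLogon      = $when
        NeverLoggedOn  = ($ft -eq 0)
        Stale          = ($ft -eq 0) -or ($when -lt $cutoff)
    }
}
$report | Where-Object Stale | Sort-Object LastLogon | Format-Table -AutoSize
```

Run it from a session that can reach every domain controller; any DC that fails to answer is reported as a warning so the resulting list is not mistaken for a complete one.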
