The Active Directory administrator must periodically disable and inactivate objects in AD. In this article, we will show how to get the last logon time for the AD domain user and find accounts that have been inactive for more than 90 days.
How to Get Last Logged on User Using ADUC?
You can find out the last logon time for the domain user with the ADUC graphical console (Active Directory Users and Computers).
- Run the console dsa.msc;
- In the top menu, enable the option View > Advanced Features;
- In the AD tree, select the user and open its properties;
- Click on the tab Attribute Editor;
- In the list of attributes, find lastLogon. This attribute contains the time the user was last logged in the domain.
Find Last Logon Time Using CMD
You can find out the time the user last logged into the domain from the command line using the net or dsquery tools.
Open a command prompt (you don’t need domain administrator privileges to get AD user info) and run the command:
net user administrator /domain| findstr "Last"
You got the user last login time: 08.08.2019 11:14:13.
You can also get the last login time using dsquery. For example:
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=administrator))" -attr distinguishedName lastLogon lastLogonTimestamp -limit 0
The main problem is that the attributes lastLogon and lastLogonTimestamp in AD are stored in timestamp format and you need to additionally convert it to a normal time format.
You can also use this command to find all users who are inactive, for example, for 10 weeks:
dsquery user domainroot -inactive 10
Find Last Logon Time Using PowerShell
You can also use PowerShell to get the user last domain logon time. For this, you need to use
Active Directory module for Windows PowerShell. Install this module and import it into your PowerShell session:
Import-Module ActiveDirectory
To find the last logon time for the domain administrator account, run the command:
Get-ADUser -Identity administrator -Properties LastLogon
The cmdlet returned the time in Timestamp format. To convert it to normal time use the following command:
Get-ADUser -Filter {Name -eq "administrator"} -Properties * | Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}}
Using PowerShell, you can display Lastlogon time for all enabled domain users:
Get-ADUser -filter {enabled -eq $true} -Properties * | Select-Object Name, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon)}}|Sort-Object LastLogon -Descending
Or you can find users who are inactive for more than 90 days:
$date1= (Get-Date).AddDays(-90)
Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $date1} | ft
