Active Directory User Login Report with or without PowerShell

Approved By Anuraag Singh

Published On August 7th, 2024

Reading Time 9 Minutes Reading

Category Active Directory

Admins who need an Active Directory user login report often rely on PowerShell scripts. However, that’s not the only way to get that data. Multiple methods like command line, ADUC, etc which we discuss through this write-up. This will allow admins to choose the best possible approach for revealing the entry-exit timeline of various users on the Active Directory. As PowerShell is the most in-demand method let’s start from there.

Make an Active Directory User Logon Logoff Report with PowerShell

Here is a basic query that makes use of the last login parameters on a particular domain controller.

Get-ADUser -Filter * -Property lastLogoff, lastLogon | Select-Object Name,
@{Name='LastLogoff'; Expression={
$date = [DateTime]::FromFileTime($_.lastLogoff)
if ($date -eq [DateTime]::FromFileTime(0)) { "Never" } else { $date }
}},
@{Name='LastLogon'; Expression={
$date = [DateTime]::FromFileTime($_.lastLogon)
if ($date -eq [DateTime]::FromFileTime(0)) { "Never" } else { $date }
}}

This script calls the lastLogoff, and lastLogon parameters and converts them into the corresponding date-time value. The never string indicates that either the user has not logged in or not logged out.

PowerShell to Make Active Directory User Login Report

After admins add users to the active directory in bulk they often have to monitor the login activity to see whether or not extra accounts have been made. Another alternative is to count and track every login log out so that the following script is more than sufficient. However, users have to add an active directory user login report export mechanism from their end.

# Import the Active Directory module
Import-Module ActiveDirectory
# Function to get AD user login/logout history for the last 24 hours
function Get-UserLoginLogoutHistory {
    param(
        [string] $UserName,
        [switch] $LogonTypeLocal,
        [switch] $LogonTypeRemote
    )
    $startDate = (Get-Date).AddDays(-1)
    $endDate = Get-Date
    # Get security events for login success and logouts for the last 24 hours
    $filterXPath = "*[System[((EventID=4624) or (EventID=4634)) and TimeCreated[@SystemTime>='{0}' and @SystemTime<='{1}']]]" -f $startDate.ToUniversalTime().ToString("s"), $endDate.ToUniversalTime().ToString("s")
    $events = Get-WinEvent -LogName Security -FilterXPath $filterXPath -ErrorAction SilentlyContinue
    # Filter events based on username and logon type
    if ($UserName) {
        $events = $events | Where-Object { $_.Properties[5].Value -eq $UserName }
    }
    $loginEvents = @{}
    $logoutEvents = @{}
    foreach ($event in $events) {
        $samAccountName = $event.Properties[5].Value
        $sessionId = $event.Properties[7].Value
        $logonType = $event.Properties[8].Value
        # Skip if not matching LogonType filters
        if (($LogonTypeLocal -and $logonType -eq 3) -or ($LogonTypeRemote -and $logonType -ne 3)) {
            continue
        }       
        if ($event.Id -eq 4624) {  # Login event
            $loginEvents["$samAccountName-$sessionId"] = $event
        } elseif ($event.Id -eq 4634) {  # Logout event
            $logoutEvents["$samAccountName-$sessionId"] = $event
        }
    }
    # Process login events and match with logout events
    foreach ($key in $loginEvents.Keys) {
        $loginEvent = $loginEvents[$key]
        $logoutEvent = $logoutEvents[$key]
        $samAccountName = $loginEvent.Properties[5].Value
        $computer = $loginEvent.Properties[11].Value
        $logonType = if ($loginEvent.Properties[8].Value -eq 3) { "Remote" } else { "Local" }
        # Get full name to construct active directory user login report
        try {
            $adUser = Get-ADUser -Identity $samAccountName -Properties DisplayName -ErrorAction Stop
            $fullName = $adUser.DisplayName
        }
        catch {
            $fullName = "Unable to retrieve full name"
        }
        $userLogin = [PSCustomObject]@{
            "UserName" = $samAccountName
            "FullName" = $fullName
            "Computer" = $computer
            "LogonType" = $logonType
            "LoginTime" = $loginEvent.TimeCreated
            "LogoutTime" = if ($logoutEvent) { $logoutEvent.TimeCreated } else { "Session still active or logout not recorded" }
            "SessionDuration" = if ($logoutEvent) { 
                $duration = $logoutEvent.TimeCreated - $loginEvent.TimeCreated
                "{0:D2}:{1:D2}:{2:D2}" -f $duration.Hours, $duration.Minutes, $duration.Seconds
            } else { "N/A" }
        }
        Write-Output $userLogin
    }
}
# Call the Get-UserLoginLogoutHistory function with default parameters
Get-UserLoginLogoutHistory -UserName "" -LogonTypeLocal:$false -LogonTypeRemote:$false

PowerShell Script

This PowerShell script retrieves user login and logout history from Windows Security Event logs for the past 24 hours. It filters events by username and logon type (local or remote), matches login and logout events, and outputs detailed information including username, full name, computer, logon type, login/logout times, and session duration. However, beware depending on the number of events the script may stuck or take along time to execute. If PowerShell feels tight there are other code based methods that can serve as the alternatives.

Use Command Line Query and Get Active Directory User login Report

Open the command line and type

query user /SERVER:servername

Replace “username” with the one where you are tracking the user activity. However, this can only be used if your workstation is on the same network as the target AD.

If due to regulatory pressure or personal reasons admin renames an AD user using PowerShell there is always a chance that the user struggles with login errors. To make sure that this does not happen in your case formulate a checklist beforehand.

Here is an alternative bat script that makes use of the net command at the domain level to get the list of all users

@echo off
setlocal enabledelayedexpansion
echo Username,Last Logon
for /f "skip=5 tokens=1,* delims= " %%a in ('net user /domain') do (
    set "user=%%a"
    if not "!user!"=="The" if not "!user!"=="command" (
        for /f "tokens=1,* delims=:" %%i in ('net user !user! /domain ^| findstr /C:"Last logon"') do (
            set "lastlogon=%%j"
            if "!lastlogon!"=="" set "lastlogon= Never"
            echo !user!,!lastlogon!
        )
    )
)
pause

BAT script
This script limits its scope to the current machine so any login activity from outside is not reported here.

Check the Event Viewer to See the User Logon Logoff Time in AD

The Event Viewer is a default addition in all Windows machines so most likely you have it preinstalled on your system as well.

Not all user login attempts are genuine in nature so if admins identify any suspicious activity it might be a smart call to preemptively reset the user password in Active Directory at once.

This program keeps a log of all activity that occurs in the AD so every user login and log-out details can be seen from there.

Open Event Viewer > Windows Logs > Security

Search for following IDs:

4624 – Successful account logon:
4625 – Failed account logon:
4634 – Account logoff:
4647 – User-initiated logoff:
4648 – User Logon With Explicit Credentials:

In case the Event Viewer fails to display/contain the data

Then either you have selected the wrong domain controller, or the Event Viewer is yet to receive the GPO access to record the events.

In the case of the latter, the Event Viewer starts recording from that moment onwards so any previous login event won’t be visible.

If you do not want to look at every login logout but just the last one then the AD contains some inbuilt solution. So let’s see how to use it.

Traditional Way to Track User Entry-Exit in Active Directory

Your Active Directory comes with a whole host of tools and add-ons to monitor the resources. These can also be used to keep an eye on the total duration of the user activity inside AD. Use these steps to display a preliminary Active Directory User Login Report.

Open the ADUC snap-in.
Click on View and enable the Advanced Features.
Find the User in OU whose login you want to know.
Right Click > Select Properties.
Toggle the Attribute Editor tab > Type “log”
The Logon, Logoff, and Time Stamp all should be visible.

Unfortunately, this is where the use of ADUC ends. So you are stuck with a strictly view-only setup. Moreover, if you try to edit the parameter to copy it instead of the date/time you get a large inter value instead. Which is not at all useful for reporting purposes.

Combining this limitation with the time-consuming and repetitive nature of the operation it becomes quite clear why admins abandon this method from the get-go. Not to worry as we have an alternative that combines the ease.

Professionally Monitor When Logs-in and Logs-out of the Server

To make an Active Directory user login report use SysTools AD Reporting software. With a GUI-based domain setup and password-protected login mechanism, admins can track the Entry-Exit timings of all users remotely.

Apart from the basic tracking, this piece of software has a smart feature to list down all users that never logged in post account creation. So admins can use this report to delete or disable all such dormant accounts at once.

Download Now Purchase Now

Moreover, not only can this tool export Active Directory users to CSV format but also provides a glimpse at the data using its unique preview mechanism. Admins can set a custom duration or pick a pre-set time interval from 5, 7, 10, 30, 60, 90 (days), or up to a year at most. The following set of steps reveals how easy it is to operate the tool in your local environment.

Get a Script Free Active Directory User Login Report Step-By-Step

Step 1. Use the appropriate workstation to load and launch the tool. Let the administrator credentials fill in on their own then hit the Login button.

Step 2. With your cursor press the REGISTER DOMIN CONTROLLER icon to open the domain registry popup.

Step 3. Enter the Domain-friendly name and the corresponding IP address for your AD, then hit the Save and Continue button.

Step 4. The tool takes you to the Domain Details page where you need to complete admin credential validation. After that toggle the Reports tab.

Step 5. Under the Users Workload Select the “Login” category.

Step 6. Use the duration picker to select the timeline from which you want to make the Active Directory user login report

Step 7. Click on the Preview button, and take a look at the user list before the export.

Step 8. Expand the Download Report option and select CSV.

Step 9. Save the file in the intended location and open it using any spreadsheet viewer.

Conclusion

All those admins who want an Active Directory user login report can now do so in any of the five different ways that we covered here. While the Active Directory user logon logoff report PowerShell scripts and .bat files give a code-style review option, those with a non-technical background can rely on ADUC or event viewer.

However, every manual approach has one limitation or the other, with lack of remote access being the common denominator. To bypass this admins can rely on the automated alternative that gives them a user logon and logoff time report easily.