
Active Directory User Login Report with or without PowerShell

Published By: siddharth
Approved By: Anuraag Singh
Published On: October 8th, 2024
Reading Time: 10 Minutes
Category: Active Directory

Admins who need an Active Directory user login report often rely on PowerShell scripts. That is not the only way to get the data, though: the command line, Event Viewer and ADUC all expose some of it, and this write-up walks through each method.

That lets admins pick the approach that best suits how much history they need and where that data actually lives. As PowerShell is the most in-demand method, let's start there.

Make an Active Directory User Logon Logoff Report with PowerShell

Here is a basic query that reads the last logon attributes from the domain controller you are connected to. Both attributes are stored per DC and are not replicated, so the values reflect only the logons that this particular DC handled.

# -Properties is required because Get-ADUser returns only a default subset of attributes.
# Both values are Windows FILETIME integers; an unset attribute comes back as $null,
# so cast to [long] (null becomes 0) before converting, and print 0 as "Never".
Get-ADUser -Filter * -Properties lastLogoff, lastLogon | Select-Object Name,
    @{Name='LastLogoff'; Expression={
        $date = [DateTime]::FromFileTime([long]$_.lastLogoff)
        if ($date -eq [DateTime]::FromFileTime(0)) { "Never" } else { $date }
    }},
    @{Name='LastLogon'; Expression={
        $date = [DateTime]::FromFileTime([long]$_.lastLogon)
        if ($date -eq [DateTime]::FromFileTime(0)) { "Never" } else { $date }
    }}

This script reads the lastLogoff and lastLogon attributes and converts their FILETIME values into date-time values; a value of 0, or an unset attribute, prints as Never. Two caveats apply. lastLogon is not replicated, so a user who authenticated against another DC shows an older date, or Never, on the DC you queried. And lastLogoff is not maintained by Active Directory at all, so that column reads Never for every account. For a value that is replicated, use lastLogonTimestamp instead, keeping in mind that it is only refreshed when it is more than 14 days old by default; for an exact answer, query every DC and take the newest lastLogon.
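The per-DC problem can be handled in the same PowerShell session. The following is an added example, not code from the original post: it asks every domain controller for lastLogon, keeps the newest value per user, and reports the replicated lastLogonTimestamp next to it so the two can be compared. The function name, its parameters and the default filter are this example's own choices.

```powershell
# Added example (not from the original post). lastLogon is never replicated, so each DC
# holds only the logons it handled itself. Ask every DC and keep the newest value per
# user; also report lastLogonTimestamp, which IS replicated but may lag by up to 14 days.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        # Filter and search base are placeholders; adjust them for your domain.
        [string] $Filter = '*',
        [string] $SearchBase
    )
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $latest = @{}

    foreach ($dc in $dcs) {
        $query = @{ Filter = $Filter; Server = $dc; Properties = 'lastLogon', 'lastLogonTimestamp' }
        if ($SearchBase) { $query.SearchBase = $SearchBase }
        try {
            $users = Get-ADUser @query -ErrorAction Stop
        } catch {
            # An unreachable DC leaves a gap in the report, so say so instead of failing silently
            Write-Warning "Skipping $dc : $($_.Exception.Message)"
            continue
        }
        foreach ($u in $users) {
            $ll = [long]$u.lastLogon   # unset attribute becomes 0 = never logged on via this DC
            if (-not $latest.ContainsKey($u.SamAccountName) -or $ll -gt $latest[$u.SamAccountName].LastLogonRaw) {
                $latest[$u.SamAccountName] = [PSCustomObject]@{
                    SamAccountName        = $u.SamAccountName
                    Name                  = $u.Name
                    LastLogonRaw          = $ll
                    ReportedByDC          = $dc
                    LastLogonTimestampRaw = [long]$u.lastLogonTimestamp
                }
            }
        }
    }

    # Emit one row per user with the newest value found on any DC
    foreach ($e in $latest.Values) {
        [PSCustomObject]@{
            SamAccountName     = $e.SamAccountName
            Name               = $e.Name
            LastLogon          = if ($e.LastLogonRaw -gt 0) { [DateTime]::FromFileTime($e.LastLogonRaw) } else { 'Never' }
            ReportedByDC       = if ($e.LastLogonRaw -gt 0) { $e.ReportedByDC } else { '' }
            LastLogonTimestamp = if ($e.LastLogonTimestampRaw -gt 0) { [DateTime]::FromFileTime($e.LastLogonTimestampRaw) } else { 'Never' }
        }
    }
}

# Usage: export the full report, or list the accounts that never logged on to any DC
Get-TrueLastLogon | Export-Csv -NoTypeInformation .\lastlogon.csv
Get-TrueLastLogon | Where-Object LastLogon -eq 'Never'
```

The ReportedByDC column tells you which DC supplied the winning value, which is useful when one DC is unreachable and its logons are therefore missing from the report.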

PowerShell to Make Active Directory User Login Report

After admins add users to Active Directory in bulk, they often have to monitor login activity to see whether those accounts are actually being used.

For that the Security event log is the right source, because it records every individual logon and logoff. The script below reads those events and turns them into an exportable Active Directory user login report.

# Import the Active Directory module (part of the RSAT AD PowerShell feature)
Import-Module ActiveDirectory

# Function to get logon/logoff history for the last 24 hours from the Security log.
# 4624/4634 are written on the machine where the logon happened, so run this on the
# DC or member server whose sessions you want to report.
function Get-UserLoginLogoutHistory {
    param(
        [string] $UserName,
        [switch] $LogonTypeLocal,
        [switch] $LogonTypeRemote
    )
    $startDate = (Get-Date).AddDays(-1)
    $endDate = Get-Date

    # 4624 = successful logon, 4634 = logoff. A hashtable filter is applied by the
    # event log service itself, which is far faster than piping every event to Where-Object.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4634
        StartTime = $startDate
        EndTime   = $endDate
    } -ErrorAction SilentlyContinue

    $loginEvents = @{}
    $logoutEvents = @{}
    foreach ($event in $events) {
        # The EventData layout differs between the two IDs:
        #   4624: [5] TargetUserName, [7] TargetLogonId, [8] LogonType, [11] WorkstationName, [18] IpAddress
        #   4634: [1] TargetUserName, [3] TargetLogonId, [4] LogonType
        if ($event.Id -eq 4624) {
            $samAccountName = $event.Properties[5].Value
            $sessionId = $event.Properties[7].Value
            $logonType = [int]$event.Properties[8].Value
        } else {
            $samAccountName = $event.Properties[1].Value
            $sessionId = $event.Properties[3].Value
            $logonType = [int]$event.Properties[4].Value
        }
        # Apply the username filter (-eq is case-insensitive) and drop computer accounts (names ending in $)
        if ($UserName -and $samAccountName -ne $UserName) { continue }
        if ($samAccountName -like '*$') { continue }
        # Logon type 3 = Network and 10 = RemoteInteractive (RDP) count as remote; 2, 7, 11 etc. as local
        $isRemote = $logonType -in @(3, 10)
        if (($LogonTypeLocal -and $isRemote) -or ($LogonTypeRemote -and -not $isRemote)) {
            continue
        }
        # The logon ID (LUID) is unique per session on this machine, so it ties a 4624 to its 4634
        $key = "$samAccountName-$sessionId"
        if ($event.Id -eq 4624) {
            $loginEvents[$key] = $event
        } else {
            $logoutEvents[$key] = $event
        }
    }
    # Match each logon with its logoff and build the report rows
    foreach ($key in $loginEvents.Keys) {
        $loginEvent = $loginEvents[$key]
        $logoutEvent = $logoutEvents[$key]
        $samAccountName = $loginEvent.Properties[5].Value
        $computer = $loginEvent.Properties[11].Value
        $sourceIp = if ($loginEvent.Properties.Count -gt 18) { $loginEvent.Properties[18].Value } else { '' }
        $logonType = if (([int]$loginEvent.Properties[8].Value) -in @(3, 10)) { "Remote" } else { "Local" }
        # Look up the display name in AD for the report
        try {
            $adUser = Get-ADUser -Identity $samAccountName -Properties DisplayName -ErrorAction Stop
            $fullName = $adUser.DisplayName
        }
        catch {
            $fullName = "Unable to retrieve full name"
        }
        $userLogin = [PSCustomObject]@{
            "UserName" = $samAccountName
            "FullName" = $fullName
            "Computer" = $computer
            "SourceIP" = $sourceIp
            "LogonType" = $logonType
            "LoginTime" = $loginEvent.TimeCreated
            "LogoutTime" = if ($logoutEvent) { $logoutEvent.TimeCreated } else { "Session still active or logout not recorded" }
            "SessionDuration" = if ($logoutEvent) {
                # hh:mm:ss; TotalHours avoids wrapping to 0 if a session outlives the 24-hour window
                $duration = $logoutEvent.TimeCreated - $loginEvent.TimeCreated
                "{0:D2}:{1:D2}:{2:D2}" -f [int][math]::Floor($duration.TotalHours), $duration.Minutes, $duration.Seconds
            } else { "N/A" }
        }
        Write-Output $userLogin
    }
}
# Call the function with default parameters (all users, all logon types)
Get-UserLoginLogoutHistory -UserName "" -LogonTypeLocal:$false -LogonTypeRemote:$false


This PowerShell script retrieves user logon and logoff history from the Windows Security event log of the machine it runs on for the past 24 hours. It filters events by username and logon type (local or remote), matches each logon with its logoff through the logon ID, and outputs the username, display name, workstation, source IP, logon type, logon/logoff times and session duration. Keep in mind that 4624 and 4634 are written where the logon happened: on a domain controller they cover logons to that DC, not every logon in the domain. A domain-wide picture comes from the Kerberos and NTLM authentication events the DCs record (4768, 4769 and 4776), or from collecting the Security logs of the workstations themselves.

Depending on the volume of events the script can take a long time to run, and Get-ADUser is called once per session, so narrow the time window or cache the lookups on busy servers. If PowerShell feels heavy, there are other command-line methods that can serve as alternatives.

Use Command Line Query and Get Active Directory User login Report

Open the command line and type

query user /SERVER:servername

Replace "servername" with the server whose sessions you want to see. query user lists the interactive sessions (console and RDP) currently present on that one server, with their state, idle time and logon time; it does not show domain logons in general. It needs RPC connectivity to the target and sufficient rights there, so run it from an admin workstation on the same network.
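query user prints fixed-width text, which is awkward to filter or export. Here is an added example, not part of the original post, that parses that output into objects; the function name, the parameters and the sample session lines are constructed for the example, and the date parsing assumes the same culture that query.exe printed in.

```powershell
# Added example (not from the original post): turn the fixed-width text that
# "query user" prints into objects that can be filtered, sorted and exported.
function ConvertFrom-QueryUser {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]] $InputLine,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    begin {
        # Columns: optional ">" (the session running the command), username, optional
        # session name (absent for disconnected sessions), ID, state, idle time, logon time.
        $pattern = '^\s*(?<current>>)?\s*(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+?)\s*$'
    }
    process {
        foreach ($line in $InputLine) {
            if ($line -match '^\s*>?\s*USERNAME\s+SESSIONNAME') { continue }   # header row
            if ($line -match $pattern) {
                # query.exe prints the logon time in the local culture; keep the raw text if it does not parse
                $logon = try { [datetime]::Parse($Matches['logon'], [cultureinfo]::CurrentCulture) } catch { $Matches['logon'] }
                [PSCustomObject]@{
                    Computer  = $ComputerName
                    UserName  = $Matches['user']
                    Session   = $Matches['session']
                    Id        = [int]$Matches['id']
                    State     = $Matches['state']
                    IdleTime  = $Matches['idle']
                    LogonTime = $logon
                    IsCurrent = [bool]$Matches['current']
                }
            }
        }
    }
}

# Constructed sample of what "query user /server:FS01" prints (not real data)
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             1  Active      none   10/8/2024 8:02 AM
 jdoe                  rdp-tcp#3           2  Active         12  10/8/2024 9:15 AM
 asmith                                    3  Disc      1+02:30  10/7/2024 4:40 PM
'@ -split "`r?`n"

$sample | ConvertFrom-QueryUser -ComputerName 'FS01' | Where-Object State -eq 'Disc'

# Live use against a real server:
# query user /server:FS01 | ConvertFrom-QueryUser -ComputerName FS01 | Export-Csv sessions.csv -NoTypeInformation
```

The regular expression is what makes disconnected sessions parse correctly: their SESSIONNAME column is empty, so splitting on whitespace alone would shift every later column by one.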

If, for regulatory or personal reasons, an admin renames an AD user with PowerShell, there is a chance the user then runs into login errors, and the Security log entries written before the rename still carry the old account name, so a report for the new name misses that history. Formulate a checklist beforehand so that neither effect is mistaken for something else.

Here is an alternative batch script that uses the net command at the domain level to list every account together with its Last logon value:

@echo off
setlocal enabledelayedexpansion
echo Username,Last Logon
rem net user /domain prints a header, then up to three account names per line,
rem then "The command completed successfully." findstr /v drops the header and
rem trailer lines so only the name columns reach the loop.
for /f "tokens=1-3" %%a in ('net user /domain ^| findstr /v /b /c:"The " /c:"User accounts" /c:"---"') do (
    for %%u in (%%a %%b %%c) do (
        set "user=%%u"
        set "lastlogon=Never"
        rem "Last logon" is followed by a date and time that itself contains colons,
        rem so split on whitespace and keep everything after the second word.
        for /f "tokens=2,*" %%i in ('net user !user! /domain ^| findstr /C:"Last logon"') do (
            set "lastlogon=%%j"
        )
        echo !user!,!lastlogon!
    )
)
pause

Because net user /domain and net user <name> /domain are answered by a single domain controller, the Last logon shown is that DC's non-replicated lastLogon value, so a user who authenticated against a different DC may show an older date or Never. The script also makes one net user call per account, which is slow in a large domain.

Check the Event Viewer to See the User Logon Logoff Time in AD

The Event Viewer is a default addition in all Windows machines so most likely you have it preinstalled on your system as well.

Not every logon attempt is genuine, so if the log shows suspicious activity, such as a burst of failed logons (4625) at odd hours, a preemptive password reset for that account in Active Directory is a sensible first containment step.

Event Viewer shows the Security log of the machine it is opened on. That log holds the logon and logoff events the local audit policy records, so on a domain controller you see logons to that DC and the Kerberos and NTLM authentication events it handled, not a single central record of every logon in the domain.

Open Event Viewer > Windows Logs > Security

Search for the following IDs:

  • 4624 – Successful account logon; includes the logon type, the workstation name and the source IP address
  • 4625 – Failed account logon; the Status/SubStatus fields give the reason (bad password, locked out, disabled, expired)
  • 4634 – Account logoff
  • 4647 – User-initiated logoff (the user chose to sign out)
  • 4648 – Logon with explicit credentials (runas, or another account supplied for a connection)

In case the Event Viewer does not contain the data

Then either you are looking at the wrong machine (the event is written where the logon happened, so check the DC or server that handled it), the audit policy does not record these events yet, or the Security log has already rolled over because of its size limit. Check the policy with auditpol /get /category:"Logon/Logoff": the Audit Logon and Audit Logoff subcategories must be set to Success (and Failure, for 4625), which is done through the Advanced Audit Policy Configuration settings in a GPO.

In the case of a policy change, recording starts from that moment onwards, so any earlier logon event will not be visible.
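To show how these IDs fit together, here is an added example (not code from the original post) that reads all five from a Security log, resolves each event's fields by name from its XML instead of by position, decodes the logon type and the 4625 failure reason, and prints a per-user timeline. The function names, the -Hours default and the -ComputerName parameter are this example's own choices; it needs an elevated prompt and the audit subcategories above enabled on the target machine.

```powershell
# Added example (not from the original post): a per-user logon timeline built from the
# five event IDs listed above. Fields are read by NAME from the event XML, so the different
# EventData layouts of 4624/4625/4634/4647/4648 do not matter.

# Logon type codes as documented for 4624/4625
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# 4625 SubStatus codes and their meaning
$failureReasons = @{
    '0xc000006a' = 'Bad password'; '0xc0000064' = 'User does not exist'
    '0xc0000234' = 'Account locked out'; '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside logon hours'; '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'; '0xc0000193' = 'Account expired'
    '0xc0000224' = 'Password must change'
}

function Get-EventDataByName {
    # Returns the <EventData> fields of an event as a name -> value hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-LogonTimeline {
    param(
        [string] $UserName,                          # optional sAMAccountName filter
        [int] $Hours = 24,
        [string] $ComputerName = $env:COMPUTERNAME   # the machine whose Security log is read
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4634, 4647, 4648
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $d = Get-EventDataByName $evt
            # All five IDs carry the account in TargetUserName (for 4648 it is the account whose credentials were used)
            $user = $d['TargetUserName']
            if ($user -like '*$' -or ($UserName -and $user -ne $UserName)) { return }
            $type = if ($d['LogonType']) { $logonTypes[[int]$d['LogonType']] } else { '' }
            $sub = ([string]$d['SubStatus']).ToLower()
            $reason = if ($failureReasons.ContainsKey($sub)) { $failureReasons[$sub] } else { $sub }
            $detail = switch ($evt.Id) {
                4624 { "logon ($type) from $($d['WorkstationName']) $($d['IpAddress'])" }
                4625 { "FAILED logon ($type): $reason from $($d['IpAddress'])" }
                4634 { "logoff ($type)" }
                4647 { 'user-initiated logoff' }
                4648 { "explicit credentials used by $($d['SubjectUserName']) for $($d['TargetServerName'])" }
            }
            [PSCustomObject]@{
                Time     = $evt.TimeCreated
                Computer = $ComputerName
                User     = $user
                EventId  = $evt.Id
                LogonId  = $d['TargetLogonId']
                Detail   = $detail
            }
        } | Sort-Object Time
}

# Usage: one user's last two days on this machine, or everything on a remote server
Get-LogonTimeline -UserName jdoe -Hours 48 | Format-Table -AutoSize
# Get-LogonTimeline -ComputerName DC01 | Export-Csv timeline.csv -NoTypeInformation
```

Reading fields by name is what keeps the function correct across the five IDs: 4624 stores the logon ID in its eighth field while 4634 stores it in its fourth, so positional Properties[] lookups silently return the wrong value for one of them.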

If you do not want to look at every logon and logoff but only the last one, Active Directory has a built-in way to show it. So let's see how to use it.

Traditional Way to Track User Entry-Exit in Active Directory

Your Active Directory comes with a host of tools and snap-ins to manage its objects, and they can also show the per-user logon attributes. Use these steps to display a preliminary Active Directory user login report.

  • Open the ADUC snap-in.
  • Click View and enable Advanced Features.
  • Find the user in the OU whose login you want to know.
  • Right-click > Properties.
  • Switch to the Attribute Editor tab and scroll to, or type "last" to jump to, the attributes starting with that prefix.
  • lastLogoff, lastLogon and lastLogonTimestamp are listed there with their values.

Unfortunately, this is where the usefulness of ADUC ends: it is a view-only, one-user-at-a-time setup, and the value shown is this DC's non-replicated lastLogon (lastLogonTimestamp is the replicated one). If you open the attribute to copy it, you get the raw 64-bit FILETIME integer (100-nanosecond intervals since 1 January 1601 UTC) instead of the date, which is not useful for reporting unless you convert it, for example with [DateTime]::FromFileTime in PowerShell or w32tm /ntte at the command line.

Combined with the time-consuming and repetitive nature of the operation, it is clear why admins abandon this method from the get-go. Not to worry, as there is an alternative that combines ease with a proper export.

Professionally Monitor When Users Log In and Out of the Server

To make an Active Directory user login report, use SysTools AD Reporting software. With a GUI-based domain setup and a password-protected login mechanism, admins can track the entry and exit timings of all users remotely.

Apart from basic tracking, the software has a feature to list all users that have never logged in since their account was created, so admins can use that report to disable or delete dormant accounts at once.

Moreover, the tool not only exports Active Directory users to CSV format but also previews the data before the export. Admins can set a custom duration or pick a preset interval of 5, 7, 10, 30, 60 or 90 days, or up to a year at most. The following steps show how to operate the tool in your local environment.

Get a Script Free Active Directory User Login Report Step-By-Step

Step 1. Use the appropriate workstation to load and launch the tool. Let the administrator credentials fill in on their own then hit the Login button.

Step 2. Click the REGISTER DOMAIN CONTROLLER icon to open the domain registration popup.

Step 3. Enter the Domain-friendly name and the corresponding IP address for your AD, then hit the Save and Continue button.

Step 4. The tool takes you to the Domain Details page where you need to complete admin credential validation. After that toggle the Reports tab.

Step 5. Under the Users Workload Select the “Login” category.

Step 6. Use the duration picker to select the timeline from which you want to make the Active Directory user login report.

Step 7. Click on the Preview button, and take a look at the user list before the export.

Step 8. Expand the Download Report option and select CSV.

Step 9. Save the file in the intended location and open it using any spreadsheet viewer.

Conclusion

All admins who want an Active Directory user login report can now build one in any of the five ways covered here. The PowerShell scripts and the .bat file give a code-style option whose output can be exported, while those with a less technical background can rely on ADUC or Event Viewer.

However, every manual approach has a limitation of one kind or another: lastLogon is not replicated between DCs, logon events live in the Security log of the machine where the logon happened, and the net user loop queries one account at a time. Therefore, admins who want to bypass this can rely on the automated alternative that gives them a user logon and logoff time report easily.

Frequently Asked Questions on Active Directory User Login Reports

Can I get user login/logoff information via the Active Directory Administrative Center?
Yes. If you are an administrator or have equivalent access, you can see the same logon attributes from ADAC as well: launch the console, use Global Search to find the user, open the account, and look at the Attribute Editor under the Extensions section.

Is it possible to see from where a user login attempt is being made in AD?
You can identify the computer: event 4624 records the workstation name and, for network logons, the source IP address. Active Directory does not geolocate login attempts, so the physical location is not available from it.

Why does Event Viewer show an unusually large number of login attempts for one account?
A high number of login attempts, especially at odd hours, does not always mean an attack. A known cause is a phone that stays connected to the Exchange server after the user's password was changed: it keeps a cached copy of the old credentials and retries continuously, producing a stream of failed logons (4625) with the bad-password status for that account.
