Table of Contents<\/strong><\/p>\n This will allow admins to choose the best possible approach for revealing the entry-exit timeline of various users on the Active Directory. As PowerShell is the most in-demand method let’s start from there.<\/p>\n Here is a basic query that uses the last login parameters on a particular domain controller.<\/p>\n This script calls the lastLogoff, and lastLogon parameters and converts them into the corresponding date-time value. The never string indicates that either the user has not logged in or not logged out.<\/p>\n After admins add users to the active directory in bulk<\/a> they often have to monitor the login activity to see if those accounts are being used or not.<\/p>\n For that, you can count and track every login and log out individually. So for that admins have to add an Active Directory user login report export mechanism from their end.<\/p>\n This PowerShell script retrieves user login and logout history from Windows Security Event logs for the past 24 hours. It filters events by username and logon type (local or remote), matches login and logout events, and outputs detailed information including username, full name, computer, logon type, login\/logout times, and session duration.<\/p>\n However, beware depending on the number of events the script may stuck or take a long time to execute. If PowerShell feels tight there are other code-based methods that can serve as the alternatives.<\/p>\n Open the command line and type<\/p>\n Replace \u201cservername\u201d with the one where you are tracking the user activity. However, keep in mind this query can only be used if your workstation is on the same network as the target AD.<\/p>\n If due to regulatory pressure or personal reasons admin renames an\u00a0 AD user using PowerShell<\/a> there is always a chance that the user struggles with login errors. To make sure that this does not happen in your case formulate a checklist beforehand.<\/p>\n Here is an alternative bat script that makes use of the net command at the domain level to get the list of all users<\/p>\n The Event Viewer is a default addition in all Windows machines so most likely you have it preinstalled on your system as well.<\/p>\n Not all user login attempts are genuine in nature so if admins identify any suspicious activity it might be a smart call to preemptively reset the user password in Active Directory<\/a> at once.<\/p>\n This program keeps a log of all activity that occurs in the AD so every user login and log-out details can be seen from there.<\/p>\n Open Event Viewer > Windows Logs > Security<\/p>\n Search for the following IDs:<\/p>\n In case the Event Viewer fails to display\/contain the data<\/p>\n Then either you have selected the wrong domain controller, or the Event Viewer is yet to receive the GPO access to record the events.<\/p>\n In the case of the latter, the Event Viewer starts recording from that moment onwards so any previous login event won’t be visible.<\/p>\n If you do not want to look at every login logout but just the last one then the AD contains some inbuilt solution. So let’s see how to use it.<\/p>\n Your Active Directory comes with a whole host of tools and add-ons to monitor the resources. These can also be used to keep an eye on the total duration of the user activity inside AD. Use these steps to display a preliminary Active Directory User Login Report.<\/p>\n <\/p>\n Unfortunately, this is where the Active Directory log user logon logoff with ADUC ends. So you are stuck with a strictly view-only setup. Moreover, if you try to edit the parameter to copy it instead of the date\/time you get a large inter value instead. Which is not at all useful for reporting purposes.<\/p>\n Combining this limitation with the time-consuming and repetitive nature of the operation it becomes quite clear why admins abandon this method from the get-go. Not to worry as we have an alternative that combines the ease.<\/p>\n To make an Active Directory user login report use SysTools AD Reporting software<\/strong>. With a GUI-based domain setup and password-protected login mechanism, admins can track the Entry-Exit timings of all users remotely.<\/p>\n Apart from the basic tracking, this piece of software has a smart feature to list down all users that never logged in post account creation. So admins can use this report to delete or disable all such dormant accounts at once.<\/p>\n\n
Make an Active Directory User Logon Logoff Report with PowerShell<\/h2>\n
Get-ADUser -Filter * -Property lastLogoff, lastLogon | Select-Object Name,\r\n@{Name='LastLogoff'; Expression={\r\n$date = [DateTime]::FromFileTime($_.lastLogoff)\r\nif ($date -eq [DateTime]::FromFileTime(0)) { \"Never\" } else { $date }\r\n}},\r\n@{Name='LastLogon'; Expression={\r\n$date = [DateTime]::FromFileTime($_.lastLogon)\r\nif ($date -eq [DateTime]::FromFileTime(0)) { \"Never\" } else { $date }\r\n}}\r\n<\/pre>\n![\"PowerShell](\"https:\/\/www.systools.in\/blog\/wp-content\/uploads\/2024\/08\/ad-user-login-pwrshl-code.webp\")
<\/p>\n# Import the Active Directory module\r\nImport-Module ActiveDirectory\r\n# Function to get AD user login\/logout history for the last 24 hours\r\nfunction Get-UserLoginLogoutHistory {\r\n \u00a0\u00a0\u00a0param(\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[string] $UserName,\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[switch] $LogonTypeLocal,\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0[switch] $LogonTypeRemote\r\n \u00a0\u00a0\u00a0)\r\n \u00a0\u00a0\u00a0$startDate = (Get-Date).AddDays(-1)\r\n \u00a0\u00a0\u00a0$endDate = Get-Date\r\n \u00a0\u00a0\u00a0# Get security events for login success and logouts for the last 24 hours\r\n \u00a0\u00a0\u00a0$filterXPath = \"*[System[((EventID=4624) or (EventID=4634)) and TimeCreated[@SystemTime>='{0}' and @SystemTime<='{1}']]]\" -f $startDate.ToUniversalTime().ToString(\"s\"), $endDate.ToUniversalTime().ToString(\"s\")\r\n \u00a0\u00a0\u00a0$events = Get-WinEvent -LogName Security -FilterXPath $filterXPath -ErrorAction SilentlyContinue\r\n \u00a0\u00a0\u00a0# Filter events based on username and logon type\r\n \u00a0\u00a0\u00a0if ($UserName) {\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$events = $events | Where-Object { $_.Properties[5].Value -eq $UserName }\r\n \u00a0\u00a0\u00a0}\r\n \u00a0\u00a0\u00a0$loginEvents = @{}\r\n \u00a0\u00a0\u00a0$logoutEvents = @{}\r\n \u00a0\u00a0 foreach ($event in $events) {\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$samAccountName = $event.Properties[5].Value\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$sessionId = $event.Properties[7].Value\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$logonType = $event.Properties[8].Value\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Skip if not matching LogonType filters\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (($LogonTypeLocal -and $logonType -eq 3) -or ($LogonTypeRemote -and $logonType -ne 3)) {\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0continue\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if ($event.Id -eq 4624) {\u00a0 # Login event\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$loginEvents[\"$samAccountName-$sessionId\"] = $event\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} elseif ($event.Id -eq 4634) {\u00a0 # Logout event\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$logoutEvents[\"$samAccountName-$sessionId\"] = $event\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n \u00a0\u00a0 }\r\n \u00a0\u00a0\u00a0# Process login events and match with logout events\r\n \u00a0\u00a0\u00a0foreach ($key in $loginEvents.Keys) {\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$loginEvent = $loginEvents[$key]\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$logoutEvent = $logoutEvents[$key]\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$samAccountName = $loginEvent.Properties[5].Value\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$computer = $loginEvent.Properties[11].Value\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$logonType = if ($loginEvent.Properties[8].Value -eq 3) { \"Remote\" } else { \"Local\" }\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Get full name to construct active directory user login report\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try {\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$adUser = Get-ADUser -Identity $samAccountName -Properties DisplayName -ErrorAction Stop\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$fullName = $adUser.DisplayName\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch {\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$fullName = \"Unable to retrieve full name\"\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$userLogin = [PSCustomObject]@{\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"UserName\" = $samAccountName\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"FullName\" = $fullName\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Computer\" = $computer\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"LogonType\" = $logonType\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"LoginTime\" = $loginEvent.TimeCreated\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"LogoutTime\" = if ($logoutEvent) { $logoutEvent.TimeCreated } else { \"Session still active or logout not recorded\" }\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"SessionDuration\" = if ($logoutEvent) {\u00a0\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$duration = $logoutEvent.TimeCreated - $loginEvent.TimeCreated\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"{0:D2}:{1:D2}:{2:D2}\" -f $duration.Hours, $duration.Minutes, $duration.Seconds\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} else { \"N\/A\" }\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Write-Output $userLogin\r\n \u00a0\u00a0\u00a0}\r\n}\r\n# Call the Get-UserLoginLogoutHistory function with default parameters\r\nGet-UserLoginLogoutHistory -UserName \"\" -LogonTypeLocal:$false -LogonTypeRemote:$false<\/pre>\n![\"PowerShell](\"https:\/\/www.systools.in\/blog\/wp-content\/uploads\/2024\/08\/ad-user-login-pwrshl.webp\")
<\/p>\nUse Command Line Query and Get Active Directory User login Report<\/h2>\n
query user \/SERVER:servername<\/pre>\n
@echo off\r\nsetlocal enabledelayedexpansion\r\necho Username,Last Logon\r\nfor \/f \"skip=5 tokens=1,* delims= \" %%a in ('net user \/domain') do (\r\n \u00a0\u00a0\u00a0set \"user=%%a\"\r\n \u00a0\u00a0\u00a0if not \"!user!\"==\"The\" if not \"!user!\"==\"command\" (\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0for \/f \"tokens=1,* delims=:\" %%i in ('net user !user! \/domain ^| findstr \/C:\"Last logon\"') do (\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0set \"lastlogon=%%j\"\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if \"!lastlogon!\"==\"\" set \"lastlogon= Never\"\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0echo !user!,!lastlogon!\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0)\r\n \u00a0\u00a0\u00a0)\r\n)\r\npause<\/pre>\n![\"BAT](\"https:\/\/www.systools.in\/blog\/wp-content\/uploads\/2024\/08\/ad-user-login-cmd-bat.webp\")
\nThis script limits its scope to the current machine so any login activity from outside is not reported here.<\/p>\nCheck the Event Viewer to See the User Logon Logoff Time in AD<\/h3>\n
\n
Traditional Way to Track User Entry-Exit in Active Directory<\/h3>\n
\n
\n![\"ADUC](\"https:\/\/www.systools.in\/blog\/wp-content\/uploads\/2024\/08\/aduc-1.webp\")
<\/li>\n
\n![\"User](\"https:\/\/www.systools.in\/blog\/wp-content\/uploads\/2024\/08\/aduc-2.webp\")
<\/li>\n
\n![\"Preliminary](\"https:\/\/www.systools.in\/blog\/wp-content\/uploads\/2024\/08\/aduc-3.webp\")
<\/li>\n<\/ul>\nProfessionally Monitor When Logs-in and Logs-out of the Server<\/h3>\n
![\"Type](\"https:\/\/systoolskart.com\/imgp\/ad-reporter\/step-1.webp\")
<\/p>\n![\"Press](\"https:\/\/systoolskart.com\/imgp\/ad-reporter\/step-6.webp\")
<\/p>\n![\"Save](\"https:\/\/systoolskart.com\/imgp\/ad-reporter\/step-8.webp\")
<\/p>\n![\"Toggle](\"https:\/\/systoolskart.com\/imgp\/ad-reporter\/step-10.webp\")
<\/p>\n![\"User\"](\"https:\/\/systoolskart.com\/imgp\/ad-reporter\/step-12.webp\")
<\/p>\n![\"preset](\"https:\/\/systoolskart.com\/imgp\/ad-reporter\/step-12-6.webp\")
<\/p>\n![\"successful](\"https:\/\/systoolskart.com\/imgp\/ad-reporter\/step-22.webp\")
<\/p>\n