Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Tuesday, January 23, 2018 12:31 PM
Hello Guys ,
i am looking for a script which can generate last log in details for a specific user for last 60 days..
anyone aware..
Thanks & Regards
Surya Mohanty
All replies (19)
Tuesday, January 23, 2018 12:45 PM
Hello Richard ,
thanks for the quick reply ..but unfortunately we don't have auditing enabled which would keep the data as events . couple of days is as far as the security events are available .
I have been informed below command could do the job
get-aduser -filter {lastlogondate -gt "1/12/2017"} -Properties lastlogondate | select Name,LastLogonDate | sort name
but it's generic where as I am looking for a specific user..
any idea ??
Tuesday, January 23, 2018 12:46 PM | 1 vote
Or, if the user login on just one computer, u can query SYSTEM event log to retrieve informations
Param (
[int]$Days = 60
)
cls
$Result = @()
Write-Host "Gathering Event Logs, this can take awhile..."
$ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-$Days)
If ($ELogs)
{ Write-Host "Processing..."
ForEach ($Log in $ELogs)
{ If ($Log.InstanceId -eq 7001)
{ $ET = "Logon"
}
ElseIf ($Log.InstanceId -eq 7002)
{ $ET = "Logoff"
}
Else
{ Continue
}
$Result += New-Object PSObject -Property @{
Time = $Log.TimeWritten
'Event Type' = $ET
User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
}
}
$Result | Select Time,"Event Type",User | Sort Time -Descending | Out-GridView
Write-Host "Done."
}
Else
{ Write-Host "Problem :)"
}
Tuesday, January 23, 2018 12:48 PM
Thanks Mekac ,
is it a ps script ??
Tuesday, January 23, 2018 1:01 PM
Thanks Richard..but I am looking for logon events for last month or so..the above command only gives the last successful login..
Tuesday, January 23, 2018 1:02 PM
hello Mekac ,
i have ran it on my personal machine which generates report going back to 12/01/2018..so not sure..is it because i have system event present until the date..!!!
Tuesday, January 23, 2018 1:37 PM
sure u have eventId 7001 before 12/01/2018 in your system log?
Tuesday, January 23, 2018 2:01 PM
yes ,the last event 7001 is present on 12/01/2018..so i guess that's the reason the event goes as far as the date.
Tuesday, January 23, 2018 2:02 PM
Thanks a lot Richard..I will check and see if we can amend the logon script to include the same.
Wednesday, January 24, 2018 5:23 AM
Hi,
I'm checking how the issue is going, was your issue resolved?
And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.
Appreciate for your feedback.
Best Regards,
Albert
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, January 24, 2018 7:38 AM
hi Joelbarlow ,
much appreciate your guidance here..
for the script , I am getting below error
"
dsquery failed:'-attr' is an unknown parameter.
type dsquery /? for help.PS C:\Users\******>
2. Thanks for sharing http://gallery.technet.microsoft.com/scriptcenter/1596233c-2f4e-40a5-83cf-4d3265b01d26..&
https://www.lepide.com/how-to/track-last-logon-date-and-time-for-active-directory-users.html..
but i am looking to query in one domain only ..one user
so appreciate if you can provide me the script to get the details.
Wednesday, January 24, 2018 10:48 AM
Get-ADUser -Filter *| Where LastLogonDate -le (Get-Date).AddDays(-60) | Out-File C:\Text.txt
This Should work, and generate a .txt file with the information.
Wednesday, January 24, 2018 10:53 AM
Thanks m8..
but I think the above will generate the report for all the users which would be time consuming and slow the server..so is there anyway we can filter out for a single user ..??
Wednesday, January 24, 2018 11:27 AM
Hi Surya,
Based on my research, I'd like to explain that Richard's logon script is the easiest way to achieve your requirement. The following article for your reference:
Record Logon / Logoff Activities on Domain Servers and Workstations Using Group Policy
https://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
In addition, the LastLogonTimeStamp and LastLogonDate is calculated by LastLogon, and their values are different. But even LastLogon is not equal to the actual logon time. You can have a try to run the following command to connect to a shared folder with a specific user credential and see if his LastLogon is updated:
net use \sharefolder /user:userA
For more information, you may refer to this link:
Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate
https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx
By the way, to determine the user logon time by event log, the correct Event is 4624 with LogonType 2 or 10, you can use the following command to get this event:
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624}
You can refer to the following link for details:
4624(S): An account was successfully logged on.
/en-us/windows/device-security/auditing/event-4624
If you have any updates during this process, please feel free to let me know.
Best Regards,
Albert
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, January 24, 2018 12:31 PM
Thanks a lot Albert..
I will follow through the instruction and advise you on the outcome..
Friday, January 26, 2018 5:08 AM
Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Albert
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Tuesday, January 30, 2018 6:20 AM
Hi,
I am checking how the issue is going, if you still have any questions, please feel free to contact us.
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If no, please reply and tell us the current situation in order to provide further help.
Appreciate for your feedback.
Best Regards,
Albert
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, January 31, 2018 12:47 PM
hello Albert ,
First of all thank you for helping me out here..
Though i didn't get what I was looking for , but it helps ..So I am thankful for it .
:)
Thursday, February 1, 2018 1:46 AM
Hi Surya,
If there is anything else we can do for you, please feel free to post in the forum.
Best Regards,
Albert
Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Thursday, February 1, 2018 11:49 AM
Thanks Albert