
How to Get User Logon History in Active Directory

Investigating account lockouts or detecting suspicious access often requires reviewing user logon events. Logon history reveals access patterns and helps determine whether users are reaching only authorized resources or violating policy. This data only exists if the right audit policies are in place: logon events are recorded on the computer that was logged on to, and account logon (authentication) events on the domain controllers. This guide shows how to audit user logon history in Active Directory effectively.

View User Logon History Using Event Viewer in Windows Server

Active Directory permission required: membership in the Event Log Readers group (least privilege; the Builtin domain group covers domain controllers, the local group covers member servers and workstations) or Administrators (most privilege).
  • Open Event Viewer by searching for it in the Start menu or typing eventvwr.msc in the Run dialog (Win + R).
  • Navigate to the Windows Logs»Security and select 'Filter Current Log' from the Actions pane.
  • In the Filter window, enter the following IDs as comma-separated values in the Event ID field as shown below and click OK.

    4624, 4625, 4648

    • 4624: Successful account logon.
    • 4625: Failed account logon.
    • 4648: Logon attempted using explicit credentials.
  • Review the filtered events to analyze the user logon activities in the Active Directory environment.
  • Note: Events 4624, 4625 and 4648 are written to the Security log of the computer where the logon occurred (the domain controller for logons to the DC itself, the workstation or server for interactive and network logons to it). To see all logons for a user, query every domain controller and the member workstations or servers, or collect their Security logs centrally with Windows Event Forwarding.

Get User Logon History Using Active Directory PowerShell

Active Directory permission required: membership in the Event Log Readers group (least privilege; the Builtin domain group covers domain controllers, the local group covers member servers and workstations) or Administrators (most privilege).
  • Execute the following PowerShell script to retrieve the logon events for a specific user in Active Directory.
  • Before running the script, ensure you replace UserName, StartDate, and EndDate with the appropriate values.
    $user      = "<UserName>"
    $startDate = "<YYYY-MM-DD>"
    $endDate   = "<YYYY-MM-DD>"
    # Filter by event ID and time window inside the log query; this is far faster
    # than piping the whole Security log through Where-Object. Add
    # -ComputerName <DC or workstation> to read another machine's Security log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4648
        StartTime = (Get-Date $startDate)
        EndTime   = (Get-Date $endDate).AddDays(1)   # include the whole end date
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$user*" } |   # substring match on the event text
        Select-Object TimeCreated, Id, Message

Audit User Logon Events in Active Directory with AdminDroid

AdminDroid’s Active Directory auditing tool provides deeper insights into logon events. It offers detailed reports on all logons, including successful and failed logins, logons with explicit credentials, user-initiated logoffs, and more.

Detect Remote Logon Failures in AD to Prevent Breaches

Monitor failed remote logins in Active Directory to detect compromised credentials, identify brute-force attacks, and address misconfigured remote access settings.

Audit Daily User Logons to Track Security Violations

Analyze both successful and failed logons in Active Directory using AdminDroid's daily logon summary report to find abnormal logon patterns and identify compromised accounts before escalation.

Find Logon Failures Due to Invalid Credentials

Identify logon failures due to invalid credentials using AdminDroid to quickly detect password spraying attacks, misconfigured user accounts, and other security risks.

Track All Logon Restrictions in Active Directory

Review the All Logon Restrictions summary report to see the logon-hour and logon-workstation restrictions applied to Active Directory users and confirm they match your security policies.

Monitor AD Special Group Logons to Prevent Privilege Misuse

Discover logons of special group members in Active Directory to monitor sensitive resource access, track highly privileged account activity, and detect security threats.

Identify Login Denied Users for Faster Logon Failure Investigation

Identify login denied users due to expired passwords, disabled accounts, lockouts, and other causes to quickly resolve authentication issues in Active Directory.

In conclusion, AdminDroid streamlines tracking user login history with detailed reports to identify security risks and ensure compliance. Its advanced features and intuitive interface make monitoring sign-ins and managing user activity effortless.

Explore a full range of reporting options

Important Tips

Monitor users allowed to log in to all computers in your Active Directory to ensure only authorized users have access and reduce the attack surface.

Restrict administrator logons to lower-trust servers and workstations (for example with the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in a tiered administration model) so that high-privilege credentials are never cached or exposed on machines an attacker can more easily compromise.

Find users with logon scripts to ensure they are optimized and error-free, as poorly designed scripts can cause logon delays or failures under certain conditions.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while managing Active Directory user logon activity.

Error: String was not recognized as a valid DateTime.

The error occurs when an invalid date format is entered while retrieving specific user logon activity in PowerShell.

Fix: Enter the date in a format Get-Date can parse, such as the ISO form YYYY-MM-DD (for example 2025-01-31), which is unambiguous regardless of the system's regional settings.

Error: The system administrator has restricted the times during which you may log in. Try logging in later.

Users encounter this when attempting to log on outside the logon hours configured for their account in Active Directory (the domain controller records it as event 4625 with sub status 0xC000006F).

Fix: Check the logon hours configured on the account in Active Directory and adjust them with an account that has permission to modify them.

Error: Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. Access is denied.

This error occurs when the account opening the Security log is neither an administrator nor a member of the Event Log Readers group on that computer.

Fix: Add the account to the Event Log Readers group (the Builtin domain group for domain controllers, the local group for member servers and workstations) and sign in again so the new membership takes effect, or use an administrator account.

Error: You do not have permission to change the Logon Hours attribute, your changes will not be saved.

This issue occurs when attempting to change the logon hours of a user in the Active Directory Users and Computers MMC snap-in without write permission on the user's logonHours attribute.

Fix: Make sure your account has been delegated write access to user account properties (or is a member of Account Operators or Domain Admins) before updating the logon hours for a user.

Frequently Asked Questions

Check User Logon History in Active Directory to Investigate Suspicious Logons

1. How to enable user logon auditing in Active Directory?

Enabling user logon auditing in Active Directory is a prerequisite for seeing logon events in Event Viewer. It lets admins check the logon history of AD users to spot unauthorized access, logon failures, and suspicious activity. Follow these steps to enable logon auditing through a Group Policy Object.

Enable logon auditing in Active Directory

  • Open the Group Policy Management console by executing gpmc.msc in the Run dialog and pressing Enter.
  • To audit logons on every computer in the domain, right-click the domain and select "Create a GPO in this domain, and Link it here". Linking at the domain level applies the policy to domain controllers and member computers alike: Logon/Logoff events are recorded on the computer that was logged on to, while Account Logon events are recorded on the domain controllers.
  • Name your GPO and click OK. Then, right-click on the new GPO and select Edit.
  • In the Group Policy Management Editor window, navigate to the audit policy using the following path:

    Computer Configuration»Policies»Windows Settings»Security Settings»Advanced Audit Policy Configuration»Audit Policies

  • Under Audit Policies, open each of the following subcategories, tick "Configure the following audit events", select both Success and Failure, and click OK.

    • Account Logon

      • Audit Kerberos Authentication Service

    • Logon/Logoff

      • Audit Logon
      • Audit Logoff
      • Audit Other Logon/Logoff Events


Note: You can also apply the above configurations to the Default Domain Policy to implement them across the entire domain. However, it is recommended to create a dedicated GPO to prevent altering the Default Domain Policy settings.

This enables logon auditing for your Active Directory environment and lets you monitor the sign-in history of AD users. Keep in mind that logon events are recorded only after the policy has been applied: wait for the next Group Policy refresh or run gpupdate /force on the computers concerned. If the legacy audit policy (Local Policies»Audit Policy) is also configured anywhere, enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so the advanced subcategories above take precedence.
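
After the GPO has applied, the check a practitioner wants is whether the subcategories are actually in effect on the domain controller, because a conflicting legacy policy or a GPO that never reached the machine leaves the Security log silent. The script below is an added example, not code from the original article: it reads the effective policy with the built-in auditpol.exe and flags subcategories that are not set to Success and Failure. Two subcategories the article does not configure are included as a recommendation (an assumption of this example): Credential Validation, which records NTLM logons (event 4776), and Kerberos Service Ticket Operations (event 4769); Kerberos Authentication Service alone only covers ticket-granting-ticket requests. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): verify the effective audit
# policy on this computer with auditpol.exe. Run elevated, on a DC for
# authentication auditing.

# Subcategories the GPO configures, plus two recommended here (assumption):
# 'Credential Validation' (NTLM, 4776) and 'Kerberos Service Ticket
# Operations' (4769). 'Kerberos Authentication Service' only logs 4768/4771.
$RequiredSubcategories = @(
    'Kerberos Authentication Service'
    'Kerberos Service Ticket Operations'
    'Credential Validation'
    'Logon'
    'Logoff'
    'Other Logon/Logoff Events'
)

function Get-EffectiveAuditPolicy {
    # 'auditpol /get /category:* /r' prints every subcategory as CSV with the
    # columns Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting.
    auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

function Test-LogonAuditPolicy {
    param([string[]]$Subcategory = $RequiredSubcategories)
    $effective = Get-EffectiveAuditPolicy
    foreach ($name in $Subcategory) {
        $row = $effective | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting                     # e.g. 'Success and Failure', 'No Auditing'
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

function Enable-LogonAuditPolicy {
    # Local remediation for a lab or standalone host. On a domain-joined
    # computer Group Policy overwrites this at the next refresh, so the real
    # fix belongs in the GPO; use this only to confirm the expected effect.
    param([string[]]$Subcategory = $RequiredSubcategories)
    foreach ($name in $Subcategory) {
        auditpol /set "/subcategory:$name" /success:enable /failure:enable | Out-Null
    }
}

# Usage:
# Test-LogonAuditPolicy | Format-Table -AutoSize
# Test-LogonAuditPolicy | Where-Object { -not $_.Compliant }   # what still needs fixing
```

Run Test-LogonAuditPolicy on each domain controller (or wrap it in Invoke-Command) after gpupdate /force; any row that reports "No Auditing" or "not reported" means the corresponding events will not appear in the Security log no matter what Event Viewer filter you apply.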

2. What are the types of logons in Active Directory?

Logon types describe how a session was established on a Windows computer: at the console, over the network, by a service, through Remote Desktop, and so on. The number is recorded in the Logon Type field of events 4624 and 4625, which is how you tell an RDP session from a file-share access in the logon history.

Below are common Active Directory sign-in types and their numeric identifiers for logon types reported in the security event log.

  • Interactive Logon (2): This occurs when a user directly logs into a machine, such as a workstation or server, using their credentials. Here, authentication is handled locally or via a domain controller.
  • Network Logon (3): This type of logon occurs when a user or computer accesses resources, like shared files or printers, over the network.
  • Batch Logon (4): Executes automated tasks (e.g., scheduled tasks or scripts) under specific credentials, without manual intervention.
  • Service Logon (5): This type of logon is initiated by the Service Control Manager to allow services to authenticate and access resources securely while running in the background under a designated account.
  • Unlock Logon (7): Triggered when a user unlocks a computer. It re-authenticates the user without starting a new session.
  • Network Cleartext Logon (8): Like a network logon (type 3), but the password was passed to the authentication package in unhashed (cleartext) form; the built-in authentication packages still hash it before it crosses the network. Commonly seen with IIS Basic authentication.
  • New Credentials Logon (9): Generated when a process is started with credentials that are used only for outbound network connections, as with runas /netonly; the local session keeps the original user's token.
  • Remote Interactive Logon (10): A logon type for remote desktop sessions via RDP (Remote Desktop Protocol). This is similar to interactive logon but performed remotely.
  • Cached Interactive Logon (11): Allows login using cached credentials when a domain controller is unavailable or in offline scenarios.

Discover every logon type in your Active Directory with AdminDroid!

  • Using the Logon Type filter available in the AdminDroid’s All Account Logons report, you can easily identify specific logon types, including remote logins, interactive logons, network logons, and more.
  • This enables seamless tracking and analysis of all logon types, ensuring enhanced monitoring of your Active Directory.

3. How to find the source of failed logon attempts in Active Directory?

Understanding why the user login failed and where it failed is crucial to maintaining a secure and well-monitored Active Directory environment. Here’s why identifying the source of failed logon attempts, such as the computer name, IP address, and port is important:

  • Detect Security Breaches: Identifying the IP address behind failed attempts helps uncover unauthorized access or brute force attacks.
  • Spot Insider Threats: Checking failed login attempts in Active Directory can reveal suspicious activity, like logons outside business hours, which may indicate potential insider threats.

Here’s how to find the details of the resource where the logon attempt failed in Active Directory:

Find the source of failed logons in Active Directory

  • Open Event Viewer by navigating to Server Manager»Tools.
  • Go to Windows Logs»Security» Filter Current Log (from Actions pane).
  • Enter 4625 as the Event ID to view only failed logon attempts.
  • Click each event to review the details: the Network Information section gives the source network address and port and the workstation name, the Logon Type tells you how the attempt was made, and the Status and Sub Status codes under Failure Information tell you why it failed (wrong password, locked out, outside logon hours, and so on).
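
Clicking through events one at a time does not scale, and matching on the Message text (as the earlier script does) is fragile. The script below is an added example, not code from the original article: it serves both the logon-type list in FAQ 2 and the failed-logon investigation in this FAQ by reading the structured XML fields of each 4624/4625 event, decoding the logon type, and for failed logons summarising attempts by source address, account and reason. It assumes Event Log Readers or administrator rights on the computer queried (a domain controller for logons handled by the DC), the Status and Sub Status codes are the documented 4625 values, and the computer name in the usage lines is hypothetical.

```powershell
# Added example (not from the original article): parse 4624/4625 events from
# their XML fields, decode logon type and failure reason, summarise by source.

# Logon type numbers as they appear in events 4624/4625.
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# 4625 Status / Sub Status codes. Sub Status carries the specific reason when
# present; Status alone is usually the generic 0xC000006D.
$FailureReason = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc000006d' = 'Bad user name or authentication information'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000234' = 'Account locked out'
}

function Get-LogonRecord {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME   # a DC, or any server/workstation
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Every field of the event is a <Data Name="..."> element in the XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type   = [int]$data['LogonType']
        $reason = $null
        if ($_.Id -eq 4625) {
            $code = if ($data['SubStatus'] -and $data['SubStatus'] -ne '0x0') { $data['SubStatus'] } else { $data['Status'] }
            $code = "$code".ToLower()
            $reason = if ($FailureReason.ContainsKey($code)) { $FailureReason[$code] } else { $code }
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { "Type $type" }
            SourceIP    = $data['IpAddress']
            SourcePort  = $data['IpPort']
            Workstation = $data['WorkstationName']
            Reason      = $reason
        }
    }
}

function Get-FailedLogonSummary {
    # One row per (source, account, reason) with the attempt count: many accounts
    # from one source with 'Wrong password' looks like a spray, many attempts on
    # one account like a brute force, 'Outside permitted logon hours' is a policy hit.
    param([datetime]$Since = (Get-Date).AddDays(-1), [string]$ComputerName = $env:COMPUTERNAME)
    Get-LogonRecord -Since $Since -ComputerName $ComputerName |
        Where-Object { $_.EventId -eq 4625 } |
        Group-Object SourceIP, User, Reason |
        ForEach-Object {
            [pscustomobject]@{
                SourceIP = $_.Group[0].SourceIP
                User     = $_.Group[0].User
                Reason   = $_.Group[0].Reason
                Attempts = $_.Count
            }
        } | Sort-Object Attempts -Descending
}

# Usage (DC01 is a hypothetical name):
# Get-LogonRecord -ComputerName DC01 | Where-Object { $_.LogonType -eq 'RemoteInteractive' }   # RDP sessions only
# Get-FailedLogonSummary -ComputerName DC01 -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

Reading the XML rather than the Message means the logic is independent of the display language and of the message template, and the summary runs against one machine's log; loop over Get-ADDomainController to cover every DC, or point it at a collector server if you forward Security logs.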

While these native methods provide the necessary details, manual investigation is needed for each event. This can be time-consuming and tedious, especially in environments with numerous failed attempts. Additionally, the need to review the events recorded by each domain controller and computer to fully understand the situation adds further complexity to the challenge.

Say goodbye to manual investigations! With AdminDroid, you can effortlessly identify the source of user’s failed logon events.

  • The Failed Logon report in AdminDroid captures failed logon attempts from multiple domain controllers, with details such as the computer name, network address, port, logon type, etc.
  • By providing granular details, this report allows admins to pinpoint failed logons from risky devices or networks and take immediate action.

Handy hint: Use the email option (📧) in the top-right corner to effortlessly share failed logon reports to the desired mailbox in your preferred format.

4. How to restrict user logons to specific computers in Active Directory?

In organizations where sensitive data and systems need to be protected, it is crucial to ensure that users can only log on to authorized devices. Limiting user logon access to specific computers in Active Directory is essential for minimizing the risk of unauthorized access, especially from unmanaged or compromised devices. This restriction also helps meet compliance requirements by controlling which devices users can access corporate resources.

Limit user logons to specific computers in Active Directory

  • Open the Active Directory Users and Computers (ADUC) snap-in and locate the user account you want to modify. Right-click the account and select Properties.
  • In the Properties window, go to the Account tab and click Log On To.
  • In the Logon Workstations dialog box, select The following computers under This user can log on to.
  • Enter each computer's NetBIOS name (the computer's sAMAccountName without the trailing $) in the Computer name field and click Add.
  • After adding the computer names, click OK to close the window, then click OK again to save the configuration. The list is stored in the user's userWorkstations attribute and enforced by the domain controller at logon.

5. How to restrict logon hours for a user in Active Directory?

In addition to restricting logons to specific computers, limiting logon hours in Active Directory enhances security and supports productivity. For example, limiting access to business hours can prevent unauthorized logins during outside working hours, reducing the risk of insider threats or after-hours breaches.

Set logon hours for a user in Active Directory

  • Open the Active Directory Users and Computers console.
  • Go to the organizational unit (OU) containing the user, right-click on the respective user account, and select Properties.
  • In the Properties window, go to the Account tab and click Logon Hours.
  • Use the grid to specify the allowed logon hours: select a block of hours and days, then choose Logon Permitted or Logon Denied to allow or block logons during that part of the week. The grid is displayed in your local time but stored in UTC in the user's logonHours attribute, which is what the domain controller enforces.
  • Click OK to save the settings and then click OK again in the Properties window.

Setting logon hours is important for security, but configuring them across time zones for all users can be complex. The process of reviewing and updating logon hours is time-consuming and can be difficult to navigate.
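
For more than a handful of accounts, both restrictions from FAQ 4 and FAQ 5 are easier to apply and verify from PowerShell, and the time-zone problem above is exactly where scripted changes go wrong: logonHours is stored in UTC, while the ADUC grid is drawn in the administrator's local time. The script below is an added example, not code from the original article. It assumes the ActiveDirectory module (RSAT) is installed, that the running account can write the user's userWorkstations and logonHours attributes, and that the user and computer names in the usage lines are hypothetical. The UTC shift uses the local zone's standard offset, so during daylight saving the permitted window is off by one hour, and half-hour zones are truncated.

```powershell
# Added example (not from the original article): set logon workstations and
# logon hours with the ActiveDirectory module. Names in usage are hypothetical.
Import-Module ActiveDirectory

function Set-AllowedWorkstation {
    # userWorkstations holds NetBIOS names (no trailing '$'), comma-separated.
    param([string]$Identity, [string[]]$ComputerName)
    Set-ADUser -Identity $Identity -LogonWorkstations ($ComputerName -join ',')
}

function New-LogonHoursBitmap {
    # logonHours is 21 bytes = 168 bits, one per hour of the week, starting at
    # Sunday 00:00 UTC, least-significant bit first. ADUC shows the grid in the
    # admin's local time, so a local window has to be shifted into UTC.
    # Uses the standard (non-DST) offset; half-hour zones are truncated.
    param(
        [int[]]$Day,                      # 0 = Sunday ... 6 = Saturday, local
        [int]$StartHour,                  # first permitted local hour (inclusive)
        [int]$EndHour,                    # first local hour after the window (exclusive)
        [int]$UtcOffsetHours = [int][TimeZoneInfo]::Local.BaseUtcOffset.TotalHours
    )
    $bits = New-Object byte[] 21
    foreach ($d in $Day) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $utcHour = (($d * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168   # wrap around the week
            $index = [int][math]::Floor($utcHour / 8)
            $bits[$index] = $bits[$index] -bor (1 -shl ($utcHour % 8))
        }
    }
    return $bits
}

function Set-LogonHoursFromBitmap {
    param([string]$Identity, [byte[]]$Bitmap)
    Set-ADUser -Identity $Identity -Replace @{ logonHours = $Bitmap }
}

function Get-PermittedLocalHours {
    # Decode a bitmap back into local-time (day, hour) pairs to verify a change.
    param([byte[]]$Bitmap, [int]$UtcOffsetHours = [int][TimeZoneInfo]::Local.BaseUtcOffset.TotalHours)
    for ($utcHour = 0; $utcHour -lt 168; $utcHour++) {
        if ($Bitmap[[int][math]::Floor($utcHour / 8)] -band (1 -shl ($utcHour % 8))) {
            $local = (($utcHour + $UtcOffsetHours) % 168 + 168) % 168
            [pscustomobject]@{ Day = [DayOfWeek]([int][math]::Floor($local / 24)); Hour = $local % 24 }
        }
    }
}

# Usage: weekdays 08:00-18:00 local time, and two named workstations
# $bitmap = New-LogonHoursBitmap -Day 1,2,3,4,5 -StartHour 8 -EndHour 18
# Set-LogonHoursFromBitmap -Identity 'jdoe' -Bitmap $bitmap
# Set-AllowedWorkstation -Identity 'jdoe' -ComputerName 'WS01','WS02'
# Get-PermittedLocalHours -Bitmap (Get-ADUser jdoe -Properties logonHours).logonHours | Group-Object Day
```

Open the user in ADUC afterwards and compare the Logon Hours grid with the output of Get-PermittedLocalHours; if the two disagree by a whole number of hours, the offset passed to New-LogonHoursBitmap is wrong for the zone the domain controllers enforce against.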

Easily monitor user logon restrictions with AdminDroid and stay in control!

  • With the user logon restrictions report, AdminDroid summarizes limitations on logon workstations and logon hours.
  • You can export detailed insights into Active Directory user logon restrictions, such as user display name, SAM account name, account status, user logon hours, etc., using this report.

6. How to find a user's last logon time in Active Directory

Tracking a user's last login time in Active Directory is essential for maintaining security and managing accounts effectively. Knowing the last legitimate logon helps investigators identify the attack's starting point and expedite the investigation. This enables swift corrective actions, such as disabling compromised accounts or isolating affected systems, to minimize damage.

Additionally, it allows admins to find inactive user accounts by calculating the inactivity period based on the last login time. This makes it easier to clean up unused accounts and enhance overall security.

Check users' last logon time using Active Directory Users and Computers console

  • Go to Server Manager»Tools»Active Directory Users and Computers.
  • Navigate to the desired Organizational Unit (OU) and locate the user account you want to check.
  • Right-click on the user account and select Properties.
  • Switch to the Attribute Editor tab (shown only when Advanced Features is enabled on the View menu) and scroll to the lastLogon attribute to view the date and time of the user's last sign-in as recorded by the domain controller this console is connected to. lastLogon is not replicated, so another domain controller may hold a more recent value.

Detect AD user's last login time using PowerShell

Navigating through multiple tabs and sections is time-consuming. PowerShell (the ActiveDirectory module, included with RSAT) turns the same lookup into a one-liner. Note that these commands read lastLogon from the single domain controller PowerShell connects to; the value is not replicated, and a FILETIME of 0 (displayed as 1 January 1601) means the account has never logged on through that DC.

  • Replace <UserName> with the user's SAM account name in the snippet below to fetch their last logon time.
    [DateTime]::FromFileTime((Get-ADUser -Identity <UserName> -Properties LastLogon).LastLogon)
  • Execute the following PowerShell command to retrieve the last sign-in time recorded for all users in Active Directory.
    Get-ADUser -Filter * -Properties LastLogon | Select-Object Name,SAMAccountName,@{Name= "LastLogon";Expression={[DateTime]::FromFileTime($_.LastLogon)}}
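
Because lastLogon is updated only on the domain controller that handled the logon and is never replicated, the one-liners above report whichever DC PowerShell happened to bind to, which can be days or months behind the truth for a user who authenticates against another site. The script below is an added example, not code from the original article: it asks every domain controller, keeps the newest lastLogon per user, and falls back to the replicated lastLogonTimestamp (accurate only to about 14 days) when a DC cannot be reached. It assumes the ActiveDirectory module is installed and that the account name in the usage lines is hypothetical.

```powershell
# Added example (not from the original article): true last logon across all DCs.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [string]$Filter = '*',   # any Get-ADUser -Filter expression
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    $latest = @{}
    foreach ($dc in $DomainController) {
        try {
            Get-ADUser -Server $dc -Filter $Filter -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop |
                ForEach-Object {
                    $sam = $_.SamAccountName
                    if (-not $latest.ContainsKey($sam)) {
                        $latest[$sam] = @{ Name = $_.Name; LastLogon = 0L; Replicated = 0L }
                    }
                    # Both attributes are FILETIME integers; 0 means "never".
                    $ll = [long]$_.lastLogon
                    $lt = [long]$_.lastLogonTimestamp
                    if ($ll -gt $latest[$sam].LastLogon)  { $latest[$sam].LastLogon  = $ll }
                    if ($lt -gt $latest[$sam].Replicated) { $latest[$sam].Replicated = $lt }
                }
        } catch {
            # An unreachable DC only costs accuracy for users it alone served.
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
        }
    }
    foreach ($sam in $latest.Keys) {
        $e = $latest[$sam]
        $best = [math]::Max([long]$e.LastLogon, [long]$e.Replicated)
        [pscustomobject]@{
            SamAccountName = $sam
            Name           = $e.Name
            LastLogon      = if ($best -gt 0) { [DateTime]::FromFileTime($best) } else { $null }   # $null = never logged on
            InactiveDays   = if ($best -gt 0) { [int]((Get-Date) - [DateTime]::FromFileTime($best)).TotalDays } else { $null }
            Source         = if ($e.LastLogon -ge $e.Replicated) { 'lastLogon' } else { 'lastLogonTimestamp' }
        }
    }
}

# Usage ('jdoe' is hypothetical):
# Get-TrueLastLogon -Filter "SamAccountName -eq 'jdoe'"
# Get-TrueLastLogon | Where-Object { $null -eq $_.LastLogon -or $_.InactiveDays -gt 90 } | Sort-Object InactiveDays -Descending
```

The Source column tells you whether a row rests on an exact lastLogon or on the coarser replicated timestamp; treat inactivity decisions based on lastLogonTimestamp alone as having a two-week margin of error.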
