
How to Find Users Last Logon Computer and Time in Active Directory

When an account shows signs of suspicious activity, the first clues often come from the last logon time and the last logon computer. These two details reveal whether the account was used at unusual hours or from an unauthorized device, which helps you quickly identify the source and scope of a potential breach. This guide shows you how to find an Active Directory user's last logon time and workstation for security investigations and daily administration.

Get Active Directory User’s Last Logon Computer & Time Using Event Viewer

Active Directory permission required:
  • Least privilege: Event Log Readers
  • Most privilege: Administrators
  • Open Server Manager and navigate to Tools»Event Viewer.
  • In the left pane, go to Windows Logs»Security, then select Filter Current Log from the Actions pane.
  • In the filter window, switch to the XML tab, select the Edit query manually check box, and click Yes when the confirmation dialog appears.
  • Paste the query shown below, replace <UserLogonName> with the logon name of the user whose last logon details you want to check, and click OK.
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=4624)]] and
          *[EventData[Data[@Name='TargetUserName']='<UserLogonName>']]
        </Select>
      </Query>
    </QueryList>
  • Now, you can see all the successful logon events for that user. Double click on the most recent event at the top to get the last logon.
  • From the Event Properties window, you can get the user's last logon time and workstation name, along with other details like account name, logon type, task category, and more.

List All Active Directory Users' Last Logon Device & Time Using PowerShell

Active Directory permission required:
  • Least privilege: Event Log Readers
  • Most privilege: Administrators
  • The above method works well to find the last logon computer and time for a single user. But it becomes inefficient for bulk user last logon reporting in Active Directory.
  • You can use the PowerShell script below to retrieve the last logon computer and time for all users in Active Directory at once.
    Import-Module ActiveDirectory
    $Users = Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
    $Computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
    $Results = foreach ($User in $Users) {
        $LatestEvent = $null
        $LatestComputer = $null
        foreach ($Computer in $Computers) {
            try {
                # Filter on event ID 4624 at the source, so -MaxEvents counts logon events only.
                # Properties[5] of a 4624 event is TargetUserName.
                # $LogonEvent is used because $Event is a PowerShell automatic variable.
                $LogonEvent = Get-WinEvent -ComputerName $Computer -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 100 -ErrorAction Stop |
                    Where-Object { $_.Properties[5].Value -eq $User } |
                    Sort-Object TimeCreated -Descending |
                    Select-Object -First 1
            }
            catch { continue }   # Skip computers that are unreachable or deny log access.
            if ($LogonEvent -and (!$LatestEvent -or $LogonEvent.TimeCreated -gt $LatestEvent.TimeCreated)) {
                $LatestEvent = $LogonEvent
                $LatestComputer = $Computer
            }
        }
        [PSCustomObject]@{
            UserName     = $User
            ComputerName = if ($LatestEvent) { $LatestComputer } else { "Not Found" }
            LastLogon    = if ($LatestEvent) { $LatestEvent.TimeCreated } else { "N/A" }
        }
    }
    $Results | Format-Table -AutoSize
  • The script output includes the username, the last computer the user logged into, and the exact timestamp of that logon.
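The logon type and source details mentioned above can be read from each 4624 event by field name rather than by position. The following is an added example, not part of the original script: the function names are hypothetical, the events are constructed sample data, and treating logon types 2, 7, 10 and 11 as "a person at a session" is an assumption you may want to adjust.

```powershell
# Builds one 4624 event in the XML shape returned by (Get-WinEvent ...).ToXml().
# Constructed sample data: every host, user, time and address below is made up.
function New-SampleLogonXml($Time, $User, $Type, $Workstation, $Ip) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="$Time" /></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">$Type</Data>
    <Data Name="WorkstationName">$Workstation</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    New-SampleLogonXml '2025-03-03T08:02:11Z' 'jdoe'     2  'WKS-014' '10.0.4.14'
    New-SampleLogonXml '2025-03-03T09:40:27Z' 'jdoe'     3  '-'       '10.0.4.77'
    New-SampleLogonXml '2025-03-03T09:41:02Z' 'WKS-014$' 3  '-'       '10.0.4.14'
    New-SampleLogonXml '2025-03-02T22:15:40Z' 'asmith'   10 'JUMP-01' '10.0.9.5'
    New-SampleLogonXml '2025-03-03T07:12:05Z' 'asmith'   2  'WKS-020' '10.0.4.20'
)

function ConvertFrom-LogonXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $evt = ([xml]$Xml).Event
        # Index EventData by field name so the code does not depend on field order.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated = [datetime]$evt.System.TimeCreated.SystemTime
            User        = $data['TargetUserName']
            LogonType   = [int]$data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

function Get-LastUserLogon {
    # Assumed default: 2 interactive, 7 unlock, 10 remote interactive, 11 cached interactive.
    param([string[]]$EventXml, [int[]]$LogonTypes = @(2, 7, 10, 11))
    $EventXml | ConvertFrom-LogonXml |
        # Drop network/service logons and computer accounts (names ending in $).
        Where-Object { $_.LogonType -in $LogonTypes -and $_.User -notlike '*$' } |
        Group-Object User |
        ForEach-Object { $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1 }
}

# Live data: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#            ForEach-Object { $_.ToXml() }
Get-LastUserLogon -EventXml $sample | Format-Table -AutoSize
```

On the sample data this keeps one row per user and ignores the type 3 network logon and the computer account, which would otherwise be reported as the "last logon".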

Monitor Users’ Last Logon Workstation & Time to Track Inactivity and Optimize Resources!

AdminDroid’s Active Directory reporting tool offers rich login reports that give an eagle-eye view of users’ last logon time and associated workstations across your entire domain. With these intuitive dashboards and actionable insights, you can effectively track users’ logon activity, spot unusual login patterns, and more to enhance overall Active Directory security.

Audit User Logon History for Security Insights

Review Active Directory user logon records to track login patterns across all domain-joined devices and detect unusual access attempts from restricted computers.

Analyse the Failed User Logon Events to Spot the Source Device

Monitor failed logon events and compare them with the user’s most recent successful logon to identify the workstation involved and detect suspicious activity, such as repeated login attempts from unfamiliar devices.

Find and Remove Inactive Computers in Active Directory

Identify all inactive computers in Active Directory where users haven’t logged in for a long time to remove stale machines and reduce the attack surface.

Check NTLM Logons for Unusual Legacy System Activity

Monitor New Technology LAN Manager (NTLM) logons to find the last time a user accessed a computer using the NTLM protocol, as these events can be a strong indicator of compromise.

Determine the Last Session Duration of Active Directory Users

Combine the users’ last logon computer and time reports with corresponding logoff event data to determine whether the user's most recent session on that workstation is still active.

Leverage AdminDroid’s User Dashboard for Efficient Identity Management

Use the Active Directory user dashboard to view users’ restricted logon times, authorized computers, and access permissions for efficient and secure management.

AdminDroid’s Active Directory management tool provides an all-in-one view to see the exact computer and time of a user’s last logon. With this insight, you can set up alerts for unusual activity, quickly respond to unauthorized access, and keep your systems secure and compliant.


Important tips

Enable the logon auditing policy to track every user authentication request validated by domain controllers in Active Directory.

Turn on remote management over DCOM on all Active Directory computers to capture every remote login and accurately determine each user's last logon.

Check the replication health of all domain controllers to ensure users’ last logon workstation and time are consistently replicated across the domain.

Common Errors and Resolution Steps

Having trouble tracking the last logon workstation and time for users in Active Directory? Explore these common errors and troubleshooting steps to resolve them quickly.

Error: The Event Log query specified is invalid.

This error occurs when the query to retrieve users' last logon computer and time fails because the username is missing, or the query contains syntax issues like missing brackets or quotes.

Fix: Verify that you have correctly entered the username, and check the query for any missing brackets, quotes, or syntax errors.

Error: Get-WinEvent : The RPC server is unavailable

This error occurs when the domain controller cannot connect to the target computer to retrieve its event logs.

Fix: Verify that the computer name is correct before executing the script. If the error persists, perform the following checks:
       1. Turn on Remote Event Log Management in the firewall settings to enable remote access.
       2. Make sure the Remote Procedure Call (RPC) service is running on the target computer.
       3. Test network connectivity using ping or check the computer DNS resolution.

Error: Get-ADUser : Unable to find a default server with Active Directory Web Services running.

This error occurs when Active Directory Web Services is stopped on your domain controller while retrieving logs.

Fix: Open Services on the domain controller, search for Active Directory Web Services, and check its status. If it is not running, right-click the service and select Start to enable it.

Frequently Asked Questions

Track Unauthorized Access Incidents by Analyzing Users’ Last Logon Time and Devices!

1. How to find who last logged into a specific computer in Active Directory?

Whether you're troubleshooting a hardware failure or conducting a security investigation, it is essential to identify the last user who logged into a computer. This simple check saves hours of guesswork and helps you narrow down the cause.

Find computers’ last logon user in Active Directory using Event Viewer

  • Open Event Viewer and go to Windows Logs»Security.
  • From the right panel, select Filter Current Log and switch to the XML editor.
  • Select Edit query manually checkbox and click Yes when the confirmation dialog appears.
  • Then, paste the below query after replacing <ComputerName> with the name of your target computer.
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=4624)]] and
          *[EventData[Data[@Name='WorkstationName']='<ComputerName>']]
        </Select>
      </Query>
    </QueryList>
  • Click OK to apply the query. Now, you will see all the successful logons for that computer.
  • Double-click the latest event at the top of the list and check the Account Name field in the Event Properties window to find the last user who logged on to that computer.

Find who last logged-on to a specific Active Directory computer using PowerShell

Finding the last user of a specific computer via Event Viewer is time-consuming, as it requires editing the query and manually checking the first entry each time. To make this process more efficient, you can quickly find the user who last logged on to a specific computer using the PowerShell script below.

$computer = "<ComputerName>"
# Read the newest 4624 (successful logon) events from the target computer's Security log.
$lastLogon = Get-WinEvent -ComputerName $computer -FilterHashtable @{
    LogName = 'Security'
    Id      = 4624
} -MaxEvents 1000 |
ForEach-Object {
    # 4624 field positions: [5] TargetUserName, [6] TargetDomainName, [8] LogonType.
    [PSCustomObject]@{
        User      = $_.Properties[5].Value
        Domain    = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value
        LogonTime = $_.TimeCreated
        Computer  = $computer
    }
} | Sort-Object LogonTime -Descending | Select-Object -First 1
$lastLogon | Format-Table -AutoSize

Replace <ComputerName> with the name of the computer you want to check. Once executed, the output displays the user who last logged on to the computer, along with their username, domain, and last logon timestamp.

Note: You can find the computer’s name using the following cmdlet. 

Get-ADComputer -Filter * | Format-Table

2. How to identify the current logged-on device of an Active Directory user?

Imagine a scenario where a user account being used across multiple devices starts showing signs of compromise. Your first instinct might be to update the password, but that change won’t take effect on devices where the account is still signed in. Forcing an immediate logoff may seem like the next step, but doing so could interrupt important tasks running on those machines. A safer approach is to first identify exactly where the account is currently active and then decide the appropriate action based on how and where the account is being used.

You can use the PowerShell script below to list all devices where the Active Directory user has active sessions.

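$Username  = Read-Host "Enter username"
# Stops here with an error if the account does not exist in Active Directory.
$UserCheck = Get-ADUser -Identity $Username -ErrorAction Stop
$Computers = Get-ADComputer -Filter "Enabled -eq 'true'" | Select-Object -Expand Name
foreach ($Computer in $Computers) {
    # Only query computers that answer a ping.
    if (Test-Connection $Computer -Count 1 -Quiet) {
        $procs = Get-WmiObject Win32_Process -ComputerName $Computer
        foreach ($p in $procs) {
            # A process owned by the user means the user has a session on this computer.
            $owner = $p.GetOwner()
            if ($owner.User -eq $Username) {
                Write-Host "$Username is logged on $Computer"
                break   # One match is enough; move on to the next computer.
            }
        }
    }
}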

Enter the username of the target user once you see the prompt. This retrieves the user’s currently logged-on system in Active Directory.


3. How to check inactive domain controllers with users’ last logon date in Active Directory?

Domain controllers are the backbone of Active Directory as they handle logins, replicate data, and maintain the overall health of your environment. But when a domain controller sits unused for too long without any user activity, it becomes an easy target for attackers and increases the risk of compromise.

This is why it is important to identify unused DCs based on the users’ last logon time. With this insight, you can reduce security risks, clean up stale domain controllers, and keep your environment secure and well-maintained.

Check inactive domain controllers in Active Directory using PowerShell

You can use the PowerShell script given below to check whether users have logged in through a specific DC and pinpoint inactive domain controllers that haven't been logged in for about 90 days.

$DCs = Get-ADDomainController -Filter *
$Cutoff = (Get-Date).AddDays(-90)
$InactiveDCs = @()
foreach ($DC in $DCs) {
    # lastLogon is not replicated: each DC stores only the logons it authenticated itself.
    # lastLogonTimestamp is replicated, so it would return the same value from every DC.
    $Users = Get-ADUser -Filter { Enabled -eq $true } `
        -Properties LastLogon `
        -Server $DC.HostName
    # @() keeps .Count reliable when zero or one user matches.
    $Recent = @($Users | Where-Object {
        $_.LastLogon -gt 0 -and
        ([DateTime]::FromFileTime($_.LastLogon)) -gt $Cutoff
    })
    if ($Recent.Count -eq 0) {
        $InactiveDCs += $DC.HostName
    }
}
if ($InactiveDCs.Count -gt 0) {
    "Inactive DCs with no user logons in 90 days:"
    $InactiveDCs
} else {
    "All domain controllers have recent user logons."
}

Spot inactive Active Directory domain controllers in seconds with AdminDroid!

  • Use AdminDroid’s inactive computers report to get a complete view of devices that haven't been logged in for a while, along with details like last logon date, OS details, version, service pack, status, and more.
  • Select the Domain Controllers OU from the “Computer OU Name” built-in easy filter to view all inactive domain controllers in your environment.
  • You can also adjust the ‘Last Logon Date and Time’ field to extend the inactivity duration as needed.

4. How to find the logon history of a user in a specific computer?

A user’s login history gives you a clear picture of how that account is being used. During a security investigation, retrieving the login history on a specific computer shows logon times, flags unusual sign-ins, and helps verify whether activity aligns with expected behavior. These details are essential for confirming legitimate use and detecting potential misuse.

To get the logon history of a user on a computer, you can use the PowerShell script given below. Before executing, replace <UserName>, <ComputerName>, <StartDate>, and <EndDate> with the target user logon name, target computer, and the desired time range respectively.

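$user = "<UserName>"
$computer = "<ComputerName>"
$startDate = "<StartDate>"   # format: YYYY-MM-DD
$endDate = "<EndDate>"       # format: YYYY-MM-DD
# 4624 logon, 4625 failed logon, 4634 logoff, 4647 user-initiated logoff, 4779 session disconnected.
# StartTime/EndTime filter at the source, so -MaxEvents applies to events inside the time range.
Get-WinEvent -ComputerName $computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634, 4647, 4779
    StartTime = Get-Date $startDate
    EndTime   = Get-Date $endDate
} -MaxEvents 1000 |
Where-Object { $_.Message -like "*$user*" } |
Select-Object TimeCreated, Id, Message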

When you run the script, it displays all logon activities performed by the target user on the selected computer, along with details such as the time created, event ID, and event description.
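The logon and logoff events returned above can be paired into sessions, which also shows whether the most recent session has a recorded logoff. This is an added example, not part of the original script: the function names are hypothetical and the records are constructed stand-ins for parsed events.

```powershell
# Constructed records standing in for parsed Security events; host, user, IDs
# and times are made up. On real events, LogonId is the TargetLogonId field of
# 4624 (logon), 4634 (logoff) and 4647 (user-initiated logoff).
function New-SampleRecord($Id, $Time, $LogonId) {
    [PSCustomObject]@{ Computer = 'WKS-014'; User = 'jdoe'; Id = $Id
                       Time = [datetime]$Time; LogonId = $LogonId }
}
$records = @(
    New-SampleRecord 4624 '2025-03-03 08:02' '0x3e4a1'
    New-SampleRecord 4634 '2025-03-03 12:31' '0x3e4a1'
    New-SampleRecord 4624 '2025-03-03 13:10' '0x51b07'
    New-SampleRecord 4647 '2025-03-03 17:45' '0x51b07'
    New-SampleRecord 4624 '2025-03-04 07:58' '0x7c9d2'
)

function Get-LogonSession {
    param([Parameter(Mandatory)][object[]]$Records)
    # Logon IDs are only unique per computer, so the key combines both.
    $logoff = @{}
    foreach ($r in $Records | Where-Object { $_.Id -in 4634, 4647 } | Sort-Object Time) {
        $key = "$($r.Computer)|$($r.LogonId)"
        # Keep the earliest logoff recorded for each session.
        if (-not $logoff.ContainsKey($key)) { $logoff[$key] = $r.Time }
    }
    foreach ($r in $Records | Where-Object { $_.Id -eq 4624 } | Sort-Object Time) {
        $end = $logoff["$($r.Computer)|$($r.LogonId)"]
        [PSCustomObject]@{
            User      = $r.User
            Computer  = $r.Computer
            LogonId   = $r.LogonId
            LogonTime = $r.Time
            Logoff    = $end
            Duration  = if ($end) { $end - $r.Time } else { $null }
            # A missing logoff can mean an open session or a lost event
            # (for example after an unclean shutdown), so it is reported as such.
            Status    = if ($end) { 'Closed' } else { 'No logoff recorded' }
        }
    }
}

Get-LogonSession -Records $records | Format-Table -AutoSize
```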

