You can check the user login history in Windows Active Directory using PowerShell by following these steps:
- Open PowerShell with administrative privileges.
- Run the following command to get the logon events for a specific user:
Get-EventLog -LogName Security -InstanceId 4624 -Newest 1000 | where {$_.ReplacementStrings[5] -like "*username*"}Replace “username” with the actual username for which you want to check the login history. The “Newest” parameter specifies the number of events to retrieve (in this case, the last 1000 events). - Press Enter to run the command.
- You will see a list of logon events for the specified user, including the date and time of the logon, the logon type, and the source IP address.
- You can also export the logon events to a CSV file by adding the following command to the end of the previous command:
| Export-Csv -Path "C:\logon_events.csv" -NoTypeInformationThis will export the logon events to a CSV file named “logon_events.csv” in the root of the C drive. You can change the file path and name as needed.
You can also set up alerts and notifications to be notified when certain users log in or if there are any login failures. AD Audit Plus provides a comprehensive and easy-to-use interface for monitoring and auditing user logins in Windows Active Directory.