To check user login history in Windows Active Directory, you can use the Event Viewer tool to view the security logs on domain controllers. Here are the steps:
- Log on to a domain controller with administrative privileges.
- Open Event Viewer. You can do this by typing “eventvwr.msc” in the Run dialog box or the Start menu search box.
- In the Event Viewer console, navigate to Windows Logs > Security.
- Click on the “Filter Current Log” option in the right pane.
- In the “Filter Current Log” dialog box, select the following options:
- Event sources: Security
- Event IDs: 4624 (for successful logon events)
- Keywords: Audit Success
- User: Enter the username of the user whose logon history you want to check.
- Click on the “OK” button to apply the filter.
- You should see a list of logon events for the specified user in the security log. Each event will include details such as the date and time of the logon, the logon type, the logon process, the source network address, and the user account name.
Alternatively, you can use PowerShell to retrieve logon history information from the security log. Here is an example PowerShell command to retrieve logon events for a specific user:
Get-EventLog -LogName Security -InstanceId 4624 | where {$_.ReplacementStrings[5] -eq "username"} | select TimeGenerated, Message
Replace “username” with the actual username of the user whose logon history you want to check. This command retrieves all 4624 events (successful logon events) from the security log, filters them based on the specified username, and displays the time generated and message details for each event.
