Microsoft Active Directory stores user logon history data in the event logs on domain controllers. Starting from Windows Server 2008 and up to Windows Server 2016, the event ID for a user logon event is 4624. These events contain data about the user, time, computer and type of user logon. Using the PowerShell script provided above, you can get a user login history report without having to manually crawl through the event logs.

Script

Open the PowerShell ISE → Run the following script, adjusting the timeframe:

# Find DC list from Active Directory

$DCs = Get-ADDomainController -Filter *

# Define time for report (default is 1 day)

$startDate = (get-date).AddDays(-1)

# Store successful logon events from security logs with the specified dates and workstation/IP in an array

foreach ($DC in $DCs){

$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }}

#

Crawl through events; print all logon history with type, date/time,

status, account name, computer and IP address if user logged on remotely

foreach ($e in $slogonevents){

# Logon Successful Events

# Local (Logon Type 2)

if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){

write-host

"Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser:

"$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]

}

# Remote (Logon Type 10)

if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){

write-host

"Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser:

"$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]

"`tIP Address: "$e.ReplacementStrings[18]

}}

How to Get Active Directory User Login History using PowerShell

Script

Review the results:

Related Posts

What is DORA Compliance? Purpose, Requirements and Checklist

How to Track Who Сreated a User Account in Active Directory

How to Track Who Changed the File/Folder Owner

How to Track Who Deleted a File from Your File Server