Learn How to Check Active Directory User Login History Via PowerShell

Written By Mohit Jha
Approved By Anuraag Singh
Published On April 22nd, 2024
Reading Time 8 Minutes

Every once in a while, IT admins need to check in on the user activity going on inside the Active Directory. For that, they usually start by searching “How to check active directory user login history?”. This is especially true for novice administrators who have just taken over the responsibility of managing an AD. With so many PowerShell scripts available, the task seems simple.

However, that’s exactly where the problems begin. The commands you find online are not verified and are designed for a foreign system. This also causes problems further down the line when admins look for answers on what is Active Directory and related questions. So to help you view and verify the user logon data, we have compiled the various sources within this writeup, and you no longer need to spend countless hours scouring the net.

Moreover, apart from the usual PowerShell code, here you also get to see a professional utility in action. Let us first start by deconstructing the exact needs of an admin when they search for a query like this.


Why do Admins Want to Get AD User Login History At All?

Admins like yourself may start finding user login data for one of the following reasons:

  • Comply with the industry regulations: Depending on the industry, admins may have to conduct a mandatory user activity checkup. This process is part of the regulatory process and must be done at a fixed frequency.
  • Perform security check of the Active Directory: By looking at the login data of individuals, admins can figure out whether or not an entry request was genuine. Moreover, if someone is trying a forced entry, it is often characterized by multiple attempts from a remote location.
  • Predecessor to an employee evaluation report: Login information is an important parameter through which companies can check the productivity of their employees, which makes it easier to help those who are falling behind their required quota.
  • Move Active Directory Objects across domains: Migrating Active Directory has become ever more common due to the increase in mergers and acquisitions. Having a list of active users helps admins fast-track this transfer, which otherwise is a major project on its own.

Even though this list is not exhaustive, it covers the majority of the reasons that administrators have in their minds. Now that the reasons are out of the way, let’s get straight to the PowerShell script you should use.

How to Check Active Directory User Login History Via PowerShell? Explained

Before using the script, test it and apply modifications.

# Define a start date (events from the last 24 hours)
$startDate = (Get-Date).AddDays(-1)

# Function to get AD user login history
# Note: Get-EventLog is available in Windows PowerShell 5.1, not in PowerShell 6 and later
function Get-UserLoginHistory {
  # Parameters for username and filtering
  param(
    [Parameter(Mandatory = $false)]
    [string] $UserName,
    [Parameter(Mandatory = $false)]
    [switch] $LogonTypeLocal,
    [Parameter(Mandatory = $false)]
    [switch] $LogonTypeRemote
  )

  # Get security events for login success (event 4624).
  # Get-EventLog selects events with -InstanceId; it has no -EventId parameter.
  $logonEvents = Get-EventLog -LogName Security -After $startDate -InstanceId 4624

  # Filter events based on username and logon type.
  # ReplacementStrings holds the event fields: [5] = account name, [8] = logon type
  if ($UserName) {
    $logonEvents = $logonEvents | Where-Object { $_.ReplacementStrings[5] -eq $UserName }
  }
  # Logon types 3 (network) and 10 (remote desktop) are treated as remote
  if ($LogonTypeLocal -and !$LogonTypeRemote) {
    $logonEvents = $logonEvents | Where-Object { $_.ReplacementStrings[8] -notin '3', '10' }
  } elseif (!$LogonTypeLocal -and $LogonTypeRemote) {
    $logonEvents = $logonEvents | Where-Object { $_.ReplacementStrings[8] -in '3', '10' }
  }

  # Process each event and format the output
  # ($entry is used because $event is an automatic variable in PowerShell)
  foreach ($entry in $logonEvents) {
    $fields = $entry.ReplacementStrings
    $logonType = if ($fields[8] -in '3', '10') { "Remote" } else { "Local" }
    $userLogin = New-Object PSObject -Property @{
      "UserName" = $fields[5]
      "Computer" = $entry.MachineName
      "LogonType" = $logonType
      "LogonTime" = $entry.TimeWritten
    }
    Write-Output $userLogin
  }
}

# Get user input for filtering options
Write-Host "Enter username (optional):"
$userName = Read-Host
Write-Host "Filter by logon type:"
Write-Host "(y/n) Local logins only?"
$localLogin = Read-Host
Write-Host "(y/n) Remote logins only?"
$remoteLogin = Read-Host

# Convert user input to switch parameters
$logonTypeLocal = ($localLogin -eq "y")
$logonTypeRemote = ($remoteLogin -eq "y")

# Call the Get-UserLoginHistory function with user input
# (a switch parameter takes a value only with the -Name:$value syntax)
Get-UserLoginHistory -UserName $userName -LogonTypeLocal:$logonTypeLocal -LogonTypeRemote:$logonTypeRemote

Don’t copy-paste directly; it may not work as intended. Do the following instead.

  • Save the script as a Get-ADUserloginHistoryInteractive.ps1 file.
  • Open a PowerShell window with administrator privileges.
  • Navigate to the directory where you saved the script.
  • Run the script.
  • Follow the on-screen prompts to enter a username and filter by logon type.
  • The script displays user login history based on the provided filters.

Moreover, despite the best efforts, these commands are not foolproof. Let’s see why this is the case.

Problems With PowerShell Command to Get User Login Details

Scripts tend to break down during edge cases, such as a situation where your Active Directory is brand new and thus has no users. This is a known situation; there might be other unknown cases that can cause the script to behave unexpectedly.
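As an added example (not code from the original article), here is one way to handle two points from this page: a script breaking on edge cases such as an empty result, and the security check for repeated attempts from one remote location. It reads each event's named fields rather than message line positions; the function names and the sample records are constructed for illustration.

```powershell
# Added example: function names and sample records are constructed for illustration.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        # Index the <Data Name="..."> fields by name, not by message line or position
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = [datetime]$evt.System.TimeCreated.SystemTime
            EventId   = [int]$evt.System.EventID
            UserName  = $data['TargetUserName']
            LogonType = [int]$data['LogonType']   # 2 interactive, 3 network, 10 remote desktop
            SourceIp  = $data['IpAddress']
        }
    }
}

function Get-FailedLogonSource {
    # Source addresses with at least $Threshold failed logons (event 4625)
    param([object[]] $Logon, [int] $Threshold = 3)
    $Logon | Where-Object EventId -eq 4625 | Group-Object SourceIp |
        Where-Object Count -ge $Threshold |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
            @{ n = 'Users'; e = { ($_.Group.UserName | Sort-Object -Unique) -join ',' } }
}

# Builds one constructed record in the shape that an event's ToXml() method returns
function New-SampleEventXml([int] $Id, [string] $User, [int] $Type, [string] $Ip) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
    "<EventID>$Id</EventID><TimeCreated SystemTime='2024-04-22T09:15:30Z'/></System>" +
    "<EventData><Data Name='TargetUserName'>$User</Data>" +
    "<Data Name='LogonType'>$Type</Data><Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}
$sample = @(
    New-SampleEventXml 4624 'alice' 2 '-'
    New-SampleEventXml 4625 'bob' 3 '203.0.113.7'
    New-SampleEventXml 4625 'bob' 3 '203.0.113.7'
    New-SampleEventXml 4625 'carol' 3 '203.0.113.7'
)
$logons = $sample | ConvertFrom-LogonEventXml
$logons | Format-Table
Get-FailedLogonSource -Logon $logons | Format-Table

# Live use (reads the local Security log; an empty result yields no output, not an error):
# $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-1) }
# $logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
```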

The PowerShell method may not give you the exact information you need in one try, making it a suboptimal way of answering how to check Active Directory user login history for any admin. Moreover, you have to rework the command structure repeatedly, which takes up a lot of time and effort for even a basic task like user login information retrieval.

Most scripts, like the one presented here, are designed for a general audience. As the AD is highly customizable, it is rarely the case that you can find a solution right away.

Moreover, if you don’t possess the right skill set, these commands may do irreparable damage to the AD.

All in all, PowerShell commands don’t seem like the right way to attempt data accumulation in AD, especially if you have little to no knowledge. Not to worry, as we have just the right solution for you.

Answer How to Check Active Directory User Login History by Skipping the PowerShell Script

The SysTools Active Directory Reporter is the best way to get a complete user login list in no time. It eliminates the need for troubleshooting complex PowerShell scripts altogether. This is done via a unique and simple-to-understand user interface. This, when combined with its fast and secure algorithms, gives administrators a considerable advantage over traditional methods.


Multi-domain addition, CSV file output, and date range filters are just some of the extra features that admins get from this utility. To use the tool, follow the instructions provided ahead.

Steps to Get AD User Login History in an Automated Manner

The process of using the tool is as simple as it gets.

Step 1. Open the Tool and type the default “administrator” in both the User ID and password tabs. You can reset it via the tool settings later.

Step 2. After activation, click on the “REGISTER DOMAIN CONTROLLER” button in the center of your screen.

Step 3. Fill in the Domain Friendly Name and IP address in the space provided and hit Save & Continue.

Step 4. The tool automatically takes you to the Domain details page, where you have to enter the actual admin credentials and validate them. This pushes you closer to the answer of how to check Active Directory user login history than ever before.

Step 5. Click on the Report tab to open up the reporting options. Choose the one that helps you answer how to find user login history in Active Directory. That would be the Login sub-category inside the Users section.

Step 6. The tool presents the filtering menu where the options you chose previously are pre-selected. You can toggle the Workload and Category options and find the exact AD user data you wish to see.

Step 7. Pick a specific duration; there is a list of premade timelines starting from 5 days up to a year. You can select the custom option to fine-tune your results.

Step 8. Click on the preview button to generate a tabular representation of user login details.

Step 9. Expand the Download Report button and select CSV.

Step 10. Confirm by hitting the Download option in the popup.

Step 11. A Save as screen opens from where you can select the location to put the report. Press Save.

Step 12. Open the CSV file in any visualizer and check the results.

Conclusion

Here in this writeup, we have given users the answer for how to check Active Directory user login history. Moreover, we found that a viewing report for logon data can be made with and without PowerShell; it’s up to users to choose the better approach. From the evidence we have listed here, it is safe to say that the tool is easier and faster. It outperforms the traditional script-based approach and is recommended by experts too.


By Mohit Jha

Mohit is a Microsoft Certified Expert who wears multiple hats as a writer, researcher, and editor. He's really into cyber security, cloud computing, and digital forensics. These topics get him excited and push him to go beyond just his job. His big goal is to create super well-researched and carefully written articles that help readers learn important technicalities.