Windows OS Hub

January 22, 2021 · Active Directory, Group Policies, PowerShell

Checking User Logon History in Active Directory Domain with PowerShell

There are several different tools to get information about the time of a user logon to an Active Directory domain. The time of the last successful user authentication in an AD domain can be obtained from the user's lastLogon attribute (it is updated only on the domain controller that authenticated the user and is not replicated) or from the lastLogonTimestamp attribute (it is replicated between the DCs in the domain, but by default it is rewritten only when the stored value is more than 14 days old, so it may be up to 14 days stale). You can check the value of a user attribute in the AD Attribute Editor or with the Get-ADUser PowerShell cmdlet. However, sometimes you need to view the history of user activity (logons) in the domain over a longer period of time.

You can get information about successful user logon (authentication) events from the domain controller logs. In this article we will show how to track user logon history in the domain using PowerShell. This way you get a complete history of user activity in the domain: when a user started working and which computers they logged on from.

Contents:
  • Active Directory User Logon Audit Policy
  • Getting User Last Logon History with PowerShell
  • Get Domain User Logon History Based on Kerberos Events

Active Directory User Logon Audit Policy

In order for information about successful/failed logons to be collected in the domain controller logs, enable the audit policy for user logon events.

  1. Open the domain GPO management console (GPMC.msc);
  2. Open the Default Domain Policy GPO settings and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff; (the events we need are written on the domain controllers, so the GPO only has to apply to the Domain Controllers OU; the Default Domain Controllers Policy is the usual place for DC audit settings, while a domain-wide policy as here additionally makes every member computer record 4624 events in its own Security log)
    Active Directory Audit Policy - User Logon/Logoff
  3. Enable two audit policies (Audit Logon and Audit Other Logon/Logoff Events). Select both the Success and Failure options in the audit policy settings to register successful and failed logons in the Security log on the DCs and computers;
    enable user logon audit policy in active directory
  4. Save the changes in the GPO and update the policy settings on your domain controllers with the command gpupdate /force (or wait for the background refresh: 5 minutes on domain controllers, 90 minutes plus a random offset on member computers, not counting the time for AD replication of the GPO itself).

If the basic audit policy (Security Settings -> Local Policies -> Audit Policy) is also configured in any GPO, enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings under Security Options, so that the advanced subcategory settings win.
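As an added example (not part of the original article), the following script verifies that the three audit subcategories the article relies on are actually in effect on every DC, instead of trusting that the GPO applied. It reads the effective policy with auditpol in CSV report mode and also reports whether subcategory override (SCENoApplyLegacyAuditPolicy) is set. The function name Get-DcAuditPolicyStatus is my own; the script assumes the RSAT ActiveDirectory module on the management host and WinRM (Invoke-Command) access to the domain controllers.

```powershell
# Added example, not from the original article: check that the audit subcategories
# this article relies on are effective on every DC.
# Assumes the RSAT ActiveDirectory module and WinRM (Invoke-Command) access to the DCs.
Import-Module ActiveDirectory

# Subcategory names exactly as auditpol reports them
$RequiredSubcategories = 'Logon', 'Other Logon/Logoff Events', 'Kerberos Authentication Service'

function Get-DcAuditPolicyStatus {
    param([string[]]$Subcategory = $RequiredSubcategories)

    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ArgumentList (, $Subcategory) -ScriptBlock {
        param([string[]]$Subcategory)

        # 'auditpol /get /category:* /r' prints the effective policy (local + GPO) as CSV with the columns
        # Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
        $rows = auditpol.exe /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv

        # SCENoApplyLegacyAuditPolicy = 1 means the advanced (subcategory) settings override the basic
        # Audit Policy categories; without it a basic setting in another GPO can undo them
        $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
        $force = [bool]$lsa.SCENoApplyLegacyAuditPolicy

        foreach ($name in $Subcategory) {
            $row = $rows | Where-Object { $_.Subcategory -eq $name }
            [pscustomobject]@{
                DC                  = $env:COMPUTERNAME
                Subcategory         = $name
                Setting             = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
                SuccessAndFailure   = ($row.'Inclusion Setting' -eq 'Success and Failure')
                SubcategoryOverride = $force
            }
        }
    } | Select-Object DC, Subcategory, Setting, SuccessAndFailure, SubcategoryOverride
}

# Any row with SuccessAndFailure = False will not produce the 4624/4768 events the logon-history scripts expect
Get-DcAuditPolicyStatus | Format-Table -AutoSize
```

Run it after gpupdate on the DCs; a DC that shows "No Auditing" for Logon or Kerberos Authentication Service will silently be missing from the logon history collected later.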

When a user logs on to a computer in the Active Directory domain, an event with Event ID 4624 (An account was successfully logged on) is recorded in the Security log of the computer on which the logon session is created. On a domain controller this means logons to the DC itself: the network logon (type 3) that a client performs on its logon server when it reads SYSVOL/NETLOGON for group policy and logon scripts, or an RDP logon to the DC. The event description shows the authenticated account (Account Name), the computer name (Workstation Name) and the IP address (Source Network Address) the logon came from.

You also need to check the value of the Logon Type field. We are interested in the following codes:

  • Logon Type 10 – Remote Interactive logon – a logon using RDP, a shadow connection or Remote Assistance (this event appears on a domain controller when an administrator, or a non-admin user who has been granted RDP access to the DC, logs on to it). This type is used to monitor and analyze the activity of Remote Desktop Services users.
  • Logon Type 3 – Network logon – the client authenticated to the DC and connected to a resource on it over the network (the SYSVOL/NETLOGON shares, a printer, an IIS site). This is the trace that a normal domain user logon on a workstation leaves on the logon server.

filter DC security log by the eventid 4624: An account was successfully logged on

You can also track the Kerberos ticket issue event generated when a user authenticates. Event ID 4768 is A Kerberos authentication ticket (TGT) was requested. To enable it, turn on the policy Account Logon -> Audit Kerberos Authentication Service -> Success and Failure. These events are generated only on domain controllers (the KDC), so the policy must apply to the DCs.

Audit Kerberos Authentication Service Policy

Event 4768 also contains the IP address of the client (Client Address, shown for IPv4 clients in the IPv4-mapped form ::ffff:10.1.1.5) and the account (Account Name) that requested the TGT, i.e. was authenticated. A Result Code of 0x0 means the ticket was issued; other codes (for example 0x18 for a failed pre-authentication, usually a wrong password, or 0x6 for an unknown principal) are failed requests and appear only if Failure auditing is enabled.

Windows Event ID 4768 - A Kerberos authentication ticket was requested

Getting User Last Logon History with PowerShell

You can use the Get-EventLog PowerShell cmdlet to get all events from a domain controller's event log, filter them by the EventID you want, and display the time when a user authenticated in the domain and the computer used to log on. Note that Get-EventLog exists only in Windows PowerShell 5.1 and has been removed from PowerShell 7, where Get-WinEvent is the replacement. Reading the Security log of a remote DC requires local administrator rights or membership in the Event Log Readers group on the DC, and the Remote Event Log Management firewall rule must be enabled. Since there may be multiple domain controllers in your domain and you need the logon history from each of them, use the Get-ADDomainController cmdlet (from the Active Directory module for Windows PowerShell), which lists all DCs in your domain.

The following PowerShell script gets all logon events for a user from all domain controllers in the AD domain. The result is a list of the user's logons with the computers the user authenticated from.

Import-Module ActiveDirectory
# a username (wildcard pattern) whose logon history you want to view
$checkuser = '*jbrown*'
# getting information about the user logon history for the last 2 days (you can change this value)
$startDate = (Get-Date).AddDays(-2)
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    # reading the Security log remotely requires admin or Event Log Readers rights on the DC
    $logonevents = Get-EventLog -LogName Security -InstanceId 4624 -After $startDate -ComputerName $DC.HostName
    foreach ($event in $logonevents) {
        # ReplacementStrings for 4624: [5] TargetUserName, [8] LogonType, [11] WorkstationName, [18] IpAddress
        # skip computer accounts (names ending in $) and keep only the account we are interested in
        if (($event.ReplacementStrings[5] -notlike '*$') -and ($event.ReplacementStrings[5] -like $checkuser)) {
            $logonType = $event.ReplacementStrings[8]
            # Remote Interactive (Logon Type 10) and Network (Logon Type 3) logons only
            if ($logonType -eq '10' -or $logonType -eq '3') {
                [PSCustomObject]@{
                    Type        = if ($logonType -eq '10') { 'Type 10: Remote Logon' } else { 'Type 3: Network Logon' }
                    Date        = $event.TimeGenerated
                    Status      = 'Success'
                    User        = $event.ReplacementStrings[5]
                    Workstation = $event.ReplacementStrings[11]
                    IPAddress   = $event.ReplacementStrings[18]
                    DCName      = $DC.Name
                }
            }
        }
    }
}

PowerShell Script: Get AD Users Logon History with Logged on Computers

Get Domain User Logon History Based on Kerberos Events

You can also get the user authentication history in the domain from the Kerberos ticket issue event (TGT request, Event ID 4768). In this case fewer events are returned (network logons are excluded, as are the accesses to DC shares for GPO files and logon scripts). Note that a TGT is requested not only at interactive logon but also when the ticket expires or is renewed (the default TGT lifetime is 10 hours), so a long session can produce several 4768 events. The following PowerShell script displays information about all user logons for the last 24 hours:

Import-Module ActiveDirectory
$startDate = (Get-Date).AddDays(-1)
$DCs = Get-ADDomainController -Filter *
$alluserhistory = foreach ($DC in $DCs) {
    $logonevents = Get-EventLog -LogName Security -InstanceId 4768 -After $startDate -ComputerName $DC.HostName
    foreach ($event in $logonevents) {
        # ReplacementStrings for 4768: [0] TargetUserName, [6] Status (0x0 = ticket issued), [9] IpAddress
        # skip computer accounts (names ending in $)
        if ($event.ReplacementStrings[0] -notlike '*$') {
            [PSCustomObject]@{
                UserName  = $event.ReplacementStrings[0]
                # IPv4 clients are reported as IPv4-mapped IPv6 addresses (::ffff:10.1.1.5)
                IPAddress = $event.ReplacementStrings[9]
                Date      = $event.TimeGenerated
                DC        = $DC.Name
                # 0x0 = success; any other code is a failed TGT request (present only with Failure auditing)
                Status    = $event.ReplacementStrings[6]
            }
        }
    }
}
$alluserhistory

get all users logon history based on kerberos ticket requested eventid 4768

Note that in this case you won't see logons of users authenticated from clients or applications that use NTLM instead of Kerberos. NTLM authentication is validated by the DC as Event ID 4776 (The computer attempted to validate the credentials for an account), which is enabled by the policy Account Logon -> Audit Credential Validation and has to be collected separately.
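The following script is an added example, not code from the original article. It brings the two approaches above together with Get-WinEvent, which also works in PowerShell 7: the time window and logon types are pushed to the DC as an XPath filter so that the very large Security log is not copied over the wire, EventData is read by field name instead of positional ReplacementStrings indices, and the NTLM validation event (4776) is collected alongside 4624 and 4768 so NTLM-only clients are no longer invisible. The function names Get-DomainLogonHistory and ConvertFrom-LogonEventXml and the sample 4768 record at the end are my own (the record is constructed, not a real capture); the script assumes the RSAT ActiveDirectory module, Event Log Readers (or admin) rights on the DCs and the Remote Event Log Management firewall rule.

```powershell
# Added example, not from the original article: logon history from all DCs via Get-WinEvent,
# covering 4624 (logon types 3/10), 4768 (Kerberos TGT) and 4776 (NTLM credential validation).
# Assumes: RSAT ActiveDirectory module; Event Log Readers or admin rights on the DCs.
Import-Module ActiveDirectory

# Kerberos (4768) and NTLM (4776) result codes worth naming; anything else is shown raw
$StatusNames = @{
    '0x0'        = 'Success'
    '0x6'        = 'Kerberos: unknown principal'
    '0x12'       = 'Kerberos: account disabled, locked or expired'
    '0x18'       = 'Kerberos: pre-authentication failed (bad password)'
    '0xc000006a' = 'NTLM: wrong password'
    '0xc0000064' = 'NTLM: unknown user'
    '0xc0000234' = 'NTLM: account locked out'
}

# Flatten one Security event (as XML text) into an object with named fields
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml, [string]$DC)
    $x    = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $idNode = $x.Event.System.EventID
    $id = [int]$(if ($idNode -is [System.Xml.XmlElement]) { $idNode.InnerText } else { $idNode })

    $user = $data.TargetUserName
    if ($user -like '*$') { return }      # computer accounts authenticate constantly; drop them
    switch ($id) {
        4624    { $kind = "4624 logon type $($data.LogonType)"; $from = $data.IpAddress;   $status = 'Success' }
        4768    { $kind = '4768 Kerberos TGT';                 $from = $data.IpAddress;   $status = $data.Status }
        4776    { $kind = '4776 NTLM';                         $from = $data.Workstation; $status = $data.Status }
        default { return }
    }
    $key = "$status".ToLower()
    [pscustomobject]@{
        Time   = [datetime]$x.Event.System.TimeCreated.SystemTime
        DC     = $DC
        Event  = $kind
        User   = $user
        Domain = $data.TargetDomainName
        From   = ($from -replace '^::ffff:', '')   # 4768 reports IPv4 clients as IPv4-mapped IPv6
        Status = if ($StatusNames.ContainsKey($key)) { $StatusNames[$key] } else { $status }
    }
}

function Get-DomainLogonHistory {
    param([int]$Hours = 24, [string]$User = '*')
    $ms = $Hours * 3600 * 1000
    # Server-side filters: 4624 restricted to network (3) and RDP (10) logons; TGT and NTLM events as-is
    $xpaths = @(
        "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='LogonType']='3' or Data[@Name='LogonType']='10']]",
        "*[System[(EventID=4768 or EventID=4776) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($xpath in $xpaths) {
            # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no event matches
            Get-WinEvent -ComputerName $dc.HostName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
                ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() -DC $dc.Name } |
                Where-Object { $_.User -like $User }
        }
    }
}

# Constructed sample record (not a real capture) to exercise the parser without a DC:
# a failed TGT request (wrong password) for jbrown from 10.1.20.15
$sample4768 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4768</EventID>
    <TimeCreated SystemTime="2021-01-22T08:15:00.000Z"/><Computer>dc01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jbrown</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0x18</Data><Data Name="IpAddress">::ffff:10.1.20.15</Data><Data Name="IpPort">50231</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $sample4768 -DC 'dc01' | Format-List

# Live query: the last 48 hours of jbrown's logons across all DCs, oldest first
Get-DomainLogonHistory -Hours 48 -User 'jbrown' | Sort-Object Time | Format-Table -AutoSize
```

Because the parser keys on the Data Name attributes, it keeps working when Microsoft appends new fields to 4624 (as happened with ImpersonationLevel and ElevatedToken), which would shift positional ReplacementStrings indices in a script that hard-codes them. The Status column makes failed Kerberos pre-authentication and NTLM password failures visible next to the successful logons, which is what you need when the question is not only "when did this user log on" but "who was trying to".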
