Active Directory last logon report

Posted by AlbusBit on April 07, 2017 · 5 min read

How does it work?

To create a last logon report you need to inspect Active Directory user objects. User objects have the attribute ‘lastLogon’ – the last time the user logged on. Its value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). For example, a ‘lastLogon’ attribute value of 131358722699872122 converts to 4/5/2017 6:24:29 AM PDT.

Last Logon Format

Last Logon Format

Attribute ‘lastLogon’ is not replicated to other domain controllers, so you need to get this attribute value from all domain controllers, compare them and choose the latest value.

There is attribute ‘lastLogonTimestamp’ which is replicated, but it does not contain the precise value of the actual last logon time. ‘lastLogonTimestamp’ gets updated only if its current value is approximately 14 days older than current logon time. You can find the actual algorithm and more information in this article.

How do I create a precise last logon report?

For all users in domain

  1. Open AD FastReporter.
  2. From Users tab, select ‘All users’ report form.
  3. From the available fields list, select field ‘Last Logon Time’ and add it to the selected fields list.

    Fields

    Fields

  4. If necessary, remove unnecessary fields from the selected fields list.
  5. Press generate and wait for results.
  6. If a particular domain controller is unreachable, then there will be a warning message.

    Generation Completed

    Generation Completed

  7. Press ‘Show report in table view’. You can examine the report and, if necessary, export to a CSV, Excel (XLSX) or HTML format file.

    Report Results

    Report Results

For specific user

  1. Open AD FastReporter.
  2. Select ‘Reports’ -> ‘New Report Form’.

    New Report Form

    New Report Form

  3. Enter report form name and select Type ‘Users’.

    Report Form

    Report Form

  4. Press ‘Edit’ to create a custom filter. Choose the field that you want to filter and the filter operation and filter value. In this example, we will use the field ‘First Name’, filter operation – ‘equals’, and filter value – ‘Adam’.

    Filter Manager

    Filter Manager

  5. Save changes in the filter manager and save this report form. Now you can use the form to create the last logon report for the specific user.
  6. Follow the instructions starting from the 3. point in ‘For all users in the domain’ instruction.

For specific organizational unit

  1. Open AD FastReporter.
  2. Open Connection manager, select your current connection and press ‘Edit’.

    Filter OU

    Filter OU

  3. At the bottom, you will see ‘OU’ where you can specify which container to use in this connection. You can press the browse button and choose the container or enter the full name of the container you want.
  4. Press save when you have finished and all the reports will now be created using data from this container only.
  5. Follow instructions starting from the 2. point in ‘For all users in domain’ instruction.

If you need to create multiple reports from one domain, but from different containers, then you can create multiple connections.

 




Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA