
How to Find a User's Last Logon Time in Active Directory (PowerShell)

By Jake Turner on 6/26/26

Description: Need to find the last logon time for an Active Directory user? Learn the ADUC GUI method and the Get-ADUser PowerShell one-liner, plus the gotchas every admin needs to know.

Knowing when a user last logged on is one of the most common questions an Active Directory administrator has to answer. Maybe you're hunting for stale accounts to disable, investigating a security incident, validating a license cleanup, or just confirming that a user actually signed in when they said they did. Whatever the reason, Active Directory tracks this for you, but pulling the value out cleanly takes a little more nuance than most people expect.

There are two reliable ways to find a user's last logon time: the Active Directory Users and Computers (ADUC) GUI, and a quick Get-ADUser PowerShell command. We'll cover both below, then explain an important catch about how Active Directory actually records this data so you don't end up reporting the wrong date.

Before You Start: lastLogon vs. lastLogonTimestamp

This is the part that trips up a lot of admins, so it's worth explaining before you run anything. Active Directory stores "last logon" information in two different attributes, and they do not behave the same way:

- lastLogon is the most accurate value, but it is not replicated between domain controllers. Each DC only records the logons it personally authenticated. If your user authenticated against DC2 but you query DC1, you'll get a stale or empty value. To get a truly accurate answer, you have to query every domain controller and take the most recent result. If you have more than a couple of DCs, this method isn't so fun.

- lastLogonTimestamp (surfaced in PowerShell as the friendlier LastLogonDate property) is replicated across all domain controllers, so you can query any single DC and get a consistent answer. The trade-off for this is precision: by design, this attribute only updates when the new logon time is more than roughly 9 to 14 days newer than the stored value. That makes it perfect for finding stale accounts, but not for pinpointing an exact sign-in to the minute.

So, in short: use LastLogonDate for stale-account cleanup and general reporting, and use lastLogon (queried across all DCs) when you need a precise value.

Method 1: The ADUC GUI

If you just need to check a single user quickly, the GUI is the fastest path.

  1. On your domain controller, open Active Directory Users and Computers
  2. In the View menu, make sure Advanced Features is enabled. Without it, the Attribute Editor tab won't appear. (If you've read our guide on how to find a distinguished name, this step will look familiar.)
  3. Locate the user account you're interested in, right-click it, and select Properties
  4. In the Properties dialog, select the Attribute Editor tab
  5. Scroll the Attributes list to find lastLogon and lastLogonTimestamp. You can repeatedly press the "l" key to jump down the list quickly. Double-click either attribute to view the full value

Note: Both attributes will display as a large integer (a Windows file-time value) rather than a friendly date. ADUC translates lastLogonTimestamp into a readable format in the value window, but lastLogon will often show as the raw integer. If you want a clean, human-readable date without doing math, that's exactly where PowerShell shines.

Method 2: The Get-ADUser PowerShell One-Liner

For a readable date in a single command, open PowerShell on a machine with the Active Directory module installed (any domain controller, or a workstation with RSAT), and run:

Get-ADUser -Identity jsmith -Properties LastLogonDate | Select-Object Name, LastLogonDate


Swap jsmith for the SamAccountName of the user you're checking. The LastLogonDate property is the replicated, already-formatted version of lastLogonTimestamp, so it's safe to query against any single domain controller.

Need to report on every user at once? Drop the -Identity parameter and use the -Filter parameter instead. This example lists every enabled user sorted by their last logon date, which is perfect for identifying stale accounts:

Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate |
    Sort-Object LastLogonDate |
    Select-Object Name, SamAccountName, LastLogonDate
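
Because LastLogonDate can trail the real logon by up to about 14 days, a stale-account report should add that lag to its inactivity threshold and treat accounts with no recorded logon separately. The function below is an added example, not part of the original article; the 90-day threshold, the function name, and the sample accounts are assumptions made for illustration.

```powershell
function Get-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $InactiveDays = 90,    # assumed policy threshold
        [int] $UpdateLagDays = 14,   # upper bound of the update lag described above
        [datetime] $Now = (Get-Date)
    )
    begin {
        # The stored value can trail the real logon by up to the lag, so only
        # values older than threshold + lag prove the account is inactive.
        $cutoff = $Now.AddDays(-($InactiveDays + $UpdateLagDays))
    }
    process {
        if (-not $User.Enabled) { return }
        $reason = $null
        if ($null -eq $User.LastLogonDate) {
            # No logon recorded: judge by creation date so new accounts are skipped.
            if ($User.whenCreated -lt $cutoff) { $reason = 'NoLogonRecorded' }
        }
        elseif ($User.LastLogonDate -lt $cutoff) { $reason = 'Inactive' }
        if ($reason) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                LastLogonDate  = $User.LastLogonDate
                Reason         = $reason
            }
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output (not real accounts).
$now = Get-Date '2026-06-26'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';  Enabled = $true; LastLogonDate = $now.AddDays(-95);  whenCreated = $now.AddDays(-900) }
    [pscustomobject]@{ SamAccountName = 'adoe';    Enabled = $true; LastLogonDate = $now.AddDays(-200); whenCreated = $now.AddDays(-900) }
    [pscustomobject]@{ SamAccountName = 'svc-old'; Enabled = $true; LastLogonDate = $null;              whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'newhire'; Enabled = $true; LastLogonDate = $null;              whenCreated = $now.AddDays(-3) }
)
# jsmith's 95-day-old value falls inside the 90 + 14 day window.
$sample | Get-StaleAccount -Now $now

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated | Get-StaleAccount
```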


Getting the Precise lastLogon Across All Domain Controllers

As mentioned earlier, when you need exact, to-the-minute accuracy (an incident investigation, for example), you have to account for the fact that lastLogon doesn't replicate. The script below queries every domain controller in the domain and returns the single most recent logon for a user:


$user = "jsmith"
# Collect the host name of every domain controller in the domain
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Ask each DC for its own (non-replicated) lastLogon value and keep the newest
$latest = $dcs | ForEach-Object {
    $value = (Get-ADUser -Identity $user -Server $_ -Properties lastLogon).lastLogon
    # Skip DCs that never authenticated the user (empty or 0)
    if ($value) { [DateTime]::FromFileTime($value) }
} | Sort-Object -Descending | Select-Object -First 1

Write-Host "Most recent logon for ${user}: ${latest}"


This loops through each DC, converts the raw lastLogon file-time integer into a real DateTime with FromFileTime(), and keeps only the newest result. It's slower than a single LastLogonDate lookup, but it's the only way to get an accurate answer when precision matters.
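
During an investigation, an unreachable domain controller means the newest value you collected may not be the true last logon. The variant below is an added example, not the article's script: it records which DC supplied the answer and flags incomplete results. The function name, the replaceable -Query parameter, and the example.test host names are assumptions, and the per-DC values are constructed so the block runs without a domain.

```powershell
function Get-PreciseLastLogon {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $DomainController,
        # Returns the raw lastLogon file time from one DC; replaceable for offline runs.
        [scriptblock] $Query = {
            param($Id, $Dc)
            (Get-ADUser -Identity $Id -Server $Dc -Properties lastLogon -ErrorAction Stop).lastLogon
        }
    )
    $perDc = foreach ($dc in $DomainController) {
        try {
            $raw = & $Query $Identity $dc
            $when = $null
            if ($raw) { $when = [DateTime]::FromFileTime([long]$raw) }
            [pscustomobject]@{ DC = $dc; Reachable = $true; LastLogon = $when }
        }
        catch {
            # A DC that cannot be queried leaves a gap in the evidence.
            [pscustomobject]@{ DC = $dc; Reachable = $false; LastLogon = $null }
        }
    }
    $newest = $perDc | Where-Object { $_.LastLogon } |
        Sort-Object LastLogon -Descending | Select-Object -First 1
    $down = @($perDc | Where-Object { -not $_.Reachable } | ForEach-Object { $_.DC })
    [pscustomobject]@{
        Identity      = $Identity
        LastLogon     = $newest.LastLogon
        SourceDC      = $newest.DC
        UnreachableDC = $down
        Complete      = ($down.Count -eq 0)   # false: a newer logon may exist elsewhere
    }
}

# Constructed per-DC answers (hypothetical hosts); dc3 simulates an outage.
$fake = @{
    'dc1.example.test' = ([DateTime]'2026-06-20 08:15').ToFileTime()
    'dc2.example.test' = 0   # this DC never authenticated the user
}
$stub = {
    param($Id, $Dc)
    if ($Dc -eq 'dc3.example.test') { throw 'DC unreachable' }
    $fake[$Dc]
}
Get-PreciseLastLogon -Identity 'jsmith' -Query $stub `
    -DomainController 'dc1.example.test', 'dc2.example.test', 'dc3.example.test'
```

On a live domain, omit -Query and pass the host names from Get-ADDomainController -Filter *.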

Note: If your Get-ADUser commands fail with an error about the cmdlet not being recognized, you're missing the Active Directory module. Install RSAT (Remote Server Administration Tools) on a workstation, or run the commands directly on a domain controller where the module is already present. And if you haven't stood up your directory yet, our walkthrough on how to install Active Directory Domain Services will get you there first.

Tired of chasing logon data one query at a time?

Last-logon auditing is useful, but it's reactive and manual. Huntress SIEM, available through Cosmistack, continuously aggregates, correlates, and analyzes logon and security events across your entire environment at the moment they happen, so you're not stitching together domain controller queries after the fact. It takes the dirty work out of log capture and review, surfacing suspicious authentication activity and stale-account risk automatically. As an authorized Huntress reseller, we offer Huntress SIEM at 20-30% off retail, or small businesses can take advantage of our no-minimum, no-contract co-managed offering. See Huntress SIEM from Cosmistack.

Conclusion

Finding a user's last logon time in Active Directory is quick once you know which attribute to trust: use LastLogonDate when you want a fast and replicated answer for cleanup and reporting, and query lastLogon across all domain controllers when you need a precise timestamp. The GUI is great for one-off checks, but the Get-ADUser one-liner can scale effortlessly to your whole directory.

We hope this tutorial was helpful! For all of your IT consulting, Microsoft licensing, and cybersecurity needs, contact Cosmistack today.


Disclaimer: The information provided in this article is for educational and informational purposes only. The techniques, tools, and technologies discussed are intended to be used by individuals with a solid understanding of the subject matter. Readers are entirely responsible for any actions they take based on the content of this article. This blog and its authors do not assume any responsibility for any unintended outcomes, data loss, or issues that may arise from following the instructions or recommendations provided.