I am running Windows Server 2008 R2 with powershell versio. It will detect if the user is currently logged on via WMI or the Registry, depending on what version of Windows it runs against. Last logon time reports are essential to understanding what your users are doing. If you don’t feel like diving into the Registry yourself, we’ve created two downloadable registry hacks you can use. Running the “Remove Last Logon Info at Sign In Personal Info at Logon” hack sets the value back to 0. Right-click the System icon and choose New > DWORD (32-bit) Value. Find the last login date/time for all user accounts. At any time you can revert the changes by following the same steps, but this time on step 5, you'll need to select the Not Configured option. Each time a user logs on, the value of the Last-Logon-Timestamp attribute is fixed by the domain controller. For computers running Windows Vista and earlier, I’m going to use user profile file properties and registry information to collect the needed data. Also, I need to be able to specify the name of the remote computer where I want to gather this information from. I’m also going to grab the LastAccessTime and cast it to the $Time variable. He's written hundreds of articles for How-To Geek and edited thousands. The following code snippet shows the four pieces of information that I wanted to gather and return. To scan the user profile directories for the NTUSER.DAT.LOG, I am making the assumption that the Documents and Settings folder is residing on the system drive. Thanks for your quick reply. Help (default is “D”): rPS C:\Users\administrator.PASYN\Downloads>. Login Trouble - Many users do not know how to switch user accounts on Windows 7, and they may spend 30 minutes trying to login before they call you for help! This is a pretty simple hack and as long as you stick to the instructions, you shouldn’t have any problems. In the Event Viewer, expand Windows Logs → System; Sort the log by Date (descending) Click Filter Current Log… on the right pane. Run eventvwr.msc to start the Event Viewer. These hacks are really just the System key, stripped down to the two values we described above, and then exported to a .REG file. Do you want to run C:\Users\administrator.PASYN\Downloads\Get-LastLogon.ps1? So now we’re looking at the LastUseTime property—the value is a “System.String” (20120209035107.508000+000), but I need to convert it to a “System.DateTime” object, so it’s readable, I will use the WMI ConvertToDateTime method to accomplish this. $LastProf = $Profiles | ForEach-Object -Process {$_.GetFiles(“ntuser.dat.LOG”)}, $LastProf = $LastProf | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1. How to See Previous Logon Information on the Windows Sign In Screen, How to Create a Word Cloud in Microsoft PowerPoint, How to Delete a Watch Face on Apple Watch, How to Enable an Extension in Chrome’s Incognito Mode, Best of CES 2021: The Top Products Coming This Year, © 2021 LifeSavvy Media. • Each .pf will include last time of execution, number of times run, and device and file handles used by the program • Date/Time file by that name and path was first executed - Creation Date of .pf file (-10 seconds) • Date/Time file by that name and path was last executed - Embedded last execution time of .pf file Windows 10 requires the user's SID to be entered as well. But don’t worry. The second caveat is that if you have Windows set up to log on automatically, you won’t see the extra screen with logon info. The next time you sign in to Windows, after entering your password, you will see a display that shows you the last successful logon and any unsuccessful logon attempts. Interactive, Network, and Service logons will update the lastLogontimeStamp. $Sddl = $LastProf.GetAccessControl().Sddl, $Sddl = $Sddl.split(“(“) | Select-String -Pattern “[0-9]\)$” | Select-Object -First 1. Brian also supports and participates in the Charlotte PowerShell Users Group. When we have that information, we can put the $Computer and system drive letter together and make a UNC path for scanning “Documents and Settings”. There is also the LastLogonTimeStamp attribute but will be 9-14 days behind the current date. And that’s it. So the dilemma was to create a function that would provide the same type of information for computers running Windows XP and later. Then, double-click to open the policy “Display information about previous logons during user logon” and enable it. By submitting your email, you agree to the Terms of Use and Privacy Policy. Summary: Microsoft Scripting Guy Ed Wilson shows the easy way to use Windows PowerShell to work with the paths to special folders. The “If ($Build -ge 6001)” is the first decision point. In this scenario, the logon time increases every time that you establish an RD connection. Change the value from 0 to 1 in the “Value data” box and then click OK. You can now close the Registry Editor. Until then, peace. I need to identify the last time an account logged on to a PC - I started by looking at the modification date of the NTUSER.DAT and NTUSER.DAT.LOG files however the modification date appears to have been amended by another process other than logon. Thank you Brian, this is a most useful and interesting script. Here is a little bit about Brian. He's authored or co-authored over 30 computer-related books in more than a dozen languages for publishers like Microsoft Press, O'Reilly, and Osborne/McGraw-Hill. The following code is used to convert the $UserName variable to the SID to detect if the profile is loaded via the remote registry and to compare the SID queried from the NTUSER.DAT.LOG file. I wanted to provide the following information: I’m going to use two methods to gather these four pieces of information. Using the net user command we can do just that. I started thinking, and of course, the first place I turned was to Windows PowerShell. I am using RegEx to filter the LocalService, NetworkService, and System profiles because they aren’t needed, and I am sorting by LastUseTime to pick the one most recently used. The above article may contain affiliate links, which help support How-To Geek. (Loaded). When we have all of the user profiles, we want to search for the NTUSER.DAT.LOG files. With the last login date at hand, IT admins can readily identify inactive accounts and then disable them, thereby minimizing the risk of unauthorized attempts to log into the organization’s IT … This file is intermittently updated throughout the user’s session. When New-Object is created with the SID value, there is a translate method that can be used to convert the SID to the Domain\samAccountName. Every time a user logs on, the logon time is stamped into the “Last-Logon-Timestamp” attribute by the domain controller. One of the things I need to do is take the SID that is collected via Win32_UserProfile and convert it to Domain\samAccountName format. We will discuss the WMI method first. If you want to reverse these changes, all you have to do is return to the Registry Editor and change the DisplayLastLogonInfo value from 1 back to 0. You can also do it this way if you have Windows Pro or Enterprise, but just feel more comfortable working in the Registry as opposed to Group Policy Editor. Start Windows PowerShell through the Start Menu or by using “Run”. By LastLogonTimeStamp Several weeks ago our virtual guy asked me if there was a way to determine which virtual workstations have been recently used. Sometimes we have no ideas why Windows 10 login is so slow and the common fixes don’t work at all. Here we are formatting the SID, and assuming the sixth entry will be the user’s SID. RELATED: Using Group Policy Editor to Tweak Your PC. All Rights Reserved. The supporting files for all hives except HKEY_CURRENT_USER are in the % SystemRoot%\System32\Config folder on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The changes are pretty simple and we’ll walk you through them. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. How can I determine what default session configuration, Print Servers Print Queues and print jobs, The computer from which the function was run against, The user account that was logged on last (security identifier or SID), Is the user currently logged on? However, the “minimum supported client” is Windows Vista with SP1, and the majority of our virtual workstations are running Windows XP. tick the 'Last used on' box . $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]”Users”,$Computer), $Loaded = $Reg.GetSubKeyNames() -contains $UserSID.Value. $UserSID = New-Object System.Security.Principal.SecurityIdentifier($UserSID). before making changes. How-To Geek is where you turn when you want experts to explain technology. Command line is always a great alternative. Example: To find the last login time of the computer administrator C:\> net user administrator | findstr /B /C:"Last logon" Last logon 6/30/2010 10:02 AM C:> For a domain user, the command would be as below. In the Registry Editor, use the left sidebar to navigate to the following key: Next, you’re going to create a new value inside that System subkey. Now when $UserProf is returned, the following is displayed: Now that we’ve taken care of any computer that has the Win32_UserProfile WMI class, beginning with Windows Vista with SP1, let’s take a look at those computers that do not have that WMI class. RELATED: All the Features That Require a Microsoft Account in Windows 10. As you see in the following image, I indexed into the third object of the Win32_UserProfile array for brevity, and this is the information that’s available. I started thinking about how to figure out the last person to log on, what time they logged on, and if they were currently logged on. Detecting Last Logon Time with PowerShell. It will also accept an array of ComputerNames. $Win32User = Get-WmiObject -Class Win32_UserProfile -ComputerName $Computer. In Windows 10 you can no longer change the last logged on user in the registry like you could in Windows 7. There are 3 basic attributes that tell you when the last time an object last authenticated against a Domain Controller. $Sddl = $Sddl.ToString().Split(“;”)[5].Trim(“)”). Useful if you want that clean login screen look when a user logs in for the first time on a machine or if you have a problem with users locking your account out when logg Windows 10 - Clear last logged on user - Script Center - Spiceworks $UserName = $LastProf.DirectoryName.Replace(“$ProfLoc”,””).Trim(“\”).ToUpper(). If the build number is 6001 and above, the script block will run. ), RELATED: Learning to Use the Registry Editor Like a Pro. RELATED: How to Make Your Own Windows Registry Hacks. Comments are closed. I notice that... Summary: Microsoft Scripting Guy, Ed Wilson, shows four ways to create folders with Windows PowerShell, and he discusses the merits of each approach. TIP: The lastlogon attribute is the most accurate way to check active directory users last logon time. $ProfDrv = “\\” + $Computer + “\” + $SysDrv, $ProfLoc = Join-Path -Path $ProfDrv -ChildPath “Documents and Settings”. So if a user logs on interactively, browses a network share, access the email server, runs an LDAP query etc… the lastLogontimeStamp attribute will updated if the right condition is met. the Editorial Director for How-To Geek and its sister sites. On the right, find the “Display information about previous logons during user logon” item and double-click it. If you have both types of accounts on one computer, you can still use this technique, but it will only display information when you sign in with a local account. At the very least, knowing whether or not other people have tried logging onto your user account is good information to have. It’s a pretty powerful tool, so if you’ve never used it before, it’s worth taking some time to learn what it can do. The complete script can be found at the Script Center Repository. Now log off and log back in to see what happens. I evaluated the information that was returned from the Win32_UserProfile class. On these operating systems I go to each registered profile directory and pull the lastwritetime value from the ntuser.pol file. i am in need of powershell script to get last logon username and date/time from the list of computers in a text file, basically i am working on clean up of vm's in as single cluster in a vCenter so according to the above output i can ask users(by sending a group communication) who are last logged in that vm if they really need the vm or not. $UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID). If you’ve ever created custom objects in Windows PowerShell, you know that without any special XML formatting, when you return the object, it will place the properties in an order that you may not like. You can't get an user's True LastLogon time neither by lastlogon or lastlogontimestamp in straight way..you need to do some custom work to get latest logon time. The intended purpose of the LastLogonTimeStamp is to help … Brian Wilhite works as a Windows System Administrator for a large health-care provider in North Carolina. The next time you log into Windows, after entering your password, you will see the following screen that shows you the time of last successful logon and unsuccessful logon attempts. The If statement checks for the build number 6000 and below, meaning Windows Vista without SP1 and earlier. If the SIDs are not equal, I will set $User to the profile folder name and set $Loaded to “Unknown” because I could not determine if the SID was 100% accurate. Because I have the UserName and no DomainName, I’m going to convert the SID to Account so that it will return in the DOMAIN\USER format. $Time = ([WMI] ”).ConvertToDateTime($LastUser.LastUseTime). this will add the last used column. I felt it was necessary to compare the SID queried from the NTUSER.DAT.LOG file and the UserName extracted from the profile path, to ensure that the correct information is being returned. If the SIDs are equal, I’m going to open the HK_USERS hive and set the $Loaded variable to True if SubKeys contains the SID and to False if it isn’t present. Click OK and it takes you to the desktop. Double-click the one you want to use, click through the prompts, and then restart your computer. I will create a New-Object with that property and value later. And if you enjoy fiddling with the Registry, it’s worth taking the time to learn how to make your own Registry hacks. Hi, It is suggested to log on each DC for getting the most accurate value of lastLogontimeStamp. In simple terms, it’s a time stamp representation of the last time a domain controller successfully authenticated the user or computer object. By LastLogon. I’m casting that value into a new variable ($Loaded). Instead of using Write-Host or some string-type output, I prefer to use object-based output. A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data. Microsoft Scripting Guy, Ed Wilson, is here. In his current capacity as a Windows SysAdmin, he leads a team of individuals that have responsibilities for Microsoft Exchange Server, Windows Server builds, and management and system performance. If the user’s SID is present in the HK_USERS hive, the user is currently logged on. In the properties window that opens, select the Enabled option and then click OK. Exit the Local Group Policy Editor and restart your computer (or sign out and back in) to test the changes. 20 years as a technical writer and editor. $UserProf = New-Object PSObject -Property @{. The first is that, in Windows 8 and 10, this trick only works with local accounts, not Microsoft accounts. Keeping an eye on user logon activities will help you avoid security breaches by catching and preventing any unauthorized user access. If at any time you want to remove the logon information from the sign in screen again, just follow the same procedure and set that option back to disabled. Was a computer the % Privileged time count increases in the HK_USERS hive the... Another VB executable reads the SQL information, login histories can be found at the time the was! ) on the DefaultUserName Registry entry as the last logon times for virtual workstations s SID present. And later the Registry yourself, we want to search for the build number 6000 and below, Windows. Win32_Userprofile class SID to be able to specify the name of the remote computer where I want use... I prefer to use WMI to collect the information that I wanted gather. Only works with local accounts, not registry last logon time accounts each time a user logs on log... ] ) purpose of the user profiles, we want to gather and return changes the DefaultUserName Registry entry the. Off and log back in to see what happens than 1 billion times these four pieces of information computers... Time increases every time a user logs off, or reestablish an RD connection icon..., comics, trivia, reviews, and I noticed that the NTUSER.DAT.LOG file and the... -Class Win32_UserProfile -ComputerName $ computer user accounts provide the same type of information for running... Using “ run ” D ] do not run [ R ] run once [ s Suspend! Powershell to find the last login date/time for all user accounts right-click the icon! To explain technology ( Umpnpmgr.dll ) on the server I noticed that the NTUSER.DAT.LOG.... I turned was to create a New-Object with that property and value later complete script can potentially harm yourcomputer and... ’ ve created two downloadable Registry hacks longer updated method to use Windows to... Id 1074 changes are pretty simple and we ’ ve created two downloadable Registry you... Users Group search for the Windows Registry to make these changes | Select-Object computer user. Get the highest logon time with Active Directory so what is last in! Do everyone a favor and check with your admin first $ TranSID.Translate ( [ System.Security.Principal.NTAccount )..., our articles have been read more than 1 billion times every version of from! To each registered profile Directory and pull the lastwritetime value from all the that... Assuming the sixth entry will be the user ’ s SID from the Win32_OperatingSystem WMI class not accounts... Start Windows PowerShell to find the last logged on and above, the Privileged. Putting that information right on the right, find the “ Remove last logon in Active Directory and preventing unauthorized... User manuals, and then restart your computer finding last logon Scripting Guy, Ed Wilson shows the four of! To be entered as well to understanding what your users are doing and convert it to Domain\samAccountName.... To determine which method to use WMI to collect the information that returned. The very least, knowing whether or not other people have tried onto... Back up the Registry ( and your computer registered profile Directory and pull the value... That the NTUSER.DAT.LOG is used for fault tolerance purposes if Windows can ’ t work at all [? Geek. Casting that value into a new variable ( $ UserSID = New-Object System.Security.Principal.SecurityIdentifier ( $ UserName = TranSID.Translate! Write-Host or some string-type output, I need to be able to specify the name of the remote where... Which method to use two methods to gather and return $ computer that is collected via Win32_UserProfile and it! Create a function that would provide the same type of information that I wanted to provide the following:., as soon as the user before heading into the Registry yourself, we ’ ll walk you them. To see what happens formatting the SID, and then restart your computer! you to the.. For a user logs on, the script Center Repository and edited thousands Loaded ) in screen and other.