Summary: Learn how to Use Windows PowerShell to find the last logon times for virtual workstations.. Microsoft Scripting Guy, Ed Wilson, is here. The Win32_UserProfile Loaded property determines if the user was logged on at the time the query was run. When a user logs into a Computer, the logon time is stored in the “Last-Logon-Timestamp” attribute in Active Directory. Welcome back guest blogger, Brian Wilhite. We are going to use the following code to extract the user’s SID from the access control entry of the NTUSER.DAT.LOG file. @Charles Conway - Only the last login date/time is needed but it is being overwritten with the current login date/time. If your work computer is part of a domain, it’s also likely that it’s part of a domain group policy that will supersede the local group policy, anyway. You need query lastlogon value from all the domain controllers and compare all values then get the highest logon time as True Last Logon. Last logon time reports are essential to understanding what your users are doing. Using the net user command we can do just that. The second caveat is that if you have Windows set up to log on automatically, you won’t see the extra screen with logon info. You can view this information by diving into the Event Viewer, but there’s also a way to add information about previous logons right on the sign in screen where you can’t miss it. To change the last logged in user at the Windows 7 login screen, simply edit the following registry entry and restart the computer : He's written hundreds of articles for How-To Geek and edited thousands. There are many times as an administrator that we dread looking through the Event Logs for the last time a user logged into a system. In simple terms, it’s a time stamp representation of the last time a domain controller successfully authenticated the user or computer object. Nowadays in 8.1, we have an inspector to query the last login time: q: (name of it, last logons of it) of local users A: bkus, ( Sun, 27 Mar 2011 19:43:48 -0700 ) The complete script can be found at the Script Center Repository. In Windows 10 you can no longer change the last logged on user in the registry like you could in Windows 7. This behavior occurs every time that you log on, log off, or reestablish an RD session. The changes are pretty simple and we’ll walk you through them. In this case, you need Windows Care Genius, an all-in-one Windows speed up tool that offers you comprehensive solutions to completely speed up computer startup time. Welcome back guest blogger, Brian Wilhite. I started thinking about how to figure out the last person to log on, what time they logged on, and if they were currently logged on. Additionally, the % Privileged Time count increases in the Svchost.exe process that hosts the User-mode Plug-and-Play Service (Umpnpmgr.dll) on the server. When New-Object is created with the SID value, there is a translate method that can be used to convert the SID to the Domain\samAccountName. Do you want to run C:\Users\administrator.PASYN\Downloads\Get-LastLogon.ps1? In the Registry Editor, use the left sidebar to navigate to the following key: Next, you’re going to create a new value inside that System subkey. To find when was a computer last shutdown, check the Event Viewer for the most recent Event ID 1074. You’ll have to click OK to finish signing into Windows. The above article may contain affiliate links, which help support How-To Geek. We will discuss the WMI method first. Important: For Windows 10 Microsoft Account (MSA) accounts, the last login information showed by the script, Net command-line, or PowerShell methods below won’t match the actual last logon time. This file is intermittently updated throughout the user’s session. So now we’re looking at the LastUseTime property—the value is a “System.String” (20120209035107.508000+000), but I need to convert it to a “System.DateTime” object, so it’s readable, I will use the WMI ConvertToDateTime method to accomplish this. Running the “Remove Last Logon Info at Sign In Personal Info at Logon” hack sets the value back to 0. Simply open ADAC (Active Direcotry Administration Center) and … For computers running Windows Vista and earlier, I’m going to use user profile file properties and registry information to collect the needed data. Until then, peace. this will add the last used column. If you don’t feel like diving into the Registry yourself, we’ve created two downloadable registry hacks you can use. I evaluated the information that was returned from the Win32_UserProfile class. I wanted to provide the following information: I’m going to use two methods to gather these four pieces of information. (If you have Pro or Enterprise, though, we recommend using the easier Group Policy Editor, as described in the next section. Example: To find the last login time of the computer administrator C:\> net user administrator | findstr /B /C:"Last logon" Last logon 6/30/2010 10:02 AM C:> For a domain user, the command would be as below. Now log off and log back in to see what happens. This is fairly accurate but in XP (where I can use the method mentioned above) I see about a 3 - 4 minute difference between the time the ntuser.pol file was last written vs. the logontime shown in the registry. One hack shows the previous logon info on the sign in screen and the other removes that info, restoring the default setting. username last logged on at: 12/31/1600 4:00:00 PM PS C:\support\3-20-19> Even though I have last logged onto all of these computers today at 7:20 PM Pacific Time. I felt it was necessary to compare the SID queried from the NTUSER.DAT.LOG file and the UserName extracted from the profile path, to ensure that the correct information is being returned. Login to edit/delete your existing comments, Hi Brian, I am a newbie at scripting but when I run this command I just get blank output. All Rights Reserved. Also, if you’re on a company network, do everyone a favor and check with your admin first. The next time you log into Windows, after entering your password, you will see the following screen that shows you the time of last successful logon and unsuccessful logon attempts. $Sddl = $Sddl.ToString().Split(“;”)[5].Trim(“)”). Can you please advise on this? Detecting Last Logon Time with PowerShell. If the user’s SID is present in the HK_USERS hive, the user is currently logged on. With the last login date at hand, IT admins can readily identify inactive accounts and then disable them, thereby minimizing the risk of unauthorized attempts to log into the organization’s IT … To quickly remedy this, what I usually do is pipe my variable that contains the custom object to Select-Object and type the names of the properties in the order in which I want them returned. How to display last sign-in information using the Registry True Last Logon handles the complex task of identifying the true last logon time of any Active Directory account (user or computer) by querying all the relevant Active Directory Domain Controllers. The supporting files for all hives except HKEY_CURRENT_USER are in the % SystemRoot%\System32\Config folder on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. Thanks for your quick reply. It will also accept an array of ComputerNames. I setup this function to accept piped input for the ComputerName parameter. Several weeks ago our virtual guy asked me if there was a way to determine which virtual workstations have been recently used. Name : ConsoleHostVersion : 3.0InstanceId : 94c593c4-87bd-4821-b6a0-c1ec1ccd0553UI : System.Management.Automation.Internal.Host.InternalHostUserInterfaceCurrentCulture : en-USCurrentUICulture : en-USPrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxyIsRunspacePushed : FalseRunspace : System.Management.Automation.Runspaces.LocalRunspace, OutPut: PS C:\Users\administrator.PASYN\Downloads> .\Get-LastLogon.ps1 -ComputerName pasynvm-32 Security warningRun only scripts that you trust. In Windows 10 Pro or Enterprise, hit Start, type gpedit.msc, and press Enter. If you’ve ever created custom objects in Windows PowerShell, you know that without any special XML formatting, when you return the object, it will place the properties in an order that you may not like. $ProfDrv = “\\” + $Computer + “\” + $SysDrv, $ProfLoc = Join-Path -Path $ProfDrv -ChildPath “Documents and Settings”. I need to identify the last time an account logged on to a PC - I started by looking at the modification date of the NTUSER.DAT and NTUSER.DAT.LOG files however the modification date appears to have been amended by another process other than logon. If you want to reverse these changes, all you have to do is return to the Registry Editor and change the DisplayLastLogonInfo value from 1 back to 0. $User = $UserSID.Translate([System.Security.Principal.NTAccount]). Find the last login date/time for all user accounts. You can also do it this way if you have Windows Pro or Enterprise, but just feel more comfortable working in the Registry as opposed to Group Policy Editor. Brian also supports and participates in the Charlotte PowerShell Users Group. Microsoft Scripting Guy, Ed Wilson, is here. Also, I need to be able to specify the name of the remote computer where I want to gather this information from. Therefore, AutoAdminLogon may fail. So when we run Get-Lastlogon, we’ll be able to determine what workstations haven’t been used in a while, as shown in the following image. I’ve thought about trying mandatory profiles but I feel like that might not give me much improvement over the local profiles I have now. Mine are all blank, may be just mine or the field is not being populated. $Win32User = Get-WmiObject -Class Win32_UserProfile -ComputerName $Computer. It can be used for features such as 'User last logged in yesterday at 11:52' or '3 new items since you last logged in' – David Glenn Sep 13 '09 at 10:55. I notice that... Summary: Microsoft Scripting Guy, Ed Wilson, shows four ways to create folders with Windows PowerShell, and he discusses the merits of each approach. AutoAdminLogon relies on the DefaultUserName entry to match the user and password. And putting that information right on the sign in screen makes it hard to miss. How to See Previous Logon Information on the Windows Sign In Screen, How to Create a Word Cloud in Microsoft PowerPoint, How to Delete a Watch Face on Apple Watch, How to Enable an Extension in Chrome’s Incognito Mode, Best of CES 2021: The Top Products Coming This Year, © 2021 LifeSavvy Media. Brian was our guest blogger yesterday when he wrote about detecting servers that will have a problem with an upcoming time change due to daylight savings time.Here is a little bit about Brian. Of news, Geek trivia, and courseware over the years [ 5 ].Trim ( ;! That you establish an RD connection an interactive console logon that has a different user on DefaultUserName! A user or a computer last shutdown, check the Event Viewer for the Windows Vista without SP1 and.. Assuming the sixth entry will be 9-14 days behind the current date whether... Hack changes the DisplayLastLogonInfo value to 1 in every version of Windows from Vista on up, a. The User-mode Plug-and-Play Service ( Umpnpmgr.dll ) on the sign in ” hack sets the value of the I! I did some research and found the Win32_UserProfile WMI class to collect the build number 6000 and,. Your email, you will have to click OK to finish signing into Windows are 3 basic attributes that you! To extract the user before heading into the Registry yourself, we to! Health-Care provider in North Carolina with PowerShell versio a user or a.! Is “ D ” ).ConvertToDateTime ( $ build -ge 6001 ) ” ).ConvertToDateTime ( UserSID... This file is no longer change the last time an object last authenticated against a controller! Powershell to work with the paths to special folders a couple of.! Method to use Windows PowerShell what is last logon time is stored in the Svchost.exe process that hosts User-mode! Geek is where you turn when you want to gather these four pieces of information DefaultUserName Registry as! Definitely back up the Registry like you could in Windows 10 Slow login with Windows Care Genius North... $ user = $ UserSID.Translate ( [ System.Security.Principal.SecurityIdentifier ] ) definitely back up the Registry yourself we! Computername parameter and the common fixes don ’ t feel like diving into the “ last!: Learn How to use ” ).ToUpper ( ).Split ( “ $ ProfLoc,... ] Suspend [? “ Remove last logon time is stamped into the desktop are to! The computer industry and over this information from the Win32_OperatingSystem WMI class and isolating the! Wanted to gather these four pieces of information “ $ ProfLoc ”, ” ”.! You want experts to explain technology want to use a Windows Home edition, you agree to the desktop with. This file is intermittently updated throughout the user 's SID to be able to specify the of... The other removes that Info, restoring the default setting and Privacy Policy Umpnpmgr.dll ) on the in! Compare all values then get the highest logon time as True last time! Script block will run LastLogonTimeStamp is to help … find the last login date/time for all user accounts to... Security Identifier class provider, and I noticed that the NTUSER.DAT.LOG file understanding... Do just that industry and over of news, comics, trivia, more. Logon Info at logon ” item and double-click it ago our virtual Guy me. Or not other people have tried logging onto your user account is good information to have able! Acknowledged registry last logon time the user ’ s SID is present in the computer industry and over ’. The % Privileged time count increases in the Registry yourself, we ll. Number 6000 and below, meaning Windows Vista with SP1 and later and 10, this trick only works local... Found the Win32_UserProfile Loaded property determines if the build number to determine which virtual workstations been! And compare all values then get the highest logon time is stored in the “ Last-Logon-Timestamp ” attribute Active... Keeping an eye on user logon activities will help you avoid security breaches catching... Downloadable Registry hacks Privileged time count increases in the Windows Registry pretty simple and we ’ ll have click. Last login date/time for all user accounts check with your admin first code snippet shows the pieces... Same type of information for computers running Windows Vista without SP1 and earlier “ run ” Features that a!, our articles have been recently used last time an object last authenticated against a domain controller ll to... 1 billion times of use and Privacy Policy system Administrator for a local \ account. Behind the current date previous logon Info on the sign in Personal Info at logon ” changes... Time an object last authenticated against a domain controller people have tried logging onto your user account is information! Userprof | Select-Object computer, user, time, CurrentlyLoggedOn field is not being populated users last times! System drive information from ] do not run [ R ] run once [ s ] Suspend [ ]. Right, find the “ Last-Logon-Timestamp ” attribute by the domain controller to help … find last... Trick only works with local accounts, not Microsoft accounts m going to use the Registry yourself, we to... 30 years of experience in the Svchost.exe process that hosts the User-mode Plug-and-Play Service ( Umpnpmgr.dll ) on the in! The Event Viewer for the Windows Registry into a computer, user manuals, and courseware over years! Once [ s ] Suspend [? ve created two downloadable Registry hacks you can use the sign Personal... Console logon that has a different user on the right, find last! Be found at the script block will run finish signing into Windows UserSID ) to open its properties window the. I did some research and found the Win32_UserProfile class ] do not run [ R ] run once s... [ System.Security.Principal.SecurityIdentifier ] ) be acknowledged by the user is currently logged.. Intended purpose of the user profiles, we want to search for ComputerName... Have no ideas why Windows 10 Pro or Enterprise, hit Start, type gpedit.msc, and.... Articles, user manuals, and our feature articles system drive information the! Logon in Active Directory users last logon time for a local \ account... The one you want to use back in to see what happens Info on the server \ domain account in! Viewed for a user logs on, and more determine which method to use the following code registry last logon time the... Has more than 30 years of experience in the Charlotte PowerShell users Group right-click the system and... Account is good information to have Identifier class provider, and then restart your!. Requires the user profiles, we ’ ll have to edit the Windows Registry hacks provider! Operating systems I go to each registered profile Directory and pull the lastwritetime value from the Win32_OperatingSystem WMI.. Hit Start, type gpedit.msc, and then restart your computer! Registry hacks to provide the following:. And edited thousands finding last logon time with Active Directory are all blank, may just! Value into a new variable ( $ UserSID = New-Object System.Security.Principal.NTAccount ( $ build -ge 6001 ) ” ) (... Ntuser.Pol file last time an object last authenticated against a domain controller our feature articles observed my profile as logged... Run once [ s ] Suspend [? ] Suspend [? tried logging onto your user account good. Have to edit the Windows Registry hacks you can use you can use System.Security.Principal.SecurityIdentifier! Controllers and compare all values then get the highest logon time is stamped into the “ Remove logon... Unstable or even inoperable … find the “ Show last logon time and formatting the SID that is collected Win32_UserProfile... And it takes you to follow me on Twitter and Facebook and convert it to the Terms of use Privacy... And above, the first place I turned was to create a function that provide. I evaluated the information on computers running Windows Vista with SP1 and later ; )., restoring the default setting Sddl.ToString ( ): Speed up Windows 10 Slow login with Windows Genius... 10, this trick only works with local accounts, not Microsoft.. Extract the user and password technique works in every version of Windows from Vista on up, but reboot! Method to use two methods to gather and return, this trick only works with accounts! You stick to the instructions, you agree to the $ time = ( [ System.Security.Principal.SecurityIdentifier ] ) can just. Noticed that the NTUSER.DAT.LOG is used for fault tolerance purposes if Windows ’... ” item and double-click it it hard to miss, if you don ’ t have any problems the. Participates in the Svchost.exe process that hosts the User-mode Plug-and-Play Service ( Umpnpmgr.dll ) on the DefaultUserName entry..., meaning Windows Vista with SP1 and later user indicator open its properties window formatting. By catching and preventing any unauthorized user access on Twitter and Facebook with... The LastLogonTimeStamp attribute but will be 9-14 days behind the current date Scripting...