Domain Admins last logon time audit report

Posted on 2009-12-21
Medium Priority
Last Modified: 2012-06-21
I need a report showing the last logon time for all members of the Domain Admins account group.  Ideally it would also include account status info (disabled/enabled, expired date..).  

This shouldn't be difficult, but after spending 5 hours playing with ADUC saved queries and SCOM ACS (which we have fully functional), I'm pulling my hair out.  Any advice on how to get at this data easily and repeatedly?

Question by:tc100years
LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 26097090
In this case you can use third-party software. Check this software!

Change Auditor is the software used in our org.
It is good and powerful software to track and audit changes in Active Directory.
LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 26097110
This software is also used for many other purposes in AD.
LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 26097146
LVL 57

Accepted Solution

Mike Kline earned 2000 total points
ID: 26097175
Give adfind a shot by top MVP Joe Richards
adfind -default -f "&(objectcategory=person)(objectclass=user)(memberof=DN of your domain admin group)" samaccountname lastlogontimestamp -tdc -csv  > c:\AdminsLastLogon.csv
That will give you a csv file on your C drive with the lastlogon info for your domain admins.  Your domain has to be at W2K3 functional level for lastlogontimestamp to work.
If you need to quickly find the DN of your domain admin group use
adfind -sc g: "domain admins" dn
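
A PowerShell equivalent of the report asked for above, added here as an example (not part of the original answer, and not adfind's own code): it lists every Domain Admins member with account status, expiry date and both logon attributes. It assumes the ActiveDirectory module (RSAT) and reachable domain controllers; the variable names are illustrative and the output path is the one the answer uses.

```powershell
# Added example. Requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$group   = 'Domain Admins'
$outFile = 'C:\AdminsLastLogon.csv'   # same output path as the adfind command above
$props   = 'lastLogonTimestamp', 'Enabled', 'AccountExpirationDate'

# lastLogonTimestamp is replicated but, by default, only refreshed when the stored
# value is roughly 9 to 14 days old. lastLogon is exact but kept per DC and never
# replicated, so every DC has to be asked and the newest value kept.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# -Recursive flattens nested groups; keep only user objects.
$members = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties $props

    $latest = 0
    foreach ($dc in $dcs) {
        try {
            $v = (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            if ($v -gt $latest) { $latest = $v }
        } catch {
            # An unreachable DC makes LastLogonExact a lower bound, so surface it.
            Write-Warning "Could not query $dc for $($u.SamAccountName): $_"
        }
    }

    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        Enabled             = $u.Enabled
        AccountExpires      = $u.AccountExpirationDate
        LastLogonReplicated = if ($u.lastLogonTimestamp) { [datetime]::FromFileTime($u.lastLogonTimestamp) }
        LastLogonExact      = if ($latest) { [datetime]::FromFileTime($latest) }
    }
}

# Accounts that have never logged on sort first (empty LastLogonExact).
$report | Sort-Object LastLogonExact | Export-Csv -Path $outFile -NoTypeInformation
```

Enabled accounts with an empty or very old LastLogonExact are the ones to review first.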

Expert Comment

ID: 26097988
We are using DumpSec. It is free and very easy to handle.
You can find it here:

Author Comment

ID: 26099091
How do I limit the DumpSec to just the Domain Admins group?  

Expert Comment

ID: 26099524
I did not see any filtering option, but if you select group in the available fields, you can import as a CSV file, open it in Excel and filter as you want.
LVL 11

Expert Comment

ID: 26111596
Use this script as a logon script. It will record all admin activity henceforth.

Change the UNC path.
You will get the From machine and user name and To machine also...

' Log file on a network share; change this UNC path to suit your environment
strLogFile = "\\sm\logs\DomainAdminLogonActivity.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForAppending = 8
Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
' Only logons by the account named "administrator" are recorded
If LCase(objNetwork.UserName) = "administrator" Then
	Set objFile = objFSO.OpenTextFile(strLogFile, intForAppending, True)
	If Left(UCase(objShell.ExpandEnvironmentStrings("%SESSIONNAME%")), 3) = "RDP" Then
		' Remote Desktop session: log the source machine, the target machine, the account and the console user of the source machine
		objFile.WriteLine Now & vbTab & objShell.ExpandEnvironmentStrings("%CLIENTNAME%") & " accessed " & objNetwork.ComputerName & vbTab & objNetwork.UserName & vbTab & GetConsoleUser(objShell.ExpandEnvironmentStrings("%CLIENTNAME%"))
	Else
		' Console logon: log the machine and the account
		objFile.WriteLine Now & vbTab & objNetwork.ComputerName & vbTab & objNetwork.UserName
	End If
	objFile.Close
End If
Function GetConsoleUser(strComputer)
	' Returns name of user logged on to console 
	' If no users are logged on, returns "" 
	On Error Resume Next
	Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
	' The owner of explorer.exe is taken to be the console user
	Set colProc = objWMIService.ExecQuery("Select Name from Win32_Process Where Name='explorer.exe'") 
	strConsoleUser = ""
	For Each objProcess In colProc 
		lngReturn = objProcess.GetOwner(strUser, strDomain) 
		If lngReturn = 0 Then 
			strConsoleUser = strUser
		End If
	Next
	' Any WMI failure (machine unreachable, access denied) is reported as <ERROR>
	If Err.Number <> 0 Then strConsoleUser = "<ERROR>"
	On Error GoTo 0
	GetConsoleUser = strConsoleUser
End Function

Question has a verified solution.
