Domain Admins last logon time audit report

Posted on 2009-12-21
Last Modified: 2012-06-21
I need a report showing the last logon time for all members of the Domain Admins account group.  Ideally it would also include account status info (disabled/enabled, expired date..).  

This shouldn't be difficult but after spending 5 hours playing with ADUC saved queries and SCOM ACS (which we have fully functional), I'm pulling my hair out.  Any advise at how to get at this data easily and repeatedly?

Question by:tc100years
    LVL 17

    Expert Comment

    by:Premkumar Yogeswaran
    In this case you can use the 3rd party software Check this software..!

    Change auditor is the software useing in our org.
    It is good and powerful sofware to track and audit the changes in Active directory
    LVL 17

    Expert Comment

    by:Premkumar Yogeswaran
    This software is also used in many other purpose in AD
    LVL 17

    Expert Comment

    by:Premkumar Yogeswaran
    LVL 57

    Accepted Solution

    Give adfind a shot by top MVP Joe Richards
    adfind -default -f "&(objectcategory=person)(objectclass=user)(memberof=DN of your domain admin group)" samaccountname lastlogontimestamp -tdc -csv  > c:\AdminsLastLogon.csv
    That will give you a csv file on your C drive with the lastlogon info for your domain admins.  Your domain has to be at W2K3 functional level for lastlogontimestamp to work.
    If you need to quickly find the DN of your domain admin group use
    adfind -sc g: "domain admins" dn
    LVL 7

    Expert Comment

    we are using dumpsec  it is free  and very easy  to handle
    you can find it here :

    Author Comment

    How do I limit the DumpSec to just the Domain Admins group?  
    LVL 7

    Expert Comment

    I did not see any filtering option, but if you select group on the available fields , you can import as csv  file open on excel and filtering as you want
    LVL 11

    Expert Comment

    Use this script as a logon script. It will record all admin activity henceforth.

    Change the UNC path\
    You will get the From machine and user name and To machine also...

    strLogFile = "\\sm\logs\DomainAdminLogonActivity.txt"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Const intForAppending = 8
    Set objNetwork = CreateObject("WScript.Network")
    Set objShell = CreateObject("WScript.Shell")
    If LCase(objNetwork.UserName) = "administrator" Then
    	Set objFile = objFSO.OpenTextFile(strLogFile, intForAppending, True)
    	If Left(UCase(objShell.ExpandEnvironmentStrings("%SESSIONNAME%")), 3) = "RDP" Then
    		objFile.WriteLine Now & vbTab & objShell.ExpandEnvironmentStrings("%CLIENTNAME%") & " accessed " & objNetwork.ComputerName & vbTab & objNetwork.UserName & vbTab & GetConsoleUser(objShell.ExpandEnvironmentStrings("%CLIENTNAME%"))
    		objFile.WriteLine Now & vbTab & objNetwork.ComputerName & vbTab & objNetwork.UserName
    	End If
    End If
    Function GetConsoleUser(strComputer)
    	' Returns name of user logged on to console 
    	' If no users are logged on, returns "" 
    	On Error Resume Next
    	Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    	Set colProc = objWMIService.ExecQuery("Select Name from Win32_Process Where Name='explorer.exe'") 
    	strConsoleUser = ""
    	For Each objProcess In colProc 
    		lngReturn = objProcess.GetOwner(strUser, strDomain) 
    		If lngReturn = 0 Then 
    			strConsoleUser = strUser
    		End If
    	If Err.Number <> 0 Then strConsoleUser = "<ERROR>"
    	On Error GoTo 0
    	GetConsoleUser = strConsoleUser
    End Function

    Open in new window


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Highfive Gives IT Their Time Back

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Suggested Solutions

    As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
    Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    758 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now