Domain Admins last logon time audit report

I need a report showing the last logon time for all members of the Domain Admins group. Ideally it would also include account status info (disabled/enabled, expiry date, etc.).

This shouldn't be difficult, but after spending 5 hours playing with ADUC saved queries and SCOM ACS (which we have fully functional), I'm pulling my hair out. Any advice on how to get at this data easily and repeatedly?

Mike Kline commented:
Give AdFind, by top MVP Joe Richards, a shot:
adfind -default -f "(&(objectcategory=person)(objectclass=user)(memberof=DN of your domain admin group))" samaccountname lastlogontimestamp -tdc -csv > c:\AdminsLastLogon.csv
That will give you a CSV file on your C drive with the lastLogon info for your domain admins. Your domain has to be at W2K3 functional level for lastLogonTimestamp to work.
If you need to quickly find the DN of your Domain Admins group, use
adfind -sc g:"domain admins" dn
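The same report in PowerShell, as an added example that is not part of the answer above or of AdFind. It assumes the RSAT ActiveDirectory module and read access to every domain controller, reuses the C:\AdminsLastLogon.csv path from the answer, adds the account status fields the question asked for, and also reads the unreplicated lastLogon attribute from each DC, because the replicated lastLogonTimestamp can lag by up to about 14 days.

```powershell
# Added example: last logon and account status for every member of Domain Admins.
# Assumes the RSAT ActiveDirectory module and rights to read user attributes on all DCs.
Import-Module ActiveDirectory

$OutFile = 'C:\AdminsLastLogon.csv'   # output path taken from the answer above

# Resolve nested membership; keep user objects only (nested groups and computers are dropped).
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# lastLogon is not replicated, so every DC must be asked and the newest value kept.
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$Report = foreach ($m in $Members) {
    $u = Get-ADUser -Identity $m.DistinguishedName -Properties lastLogonTimestamp, Enabled, `
            LockedOut, AccountExpirationDate, PasswordLastSet, PasswordNeverExpires

    $newest = 0
    foreach ($dc in $DCs) {
        try {
            $ll = (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            if ($ll -gt $newest) { $newest = $ll }
        } catch {
            Write-Warning "Could not query $dc for $($u.SamAccountName): $_"
        }
    }

    # Replicated attribute: accurate only to roughly 14 days (msDS-LogonTimeSyncInterval).
    $approx = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    # Exact value: the maximum lastLogon seen across all queried DCs.
    $exact  = if ($newest) { [DateTime]::FromFileTime($newest) } else { $null }

    [PSCustomObject]@{
        SamAccountName        = $u.SamAccountName
        Enabled               = $u.Enabled
        LockedOut             = $u.LockedOut
        AccountExpirationDate = $u.AccountExpirationDate
        PasswordLastSet       = $u.PasswordLastSet
        PasswordNeverExpires  = $u.PasswordNeverExpires
        LastLogonTimestamp    = $approx
        LastLogonExact        = $exact
    }
}

$Report | Sort-Object LastLogonExact | Export-Csv -Path $OutFile -NoTypeInformation
$Report | Format-Table -AutoSize
```

Accounts with a null LastLogonExact have never logged on interactively or over the network since the DCs were last rebuilt, and are the first candidates for review when the list is sorted as above.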
Premkumar Yogeswaran (Analyst II - System Administrator) commented:
In this case you can use third-party software. Check this software:

Change Auditor is the software we use in our org.
It is good and powerful software to track and audit the changes in Active Directory.
Premkumar Yogeswaran (Analyst II - System Administrator) commented:
This software is also used for many other purposes in AD.

Premkumar Yogeswaran (Analyst II - System Administrator) commented:
We are using DumpSec. It is free and very easy to handle.
You can find it here:
tc100years (Author) commented:
How do I limit DumpSec to just the Domain Admins group?
I did not see any filtering option, but if you select Group in the available fields, you can export a CSV file, open it in Excel and filter as you want.
Use this script as a logon script. It will record all admin activity henceforth.

Change the UNC path.
You will get the "from" machine and user name, and the "to" machine as well.

' Logon script: appends a line to a central log whenever the account named "administrator" logs on.
' Note: this matches only the account named Administrator, not every member of Domain Admins.
strLogFile = "\\sm\logs\DomainAdminLogonActivity.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForAppending = 8
Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
If LCase(objNetwork.UserName) = "administrator" Then
	Set objFile = objFSO.OpenTextFile(strLogFile, intForAppending, True)
	If Left(UCase(objShell.ExpandEnvironmentStrings("%SESSIONNAME%")), 3) = "RDP" Then
		' Remote Desktop session: record the client machine and the user at its console
		objFile.WriteLine Now & vbTab & objShell.ExpandEnvironmentStrings("%CLIENTNAME%") & " accessed " & objNetwork.ComputerName & vbTab & objNetwork.UserName & vbTab & GetConsoleUser(objShell.ExpandEnvironmentStrings("%CLIENTNAME%"))
	Else
		' Local (console) logon: record only the machine and the user
		objFile.WriteLine Now & vbTab & objNetwork.ComputerName & vbTab & objNetwork.UserName
	End If
	objFile.Close
End If
Function GetConsoleUser(strComputer)
	' Returns name of user logged on to console
	' If no users are logged on, returns ""
	On Error Resume Next
	Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
	Set colProc = objWMIService.ExecQuery("Select Name from Win32_Process Where Name='explorer.exe'")
	strConsoleUser = ""
	For Each objProcess In colProc
		lngReturn = objProcess.GetOwner(strUser, strDomain)
		If lngReturn = 0 Then
			strConsoleUser = strUser
		End If
	Next
	If Err.Number <> 0 Then strConsoleUser = "<ERROR>"
	On Error GoTo 0
	GetConsoleUser = strConsoleUser
End Function
