Knowing when users last logged on to your domain is essential for security hygiene and license management. AD FastReporter provides built-in reports that show last logon times, inactive accounts, and logon-related attributes — without writing PowerShell scripts or querying individual domain controllers.
Active Directory stores logon information across multiple attributes, each with different replication behavior. The lastLogon attribute records the most recent logon time but is not replicated between domain controllers — meaning each DC has its own value. The lastLogonTimestamp attribute is replicated but only updated when the previous value is older than 14 days (by default), making it less precise but usable across the domain.
This distinction matters because querying a single domain controller for lastLogon gives you an incomplete picture. To get the true last logon time, you would normally need to query every DC and compare values. AD FastReporter handles this complexity for you — it reads the appropriate replicated attributes and presents the data in a human-readable date format, so you don't need to manually convert Windows file time integers or poll multiple DCs.
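The manual process described above, as an added example (not AD FastReporter's own code): query every domain controller for the non-replicated lastLogon value, keep the newest, and convert it from Windows file time. It assumes the RSAT ActiveDirectory module is installed; the function names and the account name 'jdoe' are placeholders.

```powershell
# Added example: resolve the true last logon for one account by reading the
# non-replicated lastLogon attribute from every domain controller.
Import-Module ActiveDirectory

function Convert-AdFileTime {
    # AD stores logon times as 100-ns intervals since 1601-01-01 UTC.
    # 0 or an unset value means no logon has been recorded.
    param([Nullable[long]]$FileTime)
    if (-not $FileTime -or $FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$Identity)

    $latest = 0L
    $source = $null
    $failed = @()

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
            # Each DC only knows about logons it processed itself.
            if ($user.lastLogon -gt $latest) {
                $latest = $user.lastLogon
                $source = $dc.HostName
            }
        } catch {
            # A DC that could not be queried may hold the newest value,
            # so report it instead of silently skipping it.
            $failed += $dc.HostName
        }
    }

    [pscustomobject]@{
        Identity      = $Identity
        LastLogonUtc  = Convert-AdFileTime $latest
        ReportedBy    = $source
        QueryFailedOn = $failed -join ', '
    }
}

# 'jdoe' is a placeholder account name.
Get-TrueLastLogon -Identity 'jdoe'
```

If QueryFailedOn is not empty, treat LastLogonUtc as a lower bound rather than the definitive value.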
Regular logon reporting helps you identify accounts that are no longer in use. Stale accounts — those belonging to former employees, contractors whose engagements ended, or service accounts for decommissioned applications — represent a real security risk. If compromised, they provide an attacker with valid credentials that no one is monitoring. Compliance frameworks such as NIST 800-53, CIS Controls, and ISO 27001 all recommend periodic review and disabling of inactive accounts.
AD FastReporter includes several built-in reports specifically designed for logon analysis:
Identify active users who have logged on recently. Useful for verifying that accounts are in use and for cross-referencing with license assignments — if a user hasn't logged on in 30 days, they may not need that software license.
Find accounts that haven't been used in a defined period. These are candidates for disabling or deletion. Running this report regularly is a fundamental part of AD security hygiene.
Identify which users have a logon script assigned and which do not. Helps verify that Group Policy or legacy logon script configurations are applied consistently across your user base.
Find accounts that are currently locked out or that have had recent bad password attempts. A spike in failed logon attempts can indicate a brute-force attack or a user whose password has been changed without their knowledge.
Beyond the built-in reports, AD FastReporter lets you add logon-related fields to any user or computer report. Available logon fields include:
The last time the account authenticated, converted from Windows file time to a readable date.
The total number of successful logons recorded for the account.
The pre-Windows 2000 logon name for the account.
The path to the logon script assigned to the user, if any.
When the last failed logon attempt occurred — useful for spotting brute-force patterns.
The date and time the account was locked out, if applicable.
All date/time values are automatically converted from Active Directory's internal integer format to human-readable dates. You don't need to manually convert lastLogonTimestamp values — AD FastReporter does it for you.
The typical PowerShell approach uses Get-ADUser -Filter * -Properties lastLogonTimestamp and then pipes the results through a format expression to convert the timestamp. This works for a quick query, but falls short when you need to combine logon data with other attributes (department, manager, account status), filter by OU, or produce a formatted report for management.
AD FastReporter lets you build these multi-attribute reports visually. Select a logon report, add whatever additional fields you need, and generate. The results are displayed in a sortable grid that you can review immediately or export (Pro version) to CSV, Excel, PDF, or HTML for sharing.
Run the inactive users report monthly to find accounts that haven't logged on in 60 or 90 days. Disable them first, then delete after a grace period. This is one of the most impactful security improvements you can make with minimal effort.
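The same inactive-account review done directly against the directory, as an added example (not AD FastReporter's own code). It uses the replicated lastLogonTimestamp attribute and assumes the RSAT ActiveDirectory module and the default 14-day update interval mentioned earlier; the variable names are illustrative.

```powershell
# Added example: shortlist enabled accounts with no logon in $InactiveDays days.
Import-Module ActiveDirectory

$InactiveDays = 90   # 60 or 90 days, as suggested in the text

# lastLogonTimestamp can trail the real logon by up to 14 days (default),
# so a threshold at or below that interval would flag active users.
if ($InactiveDays -le 14) {
    throw "Threshold must exceed the 14-day lastLogonTimestamp update interval."
}

$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$cutoffFt = $cutoff.ToFileTimeUtc()

# Match stale timestamps and accounts that have never logged on (attribute unset).
$filter = "Enabled -eq `$true -and (lastLogonTimestamp -lt $cutoffFt -or lastLogonTimestamp -notlike '*')"

# whenCreated check: a never-used account provisioned last week is not stale yet.
Get-ADUser -Filter $filter -Properties lastLogonTimestamp, whenCreated, Department |
    Where-Object { $_.whenCreated -lt $cutoff } |
    Select-Object SamAccountName, Department, whenCreated,
        @{ Name = 'LastLogonTimestampUtc'; Expression = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) }
        } } |
    Sort-Object LastLogonTimestampUtc
```

Rows with an empty LastLogonTimestampUtc are accounts that have never logged on; review them separately from accounts that were once active.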
Cross-reference logon data with application license assignments. Users who haven't logged on in months likely don't need Microsoft 365, VPN, or other per-user licenses. The logon report gives you the data to justify reallocation.
When investigating suspicious activity, logon data is often the starting point. The "Bad password attempts" and "Locked out users" reports help you quickly identify accounts that may be under attack.
Verify which users have logon scripts assigned and which don't. If your organization is migrating away from legacy logon scripts to Group Policy Preferences, this report shows you how far along you are.
AD FastReporter reports on logon attributes stored in Active Directory (lastLogon, lastLogonTimestamp, logonCount, etc.). It does not perform real-time logon event auditing — for that, you would need a tool that monitors Windows Security Event Log events (4624, 4625, etc.) on your domain controllers. AD FastReporter is designed for periodic reporting and analysis of the logon data that Active Directory already stores, which is sufficient for most compliance and housekeeping use cases.
Generate logon reports in clicks — free version available, no registration required.