KB ID 0000682 Dtd13/09/12
Active directory keeps a log of the last time a domain user has authenticated to the domain (from server 2000 onwards) , the drawback with 2000 is that this value didn’t replicate so you had to query each domain controller and cobble the results together.
After 2003 this value was replicated (after convergence,) to all domain controllers.
There are various scripts that will do this for you, but the best way of finding your users last logon time is to run ADTidy.
Run this on a domain controller and it will list your domain users, the last time they logged on, (and what DC authenticated them).
Note: If you have mobile devices (e.g. phones picking up Exchange mail) these events will be logged as well, so don’t panic if you see authentication events at odd times.
In addition this software will also let you disable/delete inactive accounts, and export the details to CSV file.
Related Articles, References, Credits, or External Links