If you're looking for the interactive logon on a given client computer, the event long on that client computer is where you need to be looking. A user who logs on with, for example, cached credentials, won't be creating entries in the event log of a domain controller. Even if you're not looking for logons with cached credentials, configuring the client computers to audit logon events and looking in the client computer's event log is going to give you the best, most accurate, and easy to locate information.


If you know the machine your user is currently logged into, try psloggedon from the Sysinternals Suite.


There is an attribute on the AD User object called Last-Logon-Timestamp. It's updated every time a user logs in, but isn't replicated more than every 14 days as it is intended to be used to search for dead accounts. It can be used as a more accurate counter if you're willing to poll each DC in the domain for this information. From that you can build a trail of when users authenticated to the domain whenever it happens, not just in the morning.


Taking the first question from your title "How to tell what time a domain user logged in" depends on what platform the user is logging into. For Windows 2000/XP/2003 event id 528 with logon type 2 will show you interactive logons from a local or domain account. LogParser is a great tool to parse the event logs from a large number of machines and supports a large number of outputs. So for example you could use the following to query the security log on a remote machine and output to a tab seperated file:

c:>logparser.exe "select TimeGenerated, SID from \\wksname\Security where EventID = 528" -i EVT -resolveSIDs:ON -q:ON -headers:off -o:TSV >> c:\UserLogons.txt

Querying events from the Security logs on Windows Vista/2008/7 is slightly different in that the log file format has changed, as well as the event ids. Event id 4624 with logon type 2 will show successful interactive logins. We can use the wevtutil to query for similar data and output it in XML format:

c:>wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events > c:\UserLogons.xml

As for seeing event id 540 appear in your Security event logs on your domain controller:

Event 540 gets logged for a few different reasons. So for example you could see event id 540 with logon type 3 when a shared resource is accessed by the server service. Here are the logon types for this event id provided by Microsoft:

2 Interactive A user logged on to this computer at the console.

3 Network A user or computer logged on to this computer from the network.

4 Batch Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.

5 Service A service was started by the Service Control Manager.

7 Unlock This workstation was unlocked.

8 NetworkCleartext A user logged on to a network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.

10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.

11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Happy hunting.