Categories
Planning

How to see previous logon information on the windows sign in screen

How to see previous logon information on the windows sign in screen

Windows 10 comes with a lot of security features to keep your account and data safe from prying eyes. You get features like your standard password protection, two-factor authentication when using a Microsoft account, and you can even use a PIN as a secondary method of authentication, which you can make very hard to crack, just to name a few.

However, even with all the security features that the operating system has to offer, if you’re sharing your PC or you’re in a place where other people may have physical access to your device, there is not an easy way to tell if someone gained access to your computer.

Fortunately, on Windows 10 using a local account, you can view if someone successfully signed in to your PC (and failed attempts), which can help to determine if you need to yell at someone for trying to access your PC without authorization and if you have to reinforce your device security.

In this Windows 10 guide, we’ll walk you through the steps to use the Local Group Policy Editor and the Registry to display the last sign-in information and failed attempts to your account since the last interactive logon.

How to display last sign-in information using Local Group Policy

If you’re running Windows 10 Pro, Enterprise, or Education, you can use the Local Group Policy Editor to quickly enable a policy to display the last sign-in information during logon.

To view the previous sign-in information and unsuccessful attempts, do the following:

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type gpedit.msc and click OK to open the Local Group Policy Editor.

Browse the following path:

Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options

On the right side, double-click the Display information about previous logons during user logon policy.

Click OK to complete the task.

At any time you can revert the changes by following the same steps, but this time on step 5, you’ll need to select the Not Configured option.

How to display last sign-in information using the Registry

In the case your computer is running Windows 10 Home, you won’t have access to the Local Group Policy Editor, but if you’re up to the challenge, you can tweak the Registry to achieve the same result.

Important: As always, this is a friendly reminder to let you know that editing the registry is risky, and it can cause irreversible damage to your installation if you don’t do it correctly. It’s recommended to make a full backup of your PC before proceeding.

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type regedit, and click OK to open the registry.

Browse the following path:

Select the System (folder) key, and right-click on the right side, select New, and click on DWORD (32-bit) Value.

Double-click the newly created DWORD and change its value from 0 to 1.

  • Close the Registry to complete the task.
  • If you’re tweaking the Registry, you can revert the changes by following the same steps, but this time on step 6 change the DWORD value from 1 to 0.

    Once you completed the steps, you can restart your computer, and when you sign back in to your local account, you’ll now see a first message about interactively signing in to your computer.

    Then during the second time and moving forward, you’ll see the previous logon information (see image above).

    Wrapping things up

    While this won’t prevent other people from trying to access your computer, now you have at least one way to review if someone broke into your local account or if anyone tried to guess your password but failed in the process.

    Keep in mind that even though we’re focusing this guide for Windows 10, displaying the previous sign-in information during logon is a feature that has been around for a long time, which means that this should also work in Windows 7 and Windows 8.1.

    More Windows 10 resources

    For more help articles, coverage, and answers on Windows 10, you can visit the following resources:

    FFXIV director Naoki Yoshida wants to work on the MMO for another 10 years

    The director and producer of Final Fantasy XIV, Naoki Yoshida, has just made a few announcements concerning future content for the Endwalker expansion and his own future involvement with the game. Read on to learn more about what Yoshida has to say.

    5 reasons why Microsoft canceling ‘Project Andromeda’ was the right choice

    Microsoft’s Project Andromeda got a full unveiling thanks to our reporting. While many fans of Microsoft lament the decision to cancel the project, there are very few reasons to believe it would have worked out. Here are five justifications for why killing the OS was a good idea.

    Join us LIVE for the Windows Central Video Podcast today at 2:30PM ET

    We’re LIVE with the Windows Central Video Podcast today at 2:30pm ET, make sure you’re there!

    Looking for great multiplayer games on PC? Check out our favorites.

    Multiplayer games are some of the best on offer for PC gamers. Here’s a look at some of the absolute best multiplayer games you can dive into on PC today.

    Walter Glenn is a former Editorial Director for How-To Geek and its sister sites. He has more than 30 years of experience in the computer industry and over 20 years as a technical writer and editor. He’s written hundreds of articles for How-To Geek and edited thousands. He’s authored or co-authored over 30 computer-related books in more than a dozen languages for publishers like Microsoft Press, O’Reilly, and Osborne/McGraw-Hill. He’s also written hundreds of white papers, articles, user manuals, and courseware over the years. Read more.

    How to see previous logon information on the windows sign in screen

    By default, most versions of Windows record an event every time a user tries to log on, whether that log on is successful or not. You can view this information by diving into the Event Viewer, but there’s also a way to add information about previous logons right on the sign in screen where you can’t miss it. To make it work, you’re going to have to dive into the Windows Registry or, if you have a Pro or Enterprise version of Windows, the Group Policy Editor. But don’t worry. The changes are pretty simple and we’ll walk you through them.

    This technique works in every version of Windows from Vista on up, but of course there are a couple of caveats. The first is that, in Windows 8 and 10, this trick only works with local accounts, not Microsoft accounts. If you have both types of accounts on one computer, you can still use this technique, but it will only display information when you sign in with a local account. The second caveat is that if you have Windows set up to log on automatically, you won’t see the extra screen with logon info.

    Home Users: Show Previous Logon Information by Editing the Registry

    If you have a Windows Home edition, you will have to edit the Windows Registry to make these changes. You can also do it this way if you have Windows Pro or Enterprise, but just feel more comfortable working in the Registry as opposed to Group Policy Editor. (If you have Pro or Enterprise, though, we recommend using the easier Group Policy Editor, as described in the next section.)

    Standard warning: Registry Editor is a powerful tool and misusing it can render your system unstable or even inoperable. This is a pretty simple hack and as long as you stick to the instructions, you shouldn’t have any problems. That said, if you’ve never worked with it before, consider reading about how to use the Registry Editor before you get started. And definitely back up the Registry (and your computer!) before making changes.

    To get started, open the Registry Editor by hitting Start and typing “regedit.” Press Enter to open Registry Editor and give it permission to make changes to your PC.

    How to see previous logon information on the windows sign in screen

    In the Registry Editor, use the left sidebar to navigate to the following key:

    How to see previous logon information on the windows sign in screen

    Next, you’re going to create a new value inside that System subkey. Right-click the System icon and choose New > DWORD (32-bit) Value. Name the new value DisplayLastLogonInfo .

    How to see previous logon information on the windows sign in screen

    Next, double-click the new DisplayLastLogonInfo value to open its properties window. Change the value from 0 to 1 in the “Value data” box and then click OK.

    How to see previous logon information on the windows sign in screen

    You can now close the Registry Editor. The next time you sign in to Windows, after entering your password, you will see a display that shows you the last successful logon and any unsuccessful logon attempts. You’ll have to click OK to finish signing into Windows.

    How to see previous logon information on the windows sign in screen

    If you want to reverse these changes, all you have to do is return to the Registry Editor and change the DisplayLastLogonInfo value from 1 back to 0.

    Download Our One-Click Registry Hack

    How to see previous logon information on the windows sign in screen

    If you don’t feel like diving into the Registry yourself, we’ve created two downloadable registry hacks you can use. One hack shows the previous logon info on the sign in screen and the other removes that info, restoring the default setting. Both are included in the following ZIP file. Double-click the one you want to use, click through the prompts, and then restart your computer.

    These hacks are really just the System key, stripped down to the two values we described above, and then exported to a .REG file. Running the “Show Last Logon Info at Sign In” hack changes the DisplayLastLogonInfo value to 1. Running the “Remove Last Logon Info at Sign In Personal Info at Logon” hack sets the value back to 0. And if you enjoy fiddling with the Registry, it’s worth taking the time to learn how to make your own Registry hacks.

    Pro and Enterprise Users: Show Previous Logon Information with the Local Group Policy Editor

    If you’re using Windows 10 Pro or Enterprise, the easiest way to show previous logon information at sign in is by using the Local Group Policy Editor. It’s a pretty powerful tool, so if you’ve never used it before, it’s worth taking some time to learn what it can do. Also, if you’re on a company network, do everyone a favor and check with your admin first. If your work computer is part of a domain, it’s also likely that it’s part of a domain group policy that will supersede the local group policy, anyway.

    In Windows 10 Pro or Enterprise, hit Start, type gpedit.msc, and press Enter.

    How to see previous logon information on the windows sign in screen

    In the Local Group Policy Editor, in the left-hand pane, drill down to Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options. On the right, find the “Display information about previous logons during user logon” item and double-click it.

    How to see previous logon information on the windows sign in screen

    In the properties window that opens, select the Enabled option and then click OK.

    How to see previous logon information on the windows sign in screen

    Exit the Local Group Policy Editor and restart your computer (or sign out and back in) to test the changes. If at any time you want to remove the logon information from the sign in screen again, just follow the same procedure and set that option back to disabled.

    And that’s it. If you’re using any version of Windows from Vista through 10 (remember, local accounts only in Windows 8 and 10), you can have Windows display previous logon information whenever a user signs in. At the very least, knowing whether or not other people have tried logging onto your user account is good information to have. And putting that information right on the sign in screen makes it hard to miss.

    This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

    • Forums home
    • Browse forums users
    • FAQ

    Asked by:

    Question

    I am in charge of Active Directory in my company. I have a main DC computer running on WindowsServer2012R2, and a group of windows computers, between Windows10 and Windows2012R2 that are joined to the domain defined in the DC. There is a GPO in the DC that sets the “Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options
    Display information about previous logons during user logon = ENABLED “

    So every time the other window comps are restarted, they get this policy from the DC and it sets a key in the registry, DisplayLastLogonInfo = 1. Because of this, no domain user can login to the computer, only local users can login. As local admin user, I go and set DisplayLastLogonInfo=0 then domain users can login. But then we lose the option to see the information from last user login. And well, if the computer gets restarted, again I have to do the same trick of setting DisplayLastLogonInfo=0…

    We’ve had the option for “Display information about previous logons during user logon = ENABLED” for the last 2 years already, started on WindowsServer2008R2 and Windows7; then a year ago we updated to WindowsServer2012R2 and Windows10. The policy worked fine…until lately, last 2 months approximately, suddenly it started to show this behavior.

    When I searched on the internet I see as solution to Disable this policy and/or set DisplayLastLogonInfo=1…but then we lose the option to display the last login info, and that is required by my company.

    What can I do to have both, the option to display last login information AND have all our domain users be able to login?

    Windows has a useful feature that allows to display the information about the last interactive sign-in attempt directly on Windows Welcome screen. It looks like this: each time when a user types the password to logon into the system, the information about the date and time of the last successful or failed login attempt appears (as well as the number of failed logon attempts). If a wrong password is entered when trying to sign in to the system (e. g., in case of an unauthorized access attempt), during the next system startup, the user will see a notification of a failed logon attempt.

    In this article, we’ll consider how to display the information about the last interactive logon on the Windows Welcome screen. This feature is available in all Windows OSs, starting from Windows Vista, and to operate on the domain level it requires the functional domain level of Windows Server 2008 or later. In this version the Active Directory schema has got a number of new user attributes containing the information about the interactive logon attempts.

    1. msDS-FailedInteractiveLogonCount is the number of failed sign-in attempts after the policy of collecting data has been enabled
    2. msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon is the number of the failed interactive sign-in attempts since the last successful logon
    3. msDS-LastFailedInteractiveLogonTime is the time of the last failed logon attempt
    4. msDS-LastSuccessfulInteractiveLogonTime is the time of the last successful attempt to log on to the workstation

    The attributes specified above, unlike to the well-known attributes such as lastLogon, lastLogontimeStamp, badPasswordTime and badPwdCount (appeared in Windows 2000), are replicated among all domain controllers.

    You can enable the display of the information about the previous attempts to log in to the system using the group policy. To do this, open the local Group Policy Management Editor gpedit.msc (if you need to enable this feature on this computer for a local account) or gpmc.msc (to create or modify a domain policy) and go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Logon Options. We need Display information about previous logons during user logon policy.

    To enable this policy, change its value to Enabled and save the changes.

    How to see previous logon information on the windows sign in screen

    The policy will be enabled on all computers running Windows Vista or later. Windows XP and Windows Server 2003 ignore this policy.

    Now you only have to apply this policy to a target computer.

    • If a local policy is used, you’ll only have to run gpupdate /force and log in to the system again (the policy is applied only to the local accounts).
    • If the domain GPO is used, this policy should be firstly applied to all domain controllers. After its replication is completed and applied to all DCs, you can assign the policy to a certain Active Directory container.

    At the next logon after the password of the account is entered, the following notification appears:
    Successful sign-in. The last time you interactively signed in to this account was: …
    Unsuccessful sign-in. There have been no unsuccessful interactive sign-in attempts with this account since your last interactive sign-in

    How to see previous logon information on the windows sign in screen

    To continue logon, the user has to click OK (or press Enter).

    On the local PCs without the Group Policy Management Editor (Windows Home Editions), this feature can be enabled in the Registry Editor. To do it:

    1. Run regedit.exe
    2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    3. Edit (or if there is no such parameter, create it) the DWORD parameter DisplayLastLogonInfo
    4. To enable the display of the information about the last logon, enter 1. To disable this feature, enter 0.

    The feature of monitoring the last interactive logon is convenient to detect attempts of the password attack on the Active Directory, as well as meeting regulatory requirements and auditing by monitoring the source and time of the attempt to access the user account.

    KB ID 0000460В

    Problem

    By default Windows will display the last user that successfully logged on, on shared machines or in a secure domain environment you might not want this..

    How to see previous logon information on the windows sign in screen

    Solution

    On a Single (stand alone) machine.

    1. Click start and in the run/search box type gpedit.msc

    2. Navigate to > Computer Configuration > Windows settings > Security Settings > Local Policies > Security Options > “Interactive Logon: Do not display last user name”.

    How to see previous logon information on the windows sign in screen

    3. Simply enable the policy.

    How to see previous logon information on the windows sign in screen

    4. Reboot the PC or run gpupdate /force.

    In a Windows Domain Environment

    Note: This procedure was carried out Server 2008 R2.

    1. On one of your domain controllers > Start > Administrative Tools > Group Policy Management Console > Either select and existing policy or create and link one to the COMPUTERS you want this policy to affect. Then edit the policy.

    2. Navigate to > Computer Configuration > Policies > Windows settings > Security Settings > Local Policies > Security Options > “Interactive Logon: Do not display last user name”.

    How to see previous logon information on the windows sign in screen

    3. Tick to define the policy, and set it to enabled.

    If you are security conscious, you may want to hide or remove the last username of the last logged in users. In this post, we will see how to activate the Do not display last username setting in Windows 10/8/7 login screen, using Group Policy and Registry Editor.

    Do not display last username in Logon Screen

    1] Using Group Policy

    Type secpol.msc in Windows Start Search and hit Enter. This will open the Local Security Policy Editor. Navigate to Security Settings > Local Policies > Security Options.

    How to see previous logon information on the windows sign in screen

    Now on the right-hand side, look for Interactive Logon: Do not display last username. Right-click on it and open its Properties. Set it to Enabled > Apply.

    This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box. If this policy is disabled, the name of the last user to log on is displayed.

    2] Using Registry Editor

    Secpol.msc is available only in Windows Ultimate, Pro and Business.

    However, secpol is basically just a GUI for the registry settings found in the registry at:

    Users of other versions of Windows may do the following. Open regedit and navigate to this key mentioned above.

    Right click > dontdisplaylastusername > Modify > Value Data > 1 > OK.

    This should do the job.

    Best to always create a System Restore point before working in the registry.

    In this post, You will learn the steps to Do Not Display Last Signed In user name using Intune, aka Endpoint Manager. This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer’s respective Windows logon screen.

    By default, the sign-in screen will show the names of added accounts for a user to select their account and provide their sign-in credentials. Before Windows 10 version 1703, this policy setting was named Interactive logon: Do not display last user name. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.

    Why do you not display the last signed-in user name on devices? It could be the possibility that an attacker with access to the console (for example, someone with physical access or someone who can connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on.

    • Enable Interactive Logon CTRL ALT DEL Using Intune
    • Hide Change Account Settings Using Intune
    • Remove Microsoft Teams Chat Icon From Taskbar Using Intune

    Do Not Display Last Signed In User Name Using Intune

    Let’s follow the below steps to Do Not Display Last Signed In User Name using Intune –

    • Sign in to the https://endpoint.microsoft.com/
    • Select Devices >Windows >Configuration profiles >Create profile

    In Create Profile, Select Platform, Windows 10, and later and Profile, Select Profile Type as Settings catalog. Click on Create button.

    On the Basics tab, enter a descriptive name, such as Do Not Display Last Signed In User Name. Optionally, enter a Description for the policy, then select Next.

    In Configuration settings, click Add settings.

    On the Settings Picker windows, Select Local Policies Security Options to see all the settings in this category. Select Do Not Display Last Signed In below. After adding your settings, click the cross mark at the right-hand corner to close the settings picker

    The setting is shown and configured with a default value Disabled. Set Do Not Display Last Signed In to Enabled. Click Next.

    Interactive Logon Do Not Display Last Signed In – This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be displayed. If this policy is disabled, the username will be shown.

    Under Assignments, In Included groups, click Add groups and then choose Select groups to include one or more groups. Click Next to continue.

    In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.
    In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

    A notification will appear automatically in the top right-hand corner with a message. Here you can see, Policy ” Do Not Display Last Signed In User Name” created successfully. The policy is also shown in the Configuration profiles list.

    Your groups will receive your profile settings when the devices check-in with the Intune service. Once the policy applies to the devices, Windows sign-in screen will not show the username of the last person who signed in on the device. The name of the last user to successfully log on will not be displayed in the Windows logon screen.

    Author

    About Author -> Jitesh has over 5 years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

    How to view users logon activity in Windows? Do you need to know the time of the last login? In this tutorial we’ll show you how to deploy a GPO in Windows to display information about previous logons during user logon. This feature works on all computers running Windows 10/8/7, Windows Server2008 or later.

    Method 1: Show Previous Logon Information with Group Policy Editor

      Press the Windows key + R to open the Run command box. Type gpedit.msc and press Enter.

    How to see previous logon information on the windows sign in screen

    In the Local Group Policy Editor, drill down to Computer Configuration >Administrative Templates >Windows Components >Windows Logon Options.

    On the right panel, find the “Display information about previous logons during user logon” policy and double-click it.
    Select the Enabled option. Click OK and restart your computer.

    The next time you log into Windows, after entering your password, you will see the following screen that shows you the time of last successful logon and unsuccessful logon attempts. Click OK and it takes you to the desktop.

    How to see previous logon information on the windows sign in screen

    Method 2: Show Previous Logon Information with Registry Hack

    If you have a Windows Home edition, you need to use the following registry hack to enable the “Display information about previous logons during user logon” policy on your computer.

      Press the Windows key + R to open the Run box. Type regedit and press Enter.

    How to see previous logon information on the windows sign in screen

  • When the Registry Editor opens, navigate to the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Look for the REG_DWORD value DisplayLastLogonInfo in the right panel. If it doesn’t exist, right-click the empty space and choose New >DWORD (32-bit) Value. Name the new value DisplayLastLogonInfo.
  • Double-click DisplayLastLogonInfo and then change the value from 0 to 1. Click OK. (If you don’t want Windows to show previous logon information after sign-in, just change the DisplayLastLogonInfo value back to 0)

  • Close Registry Editor and restart your computer. The next time you log into your Windows account it will display last interactive logon information on the welcome screen.
  • The login screen is the first thing you see each time you start your Windows 10 computer, so you may want to customize it.

    You can set it to show a picture from your photo library, a stock photo selected by Windows, or choose a set of photos to use as a slideshow.

    There’s only one caveat: In order to customize the Windows 10 login screen, you need to make it the same as the lock screen. You can’t configure them separately. This means, however, that if you’re looking to change the sign-in screen, you can just follow the same directions.

    Check out the products mentioned in this article:

    Windows 10 (From 134.99 at Best Buy)

    Lenovo IdeaPad (From 299.99 at Best Buy)

    How to change the Windows 10 login screen

    1. Click the Start button and then click the Settings icon (which looks like a gear).

    2. Click “Personalization.”

    3. On the left side of the Personalization window, click “Lock screen.”

    4. In the Background section, choose the kind of background you want to see. You can choose Windows Spotlight (Windows will choose a stock photo), Picture (you choose a photo from your photo library), or Slideshow (you choose a folder that contains the photos you want to see rotate through the login screen).

    5. Turn on “Show lock screen background picture on the sign-in screen” by sliding its button to the right.

    In Windows 10 you can no longer change the last logged on user in the registry like you could in Windows 7. Windows 10 requires the user’s SID to be entered as well. Here’s an updated guide.

    In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI , you’ll want to change 4 entries:

    • LastLoggedOnDisplayName
      • Enter the user’s full name, like Allan Jude
    • LastLoggedOnSAMUser
      • Enter the username, like SHORTDOMAIN\allan.jude
    • LastLoggedOnUser
      • Enter the username again, like SHORTDOMAIN\allan.jude
    • LastLoggedOnUserSID
      • Enter the user’s SID, like S-1-5-21-112783954-3472839473-6329827380-1437
      • You can find the exact SID with wmic useraccount where name=’allan.jude’ get sid
      • Or you can search through the list of all users with wmic useraccount , and pipe it into Windows’s version of grep, which I find easier to remember: wmic useraccount | findstr allan

    Now you can log out, and you should be good to leave the workstation for the user.

    thefreakquency commented Sep 25, 2017

    You could use the following in a Powershell script if needed:

    write-host “[INFO] Changing the last logged on user: ” $USER = ‘DOMAIN\USER’ #change this variable with the target information $USERDISPLAY = ‘Full User Name’ #change this variable with the target information $USERSID = (New-Object System.Security.Principal.NTAccount($USER)).Translate([System.Security.Principal.SecurityIdentifier]).value write-host “[INFO] Changing LastLoggedOnDisplayName registry key -> ” -NoNewline reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI” /v LastLoggedOnDisplayName /t REG_SZ /d $USERDISPLAY /f write-host “[INFO] Changing LastLoggedOnSAMUser registry key -> ” -NoNewline reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI” /v LastLoggedOnSAMUser /t REG_SZ /d $USER /f write-host “[INFO] Changing LastLoggedOnUser registry key -> ” -NoNewline reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI” /v LastLoggedOnUser /t REG_SZ /d $USER /f write-host “[INFO] Changing LastLoggedOnUserSID registry key -> ” -NoNewline reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI” /v LastLoggedOnUserSID /t REG_SZ /d $USERSID /f

    This could be ran at each user log-out if you need to default to a single user on a given machine.

    We show you how to enable the ‘Do Not Display Last User Name’ Policy to increase security on the sign-in screen.

    Windows 10 brings plenty of upgrades to the sign-in experience, but it also comes with some annoyances. One of them is its insistence on showing the user who last signed-in. This can be an issue in some environments where security is important, but you can enforce a ‘Do not display last user name’ policy to remedy this.

    Enabling the policy will prevent the full name of the last user from displaying on the sign-in screen. Instead, it will just display “Other user” at startup, making it harder for someone to guess the credentials.

    If the computer has been signed into and recently locked or restarted, it will instead show the currently active user and a ‘Switch user’ button in the bottom left corner, rather than a username and profile picture. With that explained, let’s jump into how to enable the ‘Do not Display last signed-in user name’ policy in Windows 10:

    How to Enable ‘Do Not Display Last Signed-In User Name’ via Local Security Policy

    As with most methods, there’s a user-friendly and non-user-friendly way of doing things. The most UI-heavy method is the Local Security Policy app, which we’ll cover first.

      Open Local Security Policy

    Press “Windows + R”, type “secpol.msc”, and press “OK” to open the Local Security Policy app.

    Navigate to the “Interactive Login: Don’t display last signed-in” policy

    In the left sidebar, navigate to “Local Policies > Security Options”. In the main pane, double-click “Interactive logon: Don’t display last signed-in”.

    Switch “Interactive Logon: Do not display last username” to “Enabled”

    Press “OK” when you’re finished.

    Read the Explainer

    Switch to the “Explain” tab if you’d like more information on the behavior of the sign-in/log-in screen in different scenarios. Enabling the policy disables the username display while disabling it shows the username.

    How to Enable ‘Interactive Logon: Do Not Display Last User Name’ via Registry Editor

    If you don’t have access the the Local Security Policy editor, which may be the case for Windows 10 Home users, you can edit your registry for the same effect.

      Open the Registry Editor

    Press “Windows + R” and type “regedit”. Click “OK”.

    Navigate to the system policies key and edit the “dontdisplaylastusername” DWORD

    In the search bar, paste: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System .

    Double-click the “dontdisplaylastusername” DWORD to edit it, setting it to “0” to turn off the last user name or “1” to keep them on.

    The first step in tracking logon and logoff events is to enable auditing. You can tell Windows the specific set of changes you want to monitor so that only these events are recorded in the security log.

    To check user login history in Active Directory, enable auditing by following the steps below:

    • 1 Run gpmc.msc (Group Policy Management Console).
    • 2 Create a new GPO.
    • 3 Click Edit and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. Under Audit Policies, you’ll find specific settings for Logon/logoff and Account Logon.
    Logon/logoff:
    • Audit Logon > Define > Success and Failure.
    • Audit Logoff > Define > Success.
    • Audit Other Logon/Logoff Events > Define > Success.
    Account Logon:
    • Audit Kerberos Authentication Service > Define > Success and Failure.
  • 4 To link the new GPO to your domain, right-click . Select Link an Existing GPO and choose the GPO that you created.
  • By default, Windows updates Group Policy every 90 minutes; if you want the changes to be reflected immediately, you can force a background update of all Group Policy settings by executing the following command in the Windows Command Prompt:

    Now, when any user logs on or off, the information will be recorded as an event in the Windows security log.

    To view the events, open Event Viewer and navigate to Windows Logs > Security. Here you’ll find details of all events that you’ve enabled auditing for. You can define the size of the security log here, as well as choose to overwrite older events so that recent events are recorded when the log is full.

    Understanding event IDs associated with logon and logoff activity.

    Event ID 4624 – An account was successfully logged on.

    This event records every successful attempt to log on to the local computer. It includes critical information about the logon type (e.g. interactive, batch, network, or service), SID, username, network information, and more. Monitoring this particular event is crucial as the information regarding logon type is not found in DCs.

    Event ID 4634 – An account was logged off.

    This event signals the end of a logon session.

    Event ID 4647 – User initiated logoff.

    This event, like event 4634, signals that a user has logged off; however, this particular event indicates that the logon was interactive or RemoteInteractive (remote desktop).

    Event ID 4625 – An account failed to log on.

    This event documents every failed attempt to log on to the local computer, including information on why the logon failed (bad username, expired password, expired account, etc.) which is useful for security audits.

    All the event IDs mentioned above have to be collected from individual machines. If you’re not concerned with the type of logon or when users log off, you can simply track the following event IDs from your DCs to find users’ logon history.

    Event ID 4768 – A Kerberos authentication ticket (TGT) was requested.

    This event is generated when the DC grants an authentication ticket (TGT). That means a user has entered the correct username and password, and their account passed status and restriction checks. If the ticket request fails (account is disabled, expired, or locked; attempt is outside of logon hours; etc.), then this event is logged as a failed logon attempt.

    Event ID 4771 – Kerberos pre-authentication failed.

    This event means that the ticket request failed, so this event can be considered a logon failure.

    You probably noticed that logon and logoff activity are denoted by different event IDs. To tie these events together, you need a common identifier.

    The logon ID is a number (unique between reboots) that identifies the most recently initiated logon session. Any subsequent activity is reported with this ID. By associating logon and logoff events with the same logon ID, you can calculate the logon duration.

    Limitations of native auditing tools.

    • All local logon and logoff-related events are only recorded in the security log of individual computers (workstations or Windows servers) and not on the domain controllers (DCs).
    • Logon events recorded on DCs do not hold information sufficient to distinguish between the various logon types, namely, Interactive, Remote Interactive, Network, Batch, Service, etc.
    • Logoff events are not recorded on DCs. This information is vital in determining the logon duration of a particular user.

    This means you have to collect information from DCs as well as workstations and other Windows servers to get a complete overview of all logon and logoff activity within your environment. The process is painstaking and could quickly get frustrating.

    An easier way to audit logon activity.

    So, what if there was an easier way to audit logon activity? A tool like ADAudit Plus audits specific logon events as well as current and past logon activity to provide a list of all logon-related changes.

    With ADAudit Plus, you can instantly view reports on
    • User logon history
    • Domain controller logon history
    • Windows server logon history
    • Workstation logon history

    This information is provided on an easily understandable web interface that displays statistical information through charts, graphs, and a list view of canned and customized reports.

    System administrators use the computers’ last logon by users report to check for unauthorized logons to their organization’s Active Directory. In the event of a cyber attack, having a report of the users’ last logon time on a workstation can accelerate forensic analysis and contain the damage.

    The following is a comparison to obtain a user’s last logon on a workstation using native auditing and ManageEngine’s ADAudit Plus, a comprehensive real-time Active Directory auditing solution.

    Download for FREE Free, fully functional 30-day trial

    With Native AD Auditing

    With ADAudit Plus

    Using ManageEngine’s ADAudit Plus to obtain a user’s last logon on a workstation:

    Login to ADAudit Plus web console as an administrator.

    Navigate to the Reports tab and from the User Logon Reports section in the left pane, select Last Logon on Workstations.

    In the top right corner, select the Domain from the drop down list and click Generate.

    Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

    Following are the limitations to obtain a report of a user’s last logon on a computer using native tools like Windows PowerShell:

    The script can be executed only from the computers which has Active Directory Domain Services role and auditing needs to be turned on on each computer.

    It’s difficult to change date formats, and apply different time zones on the date results.

    To obtain the report in a different file format, the script must be modified accordingly which is a time-consuming and redundant process.

    Applying more filters like OU or ‘User name starts with’ will increase the LDAP query complexity.

    ADAudit Plus will generate the report of last logon of users in a particular workstation and display it in a simple and intuitively designed UI.

    Using native auditing to find a user’s last logon time on a workstation:

    Step 1: Open Active Directory Users and Computers and make sure Advanced features is turned on.

    Step 2: Browse and open the user account.

    Step 3: Click on Attribute Editor.

    Step 4: Scroll down to view the last Logon time.

    If you have multiple domain controllers, you will need to check this value on each one to find the most recent time.

    Native auditing becoming a little too much?

    Simplify Active Directory auditing and reporting with ADAudit Plus.

    Get Your Free Trial Fully functional 30-day trial

    These instructions apply only to staff computers. IT station and classroom computers can be logged in with only one username at a time.

    Typically, staff computers are used by only one user. Windows computers remember the most recent user but, in addition, a temporary login, i.e. switching the user temporarily, can be performed in staff computers.

    These instructions describe logging in and out and switching users in staff computers.

    Separate instructions for operating systems:

    Table of contents

    • Windows 10
    • Mac

    Windows 10

    Sign in

    How to see previous logon information on the windows sign in screen

    • Press Ctrl-, Alt- and Delete.
    • If you can see your account name in the screen:
      • Write to Password field your password.
      • Click Arrow or press Enter.
    • If you see other account name in the screen:
      • Click Switch User.
      • Choose Other User

    How to see previous logon information on the windows sign in screen

    • Write to User name field your user name (for example rkeskiva).
    • Write your password to the Password field.
    • Click Arrow or press Enter.

    Logging out

    • When you want to log out click Start (1) Person icon (2) and choose Sign out (3).

    You have been logged out from the system.

    You can switch users temporarily on centrally maintained Mac computers.

      Click the human figure in the top bar and select Login window. in the opening menu.

    How to see previous logon information on the windows sign in screen

  • In the login page from the top bar you can also see which usernames are logged in (see above image).
  • You are directed to the login page where you can enter the credentials of another user. Finally, click Enter.

    Using ‘Net user’ command we can find the last login time of a user. The exact command is given below.

    Example:
    To find the last login time of the computer administrator

    For a domain user, the command would be as below.

    How to find the last user logged into the machine?
    IS there any way to find this from command line?

    function Get-ADUserLastLogon([string]$userName)
    <
    $dcs = Get-ADDomainController -Filter
    $time = 0
    foreach($dc in $dcs)
    <
    $hostname = $dc.HostName
    $user = Get-ADUser $userName | Get-ADObject -Properties lastLogon
    if($user.LastLogon -gt $time)
    <
    $time = $user.LastLogon
    >
    >
    $dt = [DateTime]::FromFileTime($time)
    Write-Host $username “last logged on at:” $dt >

    Get-ADUserLastLogon -UserName XXXXX

    I think from event log we can find the last logged in user name. I do not know of any way to know this from command line.

    I run CMD with Admin right. But I receive MSG: “FINDSTR: Can not open logon”?

    May you explain me?

    I think you have executed something like below
    net user administrator | findstr /B /C:Last logon
    You may have missed double quotes around ‘Last Logon’. Run the command “net user administrator | findstr /B /C:”Last logon”. It would print the last login time.

    what command to use if we want to see last 5 logons ??

    You can also see it by typing this in cmd (Command Prompt):

    net user(press enter key)

    then again type
    net user xxx

    xxx- name of username you obtained from first command of net user

    I think net user xxx will only show the last time the user “logged on”, which will not be reflected in a restart of Windows if you have the account set to not require a password logon initially. This date and time will only be accurate if the user had to actually put in a password and “log on”.

    I think a better alternative is

    This will show the date and time the user account logged on, and will reflect any restart of Windows that bypassed the login process.

    C:>quser Jeffrey
    USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
    >jeffrey console 2 Active none 1/16/2016 11:20 AM

    quser worked perfectly!! I was having trouble with “net user” on my work computer because of how the network is configured (I don’t have admin rights) but quser worked!

    How can I use this to show more than one value. In example if may wanted to show User name and Password last set. Thanks!

    Is there a way to run this command on an OU in AD so that I could export a list of users in said OU with their last log on dates?

    ‘net’ is not recognized as an internal or extarnal command,operable program or batch file

    this is occur what can i do for it..

    Is there a way in CMD to get last 3

    6 user logon with date & time or duration & save it in text file. I have a hard time to find a culprit student who love to sabotage my labs keyboard button.

    QUser cblackburn was what I needed thank you. Is there a different command that will show me the last time I locked or unlocked the machine which would still be more recent. I know this is in the event viewer, but it’s a mess.

    Works perfectly for local users on Server 2008 R2

    what command to use if we want to see last 10 logons ??

    How can one find the last time a user logged into a machine?
    IS there any way to find this from command line?

    kumar’s answer does not work for A user, on A machine. It provides when the user logged into some computer on the domain.

    This only works for local accounts.

    Did you try the /DOMAIN switch after the logon name?

    which command ?? to see which last user has used the following machine xxx.

    this needs to be updated for Windows 10, since users often logon with PIN or face. There should be another different cmd to display the last “logon” from that. People don’t typically logon with a password any more. It’s mostly with PIN or face.

    For 1809 and upper builds this solution not work 100%
    CMD was return nothing.

    How can change the cmd to obtain this for all local users at once.
    So I would not have to retype this cmd for every single user.

    SETLOCAL EnableDelayedExpansion
    FOR /D %%A in (“c:\Users\*”) DO (
    set “userProfile=%%

    nxA”
    net user !userProfile! /domain | findstr /C:”Last logon”
    )

    Find won’t work if the output is localized

    net user john /domain | findstr /C:”Last logon”

    This may not give a logon date if you have multiple domain controllers. For example newer domain controllers may not have a logon date for a user.

    How to see previous logon information on the windows sign in screen

    If you’re a Windows 10 user, you know the logon screen displays your username, account photo, and email address. For better security here’s how to hide it.

    If you’re a Windows 10 user, you know the logon screen displays your username, account photo, and email address. Whether you’re using a Microsoft account or creating a local account, the information displayed makes it easier to log into your system.

    How to see previous logon information on the windows sign in screen

    When you reach the login screen in Windows 10, your photo, email, and name appear on it.

    However, if you want a more secure system, especially on shared PCs, one thing you can do is hide that data. Hiding that data makes it much harder for another person to gain access to your data. Currently, Windows 10 doesn’t have a way to do it in its native settings. But you can hide the data by using Group Policy in Windows 10 Pro or a registry hack in the Home version.

    Use Group Policy in Windows 10 Pro or Enterprise

    Launch Group Policy and head to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Then double-click on Interactive Logon: Display user information when the session is locked.

    How to see previous logon information on the windows sign in screen

    Then under the Local Security Setting tab, change the dropdown to Do not display user information and click Apply.

    How to see previous logon information on the windows sign in screen

    Next, in the same section, double-click on Interactive logon: Do not display last user name. Then under the Local Security Setting tab, set it to Enabled and click Apply.

    How to see previous logon information on the windows sign in screen

    Hide Username and Email from Login Screen Windows 10 Home

    Group Policy isn’t available in Home versions of Windows, but you can still do this with a registry hack.

    Important! Tweaking the registry isn’t for the faint of heart. If you do something wrong, you could mess up your computer and make it unstable. Before making any changes to the registry, make sure to back it up, or for something more user-friendly, create a Restore Point first.

    Click the Start button and type: regedit and hit Enter or select the registry editor from the search results.

    How to see previous logon information on the windows sign in screen

    Now head to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Then double-click on the dontdisplaylastusername entry and change the value from 0 to 1 and click OK.

    How to see previous logon information on the windows sign in screen

    Next, in the right panel, create a new DWORD 32-bit value and give it the name DontDisplayLockedUserID and make the value data of 3.

    How to see previous logon information on the windows sign in screen

    After you’re done, close out of Registry Editor and restart your computer. Now, instead of seeing your photo, email, and name on the login screen, you’ll see that your photo is now a generic logo. In addition, your name has been replaced by “Unlock the PC,” and you’ll need to type in your email address and then your password.

    It’s also worth noting that if you’ve added other users to your computer, those accounts will no longer be displayed in the lower-left corner either. Instead, each person will have to log in to their respective accounts manually.

    A recent update to Microsoft Office has caused a login pop-up to appear in Microsoft Office. Whether you hit cancel or log in, the prompt returns

    How to see previous logon information on the windows sign in screen

    Step-by-step guide

    If you continue to receive the pop-up message, please follow the procedure below to get rid of the message.

    1. Turn off Cache Exchange Mode
      1. In Outlook click on File, Account Settings→ Account Settings
      2. Select your name and click Change
      3. If there is a check mark beside Use Cached Exchange Mode, remove it and click Next
      4. You might get a warning telling you that you need to restart Outlook for the changes to take effect. Click OK
      5. Click finish and Close to close the Account Settings window
    2. Close Outlook
    3. Open Microsoft Word
    4. Click on File → Account
    5. In the main window, under User Information click on the Sign out link
    6. Confirm you want to sign out
    7. If the screen refreshes but you still see a Sign out link, repeat the steps
    8. Once you are signed out, close Word
    9. Wait 5 seconds
    10. Open Word
    11. If you are prompted to sign in, you will sign in with your RRU Office 365 account ([email protected]) and then enter your RRU password
      (If you do not see the prompt, open a blank document then click on File → Account and press Sign in under User Information)
    12. If you get no error, close Word
    13. Wait 5 seconds
    14. Open Outlook
    15. You should not be prompted again however in some cases you will see the box pop up again for every shared mailbox you are connected to. If this happens, then when prompted to log in
      1. Please make sure the option for “Remember my credentials” is checked off
      2. Make sure the username is is your Microsoft Office 365 username ([email protected]) and enter your RRU password.
        How to see previous logon information on the windows sign in screen
      3. Click OK
    16. Repeat for every shared mailbox you have

    You should get NO further prompts. If you do, please contact Computer Services to let us know and we will investigate further.

    Contact Computer Services for assistance

    As always, should you need further assistance, please contact Computer Services by phone, email or Online Request Form

    Finding PowerShell Last Logon by User Logon Event ID

    How to see previous logon information on the windows sign in screen

    Adam Bertram

    Read more posts by this author.

    There are many fancy tools out there to monitor user login activity. What if I told you, you didn’t need to spend any money by building a PowerShell last logon and history script? You can find the last logon date and even the user logon event ID with the Windows event log and a little PowerShell!

    In this article, you’re going to learn how to build a user activity PowerShell script. This script will pull information from the Windows event log for a local computer and provide a detailed report on user login activity.

    Table of Contents

    Prerequisites

    If you’re in an AD environment be sure you:

    • are on a domain-joined Windows 10 PC
    • are logged in with an account that can read domain controller event logs
    • have permission to modify domain GPOs

    Audit policies to enable login auditing will be set via GPO in this article. But you can use local policies instead.

    Enabling Audit Policies

    To ensure the event log on the computer records user logins, you must first enable some audit policies. In this article, you’ll learn how to set these policies via GPO. But if you don’t have AD, you can also set these same policies via local policy.

    To report on the time users have been logged in, you’ll first need to enable three advanced audit policies.

    • Audit Logoff – When a user is logged off.
    • Audit Logon – When a user authenticates to Windows
    • Audit Other Logon/Logoff Events – Computer lock, unlocks, RDP connects and disconnects

    Enabling all of these audit policies ensures you capture all possible activity start and stop times.

    When you enable these audit policies on a local PC, the following user logon time event IDs (and logoff IDs) will begin to be recorded in the Windows event logs to enable finding via PowerShell last logon events. Each of these events represents a user activity start and stop time.

    • Logon – 4624
    • Logoff – 4647
    • Startup – 6005
    • RDP Session Reconnect – 4778
    • RDP Session Disconnect – 4779
    • Locked – 4800
    • Unlocked – 4801

    You can see an example below of modifying the Default Domain Policy GPO. You’d modify this GPO if enabling these policies on all domain-joined PCs. You may also create your own auditing policy GPO and assign it to various OUs as well.

    Understanding User Logon Sessions and PowerShell Last Logon

    Once all of the appropriate events are being generated, you’ve now got to define user login sessions. I’m calling a user session as the total time between when the user begins working and stops; that’s it. To build an accurate report, the script must match up the start and end times to understand these PowerShell last logon sessions.

    The concept of a logon session is important because there might be more than one user logging onto a computer. To match up start/stop times with a particular user account, you can use the Logon ID field for each event.

    To figure out the start and stop times of a login session, the script finds a session start time and looks back through the event log for the next session stop time with the same Logon ID. Once that event is found (the stop event), the script then knows the user’s total session time.

    You can see an example of an event viewer user logon event id (and logoff) with the same Logon ID below.

    In this example, the LAB\Administrator account had logged in (ID 4624) on 8/27/2015 at 5:28PM with a Logon ID of 0x146FF6. By searching earlier in the event log, a session end event (ID 4634) was found with the same Logon ID at 5:30PM on the same day. By now knowing the start time and stop time for this particular login session, you can then deduce that the LAB\Administrator account had been logged on for three minutes or so.

    The User Login History Script

    Once the policies are enabled and you understand the concept of a login session, you can then start writing some PowerShell to find PowerShell last logon events.

    Rather than going over this script line by line, it is provided in its entirety below. You can also download it from this GitHub repo.

    In summary, the script below:

    1. Defines all of the important start and stop event ID necessary for PowerShell last logon events.
    2. Creates an XPath query to find appropriate events.
    3. Queries each computer using XPath event log query.
    4. Finds the start event IDs and attempts to match them up to stop event IDs.
    5. Outputs start/end times with other information.

    Note: This script may need some tweaks to work 100% correctly. Please issue a GitHub pull request if you notice problems and would like to fix them.

    More from Adam The Automator & Friends

      How to see previous logon information on the windows sign in screen

    Get this interactive comic book to learn how Veeam and AWS can help you fight ransomware, data sprawl, rising cloud costs, unforeseen data loss and make you a hero!

    How to see previous logon information on the windows sign in screen

    ATA is known for its high-quality written tutorials in the form of blog posts. Support ATA with ATA Guidebook PDF eBooks available offline and with no ads!

    How to see previous logon information on the windows sign in screen

    Check out all of the ATA recommended resources!

    The Rite Group is an IT service provider.

    So when user A) logs in they will get a prompt that would display something like below

    Unsuccessful Logins since Last login: 2
    Last Successful Login: 5/20/2014 3:33 PM

    Follow the steps here:

    This will give the user a message when they logon about the last time they logged on, and the last failed logon attempt (if any).

    Even better, there will be four (4) new directory attributes populated with logon information that you can query.

    This works on Windows 7 clients. Read the article concerning other clients you may have.

    • Show off your IT IQ. Take the Challenge »
    • What are the best practices for moving from on premise AD to the Cl.
    • Changing Domain name w/ AD connect and Microsoft 365
    • Enable LDAP over SSL/TLS in AD WITHOUT installing AD Certificate Se.
    • ROM
    • CPU
    • RAM
    • GPU

    12 Replies

    You could use a batch that runs at log in to display something using ‘net user’. Should be fairly simple to create using the string below or something similar.

    >net user username /DOMAIN | findstr /B /C:”Last logon”

    UTSEC.NET is an IT service provider.

    SNAPSHOT TIME in bginfo will give last login time to the user on their desktop if you configure bginfo to run on login.

    This page might be helpful in finding how to find the bad password count:

    Follow the steps here:

    This will give the user a message when they logon about the last time they logged on, and the last failed logon attempt (if any).

    Even better, there will be four (4) new directory attributes populated with logon information that you can query.

    This works on Windows 7 clients. Read the article concerning other clients you may have.

    The command line above works but needs to have the username variable.

    net user %username% /DOMAIN | findstr /B /C:”Last logon”

    Otherwise a quick and easy way to do it.

    Another option is powershell. This way you can display the logon info in a popup box and not just as a command line entry that would need to be paused on the screen.

    Try this code as well. Sorry about the formatting.

    # Here’s the function that will return the last logon date and time

    $dcs = Get-ADDomainController -Filter

    foreach($dc in $dcs)

    $user = Get-ADUser $userName | Get-ADObject -Properties lastLogon

    if($user.LastLogon -gt $time)

    Write-Host $username “last log on was:” $dt

    Get-ADUserLastLogon -UserName $LoggedUser

    Start-Sleep -Seconds 10 #Displays the screen for 10 seconds then closes

    Mark, you can use the code button to format your code better:

    Couple of problems with the code, one is just intrinsic with Active Directory and another with PowerShell. The Get-AD* cmdlet’s are part of RSAT and those tools would have to be installed in order to use them. This also puts Active Directory Users & Computers and the other AD tools on the workstation. Probably not something you want on every workstation. The Net User command is pretty good, but it exposes the other problem:

    Last Logon is pretty inaccurate in Active Directory. If you have Windows 2008 domain controllers you can use the LastLogonDate to get the Last Logon information. The problem is this field is replicated very slowly, and can be as much as 14 days behind! And querying all of the DC’s will NOT get the right information! Just discovered that today 🙂 Now, in smaller environments this is no big deal and this field is pretty accurate. At my current job we have 8 domain controllers in our primary domain and the LastLogonDate field was WAY behind.

    To get a truly accurate date you have to query the LastLogon field, and hit every DC (LastLogon isn’t replicated) to find out the most recent date. Not particularily useful for a login script.

    You could record it yourself by writing the current date to a file during logon and then reading the file back at next logon.

    But to be honest, I hate login scripts that are really chatty. Better to not say anything at all, just get the user to the desktop and working as quickly as you can. IMHO, of course.

    I was able to use my Surface Pro 4 without any problem. However, after the tablet has been installed the Microsoft Cumulative maintenance, I can not login system with correct password. The screen keep showing the “Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator for assistance.” message and I could not figure out how to resolve it.

    For unknown reason, the windows update enable the GPO to show previous logons during user logon in Windows 10. To resolve the problem, you need to edit the related registry values to reset a user profile.
    * Reboot to safe mode, creat a new account to log in.
    * Press Win + R from your keyboard, type regedit in Run dialog box, and click OK button to open the registry editor.
    * Navigate to the tree below in the left pane:

    * Higlight the System folder, and go to its right side pane. Double click on the DisplayLastLogonInfo, change its value data from 1 to 0, and click OK to save changes. Then close everything and make a restarting, and you should be able to log in to the corrupted account.

    Another quick way is to shut down the connected WiFi router or disable the wifi, and login Windows 10, and then enable the WiFi feature to connect the network.

    I have also enable the “Display information about previous logons during user logon” in GPO and deployed it on our network, but still get the “Security policies on this computer…” error. To get it working, you need to apply the setting on the Domain computer first and let it propagates to apply that on the clients PC, then reboot to take effect.

    One of the interesting features of all versions of Windows including Windows 10 and Windows 8 is the ability to show detailed information about your previous logon. Every time you sign in, you will see an information screen with the date and time of the last successful logon. The same information will be displayed even if the previous logon was unsuccessful. This feature can be turned on with a simple Registry tweak.

    Tip: You can access any desired Registry key with one click.
    If you have no such key, then just create it.

  • Create a new DWORD value named DisplayLastLogonInfo and set it to 1. If you already have such a value, then just set it to 1 to enable the last logon information.
    How to see previous logon information on the windows sign in screen
  • That’s it. You are done. Log out from your Windows 10 session and sign in back. How to see previous logon information on the windows sign in screen

    The first time you will see the following screen:

    After the second logon, you will see another screen:

    Use Winaero Tweaker to avoid Registry editing

    You can use Winaero Tweaker to avoid Registry editing. Do it as follows.

    1. Download Winaero Tweaker.
    2. Run it and go to Boot and Logon\Show Last Logon Info:
    3. Tick the checkbox to enable this feature.

    See the following video:

    You can subscribe to our YouTube channel here: Youtube .

    Being able to see the last logon information is a nice security measure. It can inform you if someone else tried to use your account.

    Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

    If you like this article, please share it using the buttons below. It won’t take a lot from you, but it will help us grow. Thanks for your support!

    Author: Sergey Tkachenko

    Sergey Tkachenko is a software developer from Russia who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube. View all posts by Sergey Tkachenko

    12 thoughts on “Show the last logon information at every logon in Windows 10”

    Indeed, I have tried this on Windows 8.1 but I will try this on my Windows 10 also. Thanks

    Don’t works here on Win 91. with Media Center 64 Bit. The Verbose Logon enabled works but last Logon Inof not will try manually in Registry.

    Windows 91 xD
    There’s no such thing as Windows 91.
    Even if you meant 95 or 98, this is for Windows 10.
    LOL

    After the “Show Last Logon Info” -tweak, Windows 10 does not display the date of the previous login, but always the current login time. Where could this phenomenon come from?

    Must be a bug in the os. Unfortunately, bugs in Windows 10 are not a surprise these days.

    To whom this bug could be useful?

    Any bugs in software are useless and annoying.

    Is there any other ways to detect that your computer is used in your absence?

    Windows Event Log can tell you everything.

    Its so fucing coplicated to run around with all those event logs ect. “Show last logon info” page is so simple and clear. I think there is no way to fix this issue. Compromised Win 10 is compromised Win 10 and dot.

    This tweak now shows the message before (at boot) and after sign-in. Any way to only have it once the user signs in?

    Leave a Reply Cancel reply

    Connect with us

    We discontinued Facebook to deliver our post updates.

    Published on : February 18, 2021

    Category : Active Directory , PowerShell

    To find user last logon time, you can use many methods. I will cover some of the easy methods to find last logon time of user. You can go with the method that you believe is easy for you.

    As a system administrator, there are many situations in which you want to find the user’s last logon date and time. You may probably want to audit an user activity or gather all the inactive users in Active Directory over a period of time etc.

    There are lot of third-party softwares that allow you to find last logon time of a user. However not many prefer to use these softwares because they mostly require a license. Even though some of them maybe free but they do come with certain limitations. These softwares need to talk to your active directory to fetch the info and some organizations don’t use it for security reasons.

    The methods covered in this post do not require any third-party softwares as we can find the user logon time with easy steps.

    Table of Contents

    Method 1 – Find User Last logon time using Active Directory

    Finding the last logon time of an user is pretty simple using Active Directory.

    • Login to a Domain Controller.
    • Launch Active Directory Users and Computers console (dsa.msc).
    • Click View and ensure Advanced features is turned on.
    • On the left pane, click Users and select any user, right click the user account and click Properties.
    • In the list of attributes, look for lastLogon. This attribute shows the time the user was last logged in the domain.

    Find User Last logon time using Active Directory

    What is LastLogon in Active Directory?

    The lastlogon AD user attribute is the most accurate way to check active directory users last logon time.

    What is LastLogonTimeStamp in Active Directory?

    The purpose of the LastLogonTimeStamp is to help identify stale user and computer accounts. Administrators can use the lastLogontimeStamp attribute to determine if a user or computer account has recently logged onto the domain.

    What is the difference between Lastlogon and LastLogonTimeStamp?

    The lastlogon attribute is the most accurate way to check active directory users last login time. Lastlogon is only updated on the domain controller that performs the authentication and is not replicated. Whereas LastLogontimestamp is replicated, but by default only if it is 14 days or more older than the previous value.

    Method 2 – Find User’s last logon time using CMD

    Using the command prompt you can find last logon time of user. You don’t need a domain admin account to get AD user info.

    • Click Start and launch the command prompt.
    • Run the command – net user username /domain| findstr “Last”
    • The CMD output shows the user’s last logon time and date.

    Find User’s last logon time using CMD

    Method 3 – PowerShell Command to find User Last Logon time

    You can find the user logon date and time using PowerShell command. You can run the below command either on a domain controller or a member server.

    • Log in to a Domain Controller.
    • Import the Active Directory PowerShell module Import-Module ActiveDirectory.
    • Run the below PowerShell command to find the user’s login time with date.

    PowerShell Command to find User Last Logon time

    When you run the above command, notice that Lastlogon value is in a different format. It’s in a timestamp format and you need to convert the value to a readable format. Use the below command to convert the value to normal time. Do not forget to replace the user name with your username.

    Last Logon Time of User

    Method 4 – Find last Logon Time of User using SCCM

    From the SCCM console you can find the previous logon time of user account. SCCM uses Active Directory to fetch the information when you run the discovery methods. Discovery creates a discovery data record (DDR) for each discovered object and stores this information in the SCCM database.

    There are two prerequisites before you use SCCM to find the logon time of an user.

    • You should have enabled the SCCM discovery methods before you find the user logon details. Most of all the Active Directory user discovery method must be enabled.
    • On the Active Directory user discovery properties, ensure lastLogon and lastLogonTimestamp attributes are enabled for discovery.

    To find last logon time of user using SCCM, follow the below steps.

    • Launch the Configuration Manager console.
    • Navigate to Assets and Compliance\Overview\Users\All Users.
    • Search for the user account and right click the User object.
    • On the user properties box, click General tab.
    • The lastLogon attribute should reveal the last logon time of user account.

    Find last Logon Time of User using SCCM

    How to Change The Windows 10 & 11 Clock to 12 or 24 Hour Format

    How to Change Automatic Maintenance Times

    How to Change the Windows 10 Notification Display Time

    Show Your Support for MajorGeeks a Donation

    How to Remove the Shortcut Arrow Icon in Windows 10 & 11

    How to Reset and Renew Your Internet Connection With a Batch File

    How to Enable or Disable Memory Compression in Windows 10 & 11

    How to Create a “Guest Account” on Windows 10 & 11

    How to Add or Remove a Language in Windows 11

    How to Fix Richtx32.ocx Errors

    Published by Timothy Tibbetts on 06/17/2020

    When you sign out of Windows 10 and have multiple user accounts, you can click on any user name to log into that account. If an account is not password protected, anyone can log in. For security purposes, you can hide all the user accounts from being displayed, forcing a user to enter their account name and password.

    TIP : Hard to fix Windows Problems? Repair/Restore Missing Windows OS Files Damaged by Malware with a few clicks

    We have two ways you can hide the last signed-in user; Local Security Policy or the Registry Editor. Local Security Policy is only available in Windows 10 Pro and Enterprise, but you can enable it in Windows 10 Home.

    Video tutorial:

    Here’s a before, and after:

    Hide Last Signed in Users in Windows 10 With Local Security Policy (secpol.msc)

    Open Local Security Policy by pressing the Windows Key + R, type in secpol.msc, and press Enter.

    Expand Local Policies, and click on Security Options.

    Double-click on Interactive logon: Don’t display last signed-in.

    Select Enabled (default) or Disabled.

    Hide Last Signed in Users in Windows 10 With Registry Editor or Reg File

    Double-click Hide Last Signed in Users in Windows 10.reg or Show Last Signed in Users in Windows 10.reg (Default) to hide or show Last Signed in Users in Windows 10.

    Click Yes when prompted by User Account Control.
    Click Yes when prompted by Registry Editor.

    Click OK when prompted by the Registry Editor.

    This tweak is included as part of MajorGeeks Windows Tweaks.

    the registry file edits the Value data of dontdisplaylastusername located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

    How to see previous logon information on the windows sign in screen

    When you first set up a new PC with Windows 10, you create a user account which is set by default to log in automatically at startup. This likely isn’t a problem if you’re at home all the time, but if you have a laptop this becomes a serious security risk. Especially if you travel with your laptop.

    This automatic login means that anyone who finds your computer (or steals it!) only needs to start it up to have access to all your files. Because of this, companies that have information security policies typically mandate that you disable automatic login on your Windows 10 machine. (If you have an Apple computer, there are slightly different instructions for how to disable the automatic login for Mac OS.)

    How To Disable Automatic Login:

    1. Press Win+R, enter “netplwiz“, which will open the “User Accounts” window. Netplwiz is a Windows utility tool for managing user accounts.
    2. Check the option for “Users must enter a username and password to use this computer” and click Apply.
    3. That’s it. Restart your computer and the system will prompt you to enter your password at the login screen.

    Three easy steps to make your Windows 10 computer, and data, more secure!

    Why Small Steps are Important for Keeping Your Company Secure

    They might sound boring, but the information security policies and procedures at your company are incredibly important. Even on your personal computers at home, following these policies can help make sure your own information stays safe! Everyone should be aware about how to protect their own personal and financial information at home. You don’t want to be a target of identity theft. Or the source of a data breach at your company!

    In the case of your Windows 10 laptop is set to log in automatically — that’s what we InfoSec experts consider an endpoint. Every laptop or device that remotely connects to your corporate network or systems is called an “endpoint,” which means these devices are all a potential entry point for security threats. Security frameworks like SOC 2 even have specific controls designed to prevent unauthorized access to confidential information. Having information security policies and procedures that are compliant with standards, like SOC 2, reduces the likelihood that your endpoints could become compromised by bad actors. While that automatic login feature is convenient, it also makes your laptop more vulnerable.

    Ready for a Big Step? Get Cybersecurity Policies for Your Business

    If your company already has policies, make sure you’re familiar with the requirements and follow them. Go find them. You’ll want to stay up to date since companies change and update their policies. If you have a small business or startup — you will likely have to create your own security policies. (More on making your own cybersecurity policies from scratch below.)

    It doesn’t matter if you’re a salesperson, a marketer, or a developer with access to everything. You don’t have to work in IT. You’re a target. Unfortunately, too often small businesses are easy targets. Most cyber attackers don’t discriminate. They’ll hit with a broad stroke. In fact, they might target every employee with an @YourCompany.com email address. Or every device connected to your company wifi network.

    Cyber-attacks may target and steal your employee personnel records. Other times, the target is your company’s customer database full of private records, payment information, passwords, and internal data. However, your company may not be the true target, if you are a vendor for a global brand or Fortune 500 company.

    Conclusion

    If your laptop or another endpoint is compromised, that could give someone with nefarious intent access to other devices, databases, and critical systems within your company. Securing every possible entry point, through easy steps like disabling automatic logins, is key.

    Need to Make Your Business More Secure?

    Since you’re worried about the security of your computer you should put together a security program that builds a solid security foundation for your organization.

    Check out our Security Playbook to learn how you can bolster your overall security position. It provides tips and answers to common questions about implementing an information security program.

    We have been tasked with a security requirement to display the last time a user was logged into the server upon login on our Windows 2003 and 2008 servers. This would apply to local and AD accounts. What is the best way to accomplish this? There doesn’t appear to be any built in mechanism to do this and the best idea that we have found was the possibility of using a script with BgInfo.

    4 Answers 4

    A workaround that would work on both Server 2003 and 2008 would be to use BGInfo from sysinternal with the getCurrentUserLastLoginTime.vbs script from slingfive.com. You’ll probably want to make sure you protect the script and the bginfo executable to make sure nobody plays tricks with your last login information.

    For Windows Server 2008: this article explains how to enable this feature.

    This feature is only available after the Domain Functional Level has been increased to Windows Server 2008. That means that only W2K8 DCs exist in the AD domain and no WNT4, no W2K or W2K3 DCs. Even after increasing the DFL the feature is not available right away.

    Change this Group Policy setting if you want to write the information into the directory at logon:

    Warning: For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level.