How to get lost login date and time logs of a user in Domain/active directory for last 6 years?
May 7th, 2012 7:43am

You cannot do that until and unless you save the security events in the Event Viewer. Still, you can use the lastLogonTimestamp attribute to find out when the user last logged on:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms676824(v=vs.85).aspx

http://www.arabitpro.com
May 7th, 2012 8:02am

Have you backed up the logs? If not, then unfortunately it's not possible. Events older than a certain number of days, depending on your policy settings, are overwritten to prevent the log from exceeding the maximum file size.

The Event Log Options setting is configured either via GPO or locally on machines. The log options allow you to control the size of the event logs as well as how logging is handled. Event Log policy settings can be configured in the following location in Group Policy Object Editor:

GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\

Ref. links:
http://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/bb726966.aspx

Sachin Gadhave (MCP, MCTS)
May 7th, 2012 8:02am

Hi Borh,

Thanks a lot for your quick answers. In my environment, DCs are configured to store a maximum of 128 MB of security logs. Then is it possible to find all last logon stamps for an end user for a few days? (Let's say user x has logged on to a laptop daily for the last month; will those logons be stored on the DC?)
May 7th, 2012 8:51am

You can find out the last logon details of an end user for a few days; however, that again depends on the number of users present in Active Directory. In a large enterprise with thousands of users in AD, security logs on DCs are overwritten very quickly. If logs are overwritten, then you will have no option to filter out the security events for old logon stamps which are already lost.

If you need to preserve the logs, then you might need to consider a third-party application (e.g. GFI Event Manager) which can do that job for you, or else you might want to consider Windows Event Forwarding and Subscriptions.

Quick and Dirty Large Scale Eventing for Windows
http://blogs.technet.com/b/otto/archive/2008/07/08/quick-and-dirty-enterprise-eventing-for-windows.aspx

Configure Computers to Forward and Collect Events
http://technet.microsoft.com/en-us/library/cc748890.aspx

Setting up a Source Initiated Subscription
http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx

Windows Event Collector
http://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx

A UNIVERSE without WINDOWS is CHAOS! This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
May 7th, 2012 10:07am
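
How far back a DC's Security log actually reaches, and whether it still holds a given user's authentication events, can be checked directly. The following is an added example, not code from any poster in this thread; it assumes the ActiveDirectory module (RSAT), DCs running Windows Server 2008 or later with Kerberos Authentication Service auditing enabled (event ID 4768), and the placeholder account name `jdoe` with a 30-day window.

```powershell
# Added example: report Security log retention per DC and count Kerberos TGT
# requests (event 4768) for one user inside a look-back window.
# 'jdoe' and the 30-day window are placeholder values.
Import-Module ActiveDirectory

$user     = 'jdoe'
$days     = 30
$since    = (Get-Date).AddDays(-$days)
$windowMs = [int64]$days * 24 * 60 * 60 * 1000

# Event-log XPath: event 4768 for this user, created within the window.
$xpath = "*[System[EventID=4768 and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
         " and EventData[Data[@Name='TargetUserName']='$user']]"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # Configured size and overwrite behaviour of the Security log.
        $log    = Get-WinEvent -ListLog Security -ComputerName $name -ErrorAction Stop
        # Oldest record still present: this is the real retention horizon.
        $oldest = Get-WinEvent -LogName Security -ComputerName $name `
                      -Oldest -MaxEvents 1 -ErrorAction Stop
    } catch {
        Write-Warning "Could not read the Security log on ${name}: $($_.Exception.Message)"
        continue
    }

    # No matching events raises a non-terminating error, so suppress it.
    $hits = @(Get-WinEvent -LogName Security -ComputerName $name `
                  -FilterXPath $xpath -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DC            = $name
        MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode       = $log.LogMode      # Circular = oldest events overwritten
        OldestEvent   = $oldest.TimeCreated
        CoversWindow  = $oldest.TimeCreated -le $since
        TgtRequests   = $hits.Count
        LatestRequest = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}

$report | Sort-Object OldestEvent | Format-Table -AutoSize
```

A DC where `CoversWindow` is `False` has already overwritten part of the window, so a zero in `TgtRequests` there does not prove the user was absent.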

Hello,

Since the events have not been deleted, you can find the information you want.

For tracking logons, you can use the following script as a logon script using group policies:

echo %username%; %computername%; %date%; %time% >> \\Server\Share\logons.csv

Where:
- "Server" is a file server
- "Share" is a shared folder on this server

So, like that, each time a user logs on, an entry will be added to the "logons.csv" file. For tracking, open it using Excel and you will have the following columns:
- User Name
- Computer Name
- Date of logon
- Time of logon

Note also that, if you want to get the last date / time a user logged on, you can use the following AD attributes, which you will find in the properties of the user account:
- lastlogon: This attribute is not replicated and will contain the last time the user used a specific DC. If you will use it, then check it on all DCs you have.
- lastlogontimestamp: This attribute is replicated to DCs you have if your DFL is Windows Server 2003 or higher. This attribute may be deleted by 0-14 days. More here: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer
May 7th, 2012 10:14am
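
The per-DC check of `lastLogon` described in the post above can be scripted. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) is installed and uses the placeholder account name `jdoe`.

```powershell
# Added example: read the non-replicated lastLogon attribute from every DC and
# compare it with the replicated lastLogonTimestamp. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-UserLastLogon {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server pins the query to this DC, so lastLogon is that DC's own value.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                     -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An unreachable DC may hold a more recent value than any reported here.
            Write-Warning "Skipped $($dc.HostName): $($_.Exception.Message)"
            continue
        }

        # Both attributes are Windows FILETIME values; 0 or empty means "never".
        [pscustomobject]@{
            DC                 = $dc.HostName
            LastLogon          = if ($u.lastLogon) {
                                     [DateTime]::FromFileTime($u.lastLogon)
                                 } else { $null }
            LastLogonTimestamp = if ($u.lastLogonTimestamp) {
                                     [DateTime]::FromFileTime($u.lastLogonTimestamp)
                                 } else { $null }
        }
    }
}

# One row per DC, newest first; the first row is the most recent logon seen by any DC.
$rows = Get-UserLastLogon -SamAccountName 'jdoe' | Sort-Object LastLogon -Descending
$rows | Format-Table -AutoSize
$rows | Select-Object -First 1 -Property DC, LastLogon
```

Both attributes hold only the most recent value, so this gives a single point in time per DC and not a logon history.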

Hi Skoppula,

As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered, as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

Thanks for your understanding and efforts.

Best Regards
Kevin
TechNet Community Support
May 10th, 2012 10:24pm

This topic is archived. No further replies will be accepted.
