none
Powershell script to find which user last logged on to a computer RRS feed

  • Question

  • Is there any way using some combination of Get-ADUser and Get-ADComputer to figure out the user who last logged on to a particular computer? I can use 

    Get-ADComputer -identity TARGETPC -Properties * | FT Name, LastLogonDate,IPv4Address, lastlogoff -Autosize

    To get

    Name     LastLogonDate        IPv4Address    lastlogoff
    ----     -------------        -----------    ----------
    TARGETPC 8/8/2016 10:54:13 PM 192.168.1.15          0

    And I can use 

    Get-ADUser -filter { (LastLogonDate -ge "8/15/2016") -and (LastLogonDate -le "8/17/2016")} -properties * | FT Name, LastLogonDate
    

    to get anyone who has logged on from 8/14 to 8/16 (not exactly the result I was expecting, but that's a different issue).

    The ideal situation would be for me to be able to write something like

    "Hey, Powershell...who's the last person to log in to this machine? And if you can't tell me that, at least give me a list of people who logged in around this specific time."

    Wednesday, August 17, 2016 6:55 PM

Answers

  • Here's a short example that you might be able to use:


    #requires -version 2
    
    param(
      [String[]] $ComputerName = "."
    )
    
    foreach ( $name in $ComputerName ) {
      $params = @{
        "Class" = "Win32_UserProfile"
        "ComputerName" = $name
        "Filter" = "Special=False"
      }
      Get-WmiObject @params | ForEach-Object {
        $userAccount = [WMI] ("\\$name\root\cimv2:Win32_SID.SID='{0}'" -f $_.SID)
        $userName = "{0}\{1}" -f $userAccount.ReferencedDomainName,$userAccount.AccountName
        New-Object PSObject -Property @{
          "Name" = $userName
          "LastUseTime" = [Management.ManagementDateTimeConverter]::ToDateTime($_.LastUseTime)
          "Loaded" = $_.Loaded
        }
      }
    }
    


    -- Bill Stewart [Bill_Stewart]

    Wednesday, August 17, 2016 7:08 PM
    Moderator

All replies

  • Active Directory has no information about which users logon to which computers. Those cmdlets cannot help.

    Edit: Perhaps this script will help:

    https://gallery.technet.microsoft.com/Retrieve-the-LastUseTime-dbd2999b


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, August 17, 2016 6:58 PM
    Moderator
  • Is there any way to pipe the date/time from Get-ADComputer to the LastLogonDate property of Get-ADUser as a filter?
    Wednesday, August 17, 2016 7:01 PM
  • Here's a short example that you might be able to use:


    #requires -version 2
    
    param(
      [String[]] $ComputerName = "."
    )
    
    foreach ( $name in $ComputerName ) {
      $params = @{
        "Class" = "Win32_UserProfile"
        "ComputerName" = $name
        "Filter" = "Special=False"
      }
      Get-WmiObject @params | ForEach-Object {
        $userAccount = [WMI] ("\\$name\root\cimv2:Win32_SID.SID='{0}'" -f $_.SID)
        $userName = "{0}\{1}" -f $userAccount.ReferencedDomainName,$userAccount.AccountName
        New-Object PSObject -Property @{
          "Name" = $userName
          "LastUseTime" = [Management.ManagementDateTimeConverter]::ToDateTime($_.LastUseTime)
          "Loaded" = $_.Loaded
        }
      }
    }
    


    -- Bill Stewart [Bill_Stewart]

    Wednesday, August 17, 2016 7:08 PM
    Moderator
  • The Win32_UserProfile class is your best bet. The last user to logon to a computer could be many hours after the computer last authenticated (when it last started up).

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, August 17, 2016 7:12 PM
    Moderator
  • i have no script to provide, but if i were you i'd probably go with the get-winevent road, with an xml filter.

    Thursday, August 18, 2016 3:04 PM