Finding any Users logging in with local profiles RRS feed

  • Question

  • I've been playing with a couple ways to do this, and just haven't around anything I thought really did a very good job of it. Basically, we have a client and a number of users at this client log on with local profiles instead of their domain profiles, so various policy that's user base isn't applied, among other things. We aren't sure why people are doing this, and I'm tasked with identifying everyone who is doing it so we can follow up individually and make them stop.

    I've thought about pulling event logs to look for logons as local users, but there doesn't seem to be an easy cut and dry way to identify only local logons when pulling all the events with powershell.

    I've tried using WMI but I don't think I can pull the last logon time of each user.

    And I've tried pulling all the users from the registry in the registry, but I'm having a heck of a time finding a key with all the information I want, like name, last logon, etc.

    Ideally, I'd like to be able to run this against all domain computers, and pull a list of any computer with local accounts that have been logged in anytime recently, so we can then figure out who's machine that is, and talk to them about logging in as a local account. Not all computers are in the network every day, but something that runs periodically and slowly collects this information over a month or two is probably acceptable.

    Friday, May 19, 2017 10:57 PM

All replies