It's a bit frustrating to find that, by default, Active Directory does not record the username of the last person who logged onto a computer. If you need to know who is logging into computers, you have to be a bit creative.
How To Figure Out Who Is Using a Computer?
We will explain four ways to figure out who is using your computers and list them from easiest to most complex:
1 – THIRD PARTY TOOLS SHOW WHICH USER IS ON WHICH COMPUTER:
Antivirus software (or Intune, or other management tools) will often tell you who last logged into a particular computer and when they did so.
2 – ADD A LINE TO THEIR LOGON SCRIPT TO REPORT WHO IS LOGGING IN
You can easily add a line to the logon script so that it writes to a text file on the server:
echo %username% %computername% %date% %time% >> \\<Your-Server-Name>\<Share>\TheList.txt
Be sure to change:
- \\<Your-Server-Name>\ to the name of a server on your network
- <Share> to a folder shared so everyone can write to it, perhaps with permissions like AUTHENTICATED USERS = FULL CONTROL
This will create a list of all the users as they sign in. Keep in mind that with FULL CONTROL any signed-in user can also edit or delete the list.
3 – MANUALLY BROWSE EACH COMPUTER TO SEE WHO LAST LOGGED IN
Use the usual Windows File Explorer to connect to each machine's C:\Users\ folder, then sort by MODIFIED date to see who the most recent user is.
4 – USE A POWERSHELL SCRIPT TO DETERMINE WHO LOGGED IN LAST
This is the same as #3 above but using a PowerShell Script:
Get-ChildItem "\\<Name-of-Computer>\c$\Users" | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime -first 1 | out-file \\<Your-Server-Name>\C$\temp\TheList.txt
Be sure to change:
- <Name-of-Computer> to the name of the computer you want to check
- <Your-Server-Name> to the name of a server on your network that everyone can write to, and ensure the folder you choose has permissions like AUTHENTICATED USERS = FULL CONTROL
If you want to run this as a script against many machines, use this:
$ArrComputers = @("PC1", "PC2", "PC3", "PC4")
foreach ($Computer in $ArrComputers) {
    # Newest profile folder on each machine, written to one file per computer
    Get-ChildItem "\\$Computer\c$\Users" | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime -first 1 | out-file "\\<Your-Server-Name>\<Share>\$Computer.txt"
}
Be sure to change:
- the names of the computers from PC1, PC2… to whatever your computer names are
- <Your-Server-Name> to the name of a server
- <Share> to a folder shared so everyone can write to it, perhaps with permissions like AUTHENTICATED USERS = FULL CONTROL
5 – GROUP POLICY TO AUDIT LOGON EVENTS
- Edit an existing or create a new Group Policy Object
- Expand COMPUTER CONFIGURATION > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICY > AUDIT POLICY
- Double click on AUDIT ACCOUNT LOGON EVENTS
- Click on SUCCESS then click OK
Make sure this GPO is applied to the machines you care about.
- Launch Event Viewer and expand WINDOWS LOGS > SECURITY
- Filter by EVENT ID = 4624
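Filtering on Event ID 4624 in Event Viewer returns service, network and computer-account logons alongside real people. The PowerShell below is an added example, not part of the original post, that pulls the same events and keeps only interactive logons; it assumes you run it with admin rights on the target and that remote event log access is allowed, and the parameter names are illustrative.

```powershell
# Added example: list recent interactive logons recorded as Event ID 4624.
# Assumption: run elevated; reading the Security log requires admin rights.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # machine whose Security log is read
    [int]$Days   = 7,                            # how far back to look
    [int]$Newest = 20                            # how many logons to return
)

# Logon types that mean a person used the machine:
# 2 = interactive (console), 10 = RemoteInteractive (RDP), 11 = cached interactive
$InteractiveTypes = 2, 10, 11

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent returns the newest events first
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read the EventData fields by name from the event XML
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            User        = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType   = [int]$data.LogonType
            SourceIp    = $data.IpAddress
        }
    } |
    Where-Object {
        $_.LogonType -in $InteractiveTypes -and
        $_.User -notmatch '\$$' -and    # drop computer accounts (names end in $)
        # drop built-in session accounts such as DWM-1 and UMFD-0
        $_.User -notmatch '^(Window Manager|Font Driver Host|NT AUTHORITY)\\'
    } |
    Select-Object -First $Newest
```

The script emits objects, so the result can be piped to Format-Table for reading or Export-Csv for keeping.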
1 Comment
jersey bola · January 15, 2023 at 9:41 pm
Appreciate the recommendation. It worked!