It's a bit frustrating to find that, by default, Active Directory does not record the username of the last person who logged onto a computer. If you need to know who is logging into computers, you have to be a bit creative.

How To Figure Out Who Is Using a Computer?

We will explain four ways to figure out who is using your computers and list them from easiest to most complex:

1 – THIRD PARTY TOOLS SHOW WHICH USER IS ON WHICH COMPUTER:

Antivirus software (or Intune, or other management tools) will often tell you who last logged into a particular computer and when they did so.

2 – ADD A LINE TO THEIR LOGON SCRIPT TO REPORT WHO IS LOGGING IN

You can easily add a line to the logon script so that it writes to a text file on the server:

echo %username% %computername% %date% %time% >> \\<Your-Server-Name>\<Share>\TheList.txt

Be sure to change:

  • \\<Your-Server-Name>\ to the name of a server on your network
  • <Share> to a folder shared so everyone can write to it, perhaps with permissions like AUTHENTICATED USERS = FULL CONTROL

This will create a list of all the users as they sign in.

3 – MANUALLY BROWSE EACH COMPUTER TO SEE WHO LAST LOGGED IN

Use the usual Windows File Explorer to connect to each machine's C:\Users\ folder, then sort by MODIFIED date to see who the most recent user is.


4 – USE A POWERSHELL SCRIPT TO DETERMINE WHO LOGGED IN LAST

This is the same as #3 above but using a PowerShell Script:

Get-ChildItem "\\<Name-of-Computer>\c$\Users" | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime -first 1 | out-file \\<Your-Server-Name>\C$\temp\TheList.txt

Be sure to change:

  • <Name-of-Computer> to the name of a server on your network that everyone can write to and ensure the folder you choose has permissions like AUTHENTICATED USERS = FULL CONTROL
  • <Your-Server-Name> to the name of a server

If you want to run this as a script against many machines use this:

# Computers to check
$ArrComputers = @("PC1", "PC2", "PC3", "PC4")

foreach ($Computer in $ArrComputers) {
    # The newest profile folder under C:\Users is the most recent user; one output file per computer
    Get-ChildItem "\\$Computer\c$\Users" | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime -First 1 | Out-File \\<Your-Server-Name>\share\$Computer.txt
}

Be sure to change:

  • the names of the computers from PC1, PC2… to whatever your computer names are
  • <Your-Server-Name> to the name of a server
  • <Share> is a folder shared so everyone can write to it, perhaps with permissions like AUTHENTICATED USERS = FULL CONTROL

5 – GROUP POLICY TO AUDIT LOGON EVENTS

  1. Edit an existing or create a new Group Policy Object
  2. Expand COMPUTER CONFIGURATION > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICY > AUDIT POLICY
  3. Double click on AUDIT ACCOUNT LOGON EVENTS
  4. Click on SUCCESS then click OK


Make sure this GPO is applied to the machines you care about.

  1. Launch Event Viewer and expand WINDOWS LOGS > SECURITY
  2. Filter by EVENT ID = 4624
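
Filtering by hand in Event Viewer still leaves a lot of noise, because service, network and computer-account logons also produce event 4624. The following added example (not from the original article) parses 4624 events and keeps only the newest interactive logon per computer; the function names, the PC1.example.local host and the EXAMPLE domain are assumptions made for illustration, and the sample events are constructed.

```powershell
# Added example: find the last interactive user per computer from 4624 events.
# Logon types kept: 2 = interactive, 10 = RemoteInteractive (RDP), 11 = cached interactive.
$InteractiveTypes = '2', '10', '11'

function ConvertFrom-LogonEventXml {    # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)
    $evt  = ([xml]$Xml).Event
    $data = @{}   # EventData is a list of <Data Name="...">value</Data> elements
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Computer  = $evt.System.Computer
        Time      = [datetime]$evt.System.TimeCreated.SystemTime
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
    }
}

function Get-LastInteractiveLogon {     # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ForEach-Object { ConvertFrom-LogonEventXml -Xml $_ } |
        Where-Object {
            $_.LogonType -in $InteractiveTypes -and
            $_.User -notmatch '\$$' -and              # computer accounts
            $_.User -notmatch '\\(DWM|UMFD)-\d+$'     # built-in desktop/font-driver sessions
        } |
        Group-Object Computer |
        ForEach-Object { $_.Group | Sort-Object Time -Descending | Select-Object -First 1 }
}

# Constructed sample events (not real log data), trimmed to the fields used above.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
    '<EventID>4624</EventID><TimeCreated SystemTime="{0}"/><Computer>PC1.example.local</Computer>' +
    '</System><EventData><Data Name="TargetUserName">{1}</Data>' +
    '<Data Name="TargetDomainName">{2}</Data><Data Name="LogonType">{3}</Data></EventData></Event>'
$sample = @(
    $template -f '2023-01-15T08:02:11.0000000Z', 'alice', 'EXAMPLE', 2
    $template -f '2023-01-15T08:02:09.0000000Z', 'DWM-1', 'Window Manager', 2
    $template -f '2023-01-15T09:30:00.0000000Z', 'FILESRV$', 'EXAMPLE', 3
    $template -f '2023-01-15T07:15:42.0000000Z', 'bob', 'EXAMPLE', 10
)
Get-LastInteractiveLogon -EventXml $sample

# Live use (needs rights to read the remote Security log):
#   $xml = Get-WinEvent -ComputerName PC1 -MaxEvents 500 -FilterHashtable @{
#              LogName = 'Security'; Id = 4624 } | ForEach-Object { $_.ToXml() }
#   Get-LastInteractiveLogon -EventXml $xml
```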

 


 


1 Comment

jersey bola · January 15, 2023 at 9:41 pm

Appreciate the recommendation. It worked!
