Share this page : facebooktwitterlinkedinmailfacebooktwitterlinkedinmail
a user last logon Time

GUI: To look at the Last-Logon attribute on a single DC, you can use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. You need to enable the Advanced Features option from the View menu to show the Attribute Editor tab in the account properties. On this tab, you can scroll to the lastLogon attribute, as Figure 1 shows. (Note that lastLogon is the display name for the Last-Logon attribute.)

Powershell:

Get-ADUserLastLogon -UserName AD_logon_name
which computer does a user is logging in

First, to see what it looks like, I ran the following script in Windows PowerShell.

NET SESSION

This showed me all the open sessions on my file server where most of the users home drives were located. (Your environment may be different, so I recommend picking the machine with a file share that most of the users in your environment are likely to attach to.)

Then to quickly find the user, I piped the output as follows.

SELECT-STRING

(NET SESSION) | Select-String mr.trouble

  

Now to get fancy, I decided to see if I could pass this into the file server via a remote session to allow this to be run from any system.

$S=NEW-PSSESSION –computername MYFILESERVER

INVOKE-COMMAND –Session $s –scriptblock { (NET SESSION) | Select-String mr.trouble }

REMOVE-PSSESSION $S

Now at the very least, I could see a much shorter list and resolve those IP addresses to computer names as follows. Note that this function requires the Reverse Lookup function in your DNS server, you can follow this page to create it: https://technet.microsoft.com/en-us/library/cc753997(v=ws.11).aspx

nslookup x.x.x.x

But wait.  Don’t I want all of this as a single function?  Don’t I want to make my life easier?

I found a small problem in getting the variable to be received by the remote session, so yes…I cheated. I piped after.  I’ll probably look at this later and find the right answer vs. the “cheaters answer.”

function global:FIND-HSGUSER {

# Get name of File Server to Initialize Remoting 
# and the name of the silly user you need to find their computer for   

param($FILESERVER,$USERNAME)

# Connect Remotely to Server, Run Session, get a list of everybody logged in there 

    $S=NEW-PSSESSION –computername $FILESERVER 
    $Results=(INVOKE-COMMAND –Session $s –scriptblock { (NET SESSION) }) | Select-string $USERNAME 
    REMOVE-PSSESSION $S

# Let’s parse through the data and pull out what we need   

Foreach ( $Part in $RESULTS ) {

    $ComputerIP=$Part.Line.substring(2,21).trim() 
    $User=$Part.Line.substring(22,44).trim()

# Use nslookup to identify the computer, grab the line with the “Name:” field in it

    $Computername=(nslookup $ComputerIP | Where { $_ -like ‘Name:’})

    If ($Computername -eq $NULL) { $Computername=”Unknown”} 
    Else { $Computername=$Computername.substring(9).trim()}

    write-host 
# Show me where the silly fool is hiding

“$User is logged into $Computername with IP address $ComputerIP”

}

}

You can call the function by:

FIND-HSGUSER DC_name user_logonName
Refrence