

How to find the last domain user to use a PC

Posted on 2012-09-07
Medium Priority
Last Modified: 2012-09-07
I have a laptop called "BB-07" with a smashed screen.
How do I find the last domain user to use that PC in Active Directory under Server 2003?

I have of course used the event editor and looked at the "Security" tab which shows all activity for both users and PCs, BUT when I search for all references to "BB-07", none of them tell me which user was logged in on that laptop.

Is there another place where I can get this info?  Or do I need to install a free tool to log this info on the server?  Which free tool?
Question by:Alistair7
LVL 39

Accepted Solution

Krzysztof Pytko earned 1400 total points
ID: 38375873
There is no direct AD attribute storing that information. However, you can connect over the network, using an administrator account, to the registry on that computer, and you will find who is logged on (this works only if you have not disabled showing the last logged-on user in GPO).

Then you should check this registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and check DefaultUserName, which is set to the last logged-on user.


Author Comment

ID: 38375953
Unfortunately I have logged in as administrator, so "DefaultUserName" now says administrator.

What about a free tool for logging this info on the server??
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38375964
I don't know of any. There is also another tool you can use to see who is logged on: PsLoggedOn.

It's probably possible to use some VBScript or PowerShell to log that, but for that you need to ask in those zones.


Assisted Solution

Minoru7 earned 200 total points
ID: 38376001
If you're on a domain, then the domain controller (active directory server) should contain the logs of who logged onto the server in the security logs.  However, that's if you keep enough of the logs that it hasn't already been overwritten.  Keep in mind that if you have multiple DCs, then you will need to check each one.  It will only be logged on one of them.  It would be logged as event ID 528 on Windows 2003 and 4624 on Windows 2008 or 2008 R2.  If it's only a Workgroup-based PC, these same logs should exist on the local system.  Again, it depends on how large you let your logs get.
LVL 10

Assisted Solution

chubby_informer earned 200 total points
ID: 38376020
Get a software product called ADManager.  You would be able to pull reports and get this info; however, it's not free, but there is a trial available.  This software would also help in managing and keeping your AD clean.

Author Comment

ID: 38376938
Thanks for your efforts.

ADManager is expensive and, having looked at the product, I cannot see if it will do what I want.

Minoru7, in my original post I said that I had already looked at the security logs in the event viewer.  But all events referring to "BB-07" did not mention the logged in user.

There must be others like me who need to know the last few users logged into a computer.
And I would be very surprised if there was not a simple tool for that.
LVL 23

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 200 total points
ID: 38377496
From the client machine: open C:\Users.

Sort the folders (user profile folders) by date modified; it will show the date of the last modification of the profile (which is a local logon or remote logon).

Author Comment

ID: 38377929
I found an excellent solution on the internet.

Use group policy to run 2 batch file scripts, one on login and the other on logout.

Here they are:

echo %computername%,%date%,%time%,%username%,logon >> \\Server\PC_Log$\PC_Log.csv

echo %computername%,%date%,%time%,%username%,logoff >> \\Server\PC_Log$\PC_Log.csv

Both scripts save details to the same log file placed in a hidden shared folder.
Simply a matter then of opening the csv file under OpenOffice or Excel and sorting on the first 3 columns, namely "computername" "date" and "time".

Only 1 small weird thing.  The time field also creates an additional two digit number which is then placed in its own column.  Like this:

Freds-PC   07.09.2012   21:47:08   47   Administrator   logon
Freds-PC   07.09.2012   21:48:04   92   Administrator   logoff

Thanks for your help.
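
As an added example (not part of the original thread), here is a Python reader for the PC_Log.csv layout written by the two scripts above; it returns the most recent logons for one computer. The extra two-digit column is consistent with %time% expanding to hh:mm:ss,cc on systems whose decimal separator is a comma, so the reader accepts both the six-field and the five-field layout; the function names, the sample rows other than the Freds-PC line, and the dd.mm.yyyy date format are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the layout the two scripts write. The comma inside
# %time% (hh:mm:ss,cc) is what adds the extra two-digit column.
SAMPLE_LOG = """\
Freds-PC,07.09.2012,21:47:08,47,Administrator,logon
BB-07,06.09.2012, 8:15:30,10,jsmith,logon
BB-07,06.09.2012,17:02:11,55,jsmith,logoff
BB-07,07.09.2012,09:01:45,03,mjones,logon
BB-07,07.09.2012,21:30:00.12,Administrator,logon
"""


def parse_row(row):
    """Return (computer, timestamp, user, action), or None if malformed."""
    fields = [f.strip() for f in row]
    if len(fields) == 6:      # decimal comma split %time% into two fields
        computer, date, time, _centis, user, action = fields
    elif len(fields) == 5:    # decimal point: hh:mm:ss.cc stayed in one field
        computer, date, time, user, action = fields
        time = time.split(".")[0]
    else:
        return None
    try:                      # assumes dd.mm.yyyy dates, as in the post
        stamp = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
    except ValueError:
        return None
    return computer, stamp, user, action.lower()


def last_logons(log_text, computer, count=3, ignore=()):
    """Most recent logon events for one computer, newest first."""
    skip = {name.lower() for name in ignore}
    events = []
    rows = csv.reader(io.StringIO(log_text))
    for host, stamp, user, action in filter(None, map(parse_row, rows)):
        if (host.lower() == computer.lower() and action == "logon"
                and user.lower() not in skip):
            events.append((stamp, user))
    return sorted(events, reverse=True)[:count]


if __name__ == "__main__":
    for when, who in last_logons(SAMPLE_LOG, "BB-07", ignore=("Administrator",)):
        print(when, who)
```

Because every user's logon script needs write access to the share, entries in the file can be altered by anyone who can write to it. Treat it as a convenience record and keep the domain controller security log as the authoritative source.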
