Computer Name

is there a way to find the computer a user logged onto last?
I have the user AD user name, want to know the computer name last logged into?

I searched powershell, I see options for knowing the last AD user logged onto a computer, but I need the computer name the AD user logged into...
Benny JacksonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alex GreenProject Systems EngineerCommented:
$Samaccountname = USername here
Computers = Get-content c:\temp\listofcomputers.txt
foreach($computer in $computers){
    $tempPath1 = "\\" + $computer + "\c$\Users\" + $samAccountName + "\"
    $tempPath2 = "\\" + $computer + "\c$\Users\" + $samAccountName + "." + $domainNetBios + "\"
    if((Test-Path $tempPath1) -or (Test-Path $tempPath2)){
        Write-Output $computer
    }
}

Open in new window


That'll pull the profile from each machine and tell you who has logged onto it.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Shaun VermaakTechnical SpecialistCommented:
Unless the profile is mapped to something other that USERNAME or USERNAME.DOMAIN (such as the case with a domain migration)

I would enable auditing and interrogate the DCs for this information. See the enable auditing section in this article
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html

You can use Powershell to enumerate through all the DCs

Here is an example of such a script
<# 
.SYNOPSIS 
Script that will list the logon information of AD users. 
 
.DESCRIPTION 
This script will list the AD users logon information with their logged on computers by inspecting the Kerberos TGT Request 
Events(EventID 4768) from domain controllers. Not Only User account Name is fetched, but also users OU path and Computer  
Accounts are retrieved. You can also list the history of last logged on users. In Environment where Exchange Servers are  
used, the exchange servers authentication request for users will also be logged since it also uses EventID (4768) to for  
TGT Request. You can also export the result to CSV file format. Powershell version 3.0 is needed to use the script. 
You can Define the following parameters to suite your need:                                                                                     
-MaxEvent        Specify the number of all (4768) events to search for TGT Requests. Default is 1000.                                             
-LastLogonOnly    Display only the history of last logon users.                                                                                 
-OuOnly            Do not display the full path of users/computers. Only OU is displayed.                                                         
Author: phyoepaing3.142@gmail.com                                                                                                             
Country: Myanmar(Burma)                                                                                                                         
Released Date: 08/29/2016 
 
Example usage:                                                                                       
.\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly -OuOnly 
 
.EXAMPLE 
.\Get_AD_Users_Logon_History.ps1 | Format-Table * -Auto 
This command will retrieve AD users logon within default 1000 EventID-4768 events and display the results as table. 
 
.EXAMPLE 
.\Get_AD_Users_Logon_History.ps1 -MaxEvent 500 -LastLogonOnly -OuOnly 
This command will retrieve AD users logon within 500 EventID-4768 events and show only the last logged users with their 
related logged on computers. Only OU name is displayed in results. 
 
.EXAMPLE 
.\Get_AD_Users_Logon_History.ps1 | Export-Csv Users_Loggedon_History.csv 
This command will retrieve AD users logon within default 1000 EventID-4768 events and export the result to CSV file. 
 
.PARAMETER MaxEvent 
This paraemeter will specify the number of EventID-4768 events to look for. 
 
.PARAMETER LastLogonOnly 
This paraemeter will display the history of last logged on users in descending order. 
 
.PARAMETER OuOnly 
This paraemeter will show only the OU names for users/computers but not the full path. 
 
.LINK 
You can find this script and more at: https://www.sysadminplus.blogspot.com/ 
#> 
 
param( [switch]$LastLogonOnly,[switch]$OuOnly,[int]$MaxEvent=1000) 
############## Find EventID 4768 with user's requesting Kerberos TGT, skipping Exchange Health Mailbox request and extracting  Users/Client names,IP Addresses #### 
$Domain = (Get-WmiObject Win32_Computersystem).domain 
$read_log={ 
Param ($MaxEvent,$OuOnly,$Domain)                                                                                    ## Define parameter to pass maxevent to scripblock 
$EventInfo=Get-WinEvent -FilterHashTable @{LogName="Security";ID=4768} -MaxEvents 200000  | select -first $MaxEvent | where {$_.Message -notmatch "SM_" } | where { $_.Message -notmatch "\$" } |  
 select @{N="Authenticated DC";Exp={$_.MachineName}},  
 @{N="LoggedOn Time";Exp={$_.TimeCreated}},  
 @{N="User"; Exp={ $SplitAccountName=(($_.Message -Split "\n") -match "Account Name") -split ':';$SplitAccountName[$SplitAccountName.Length-1].Trim() }},  
 @{N="User Location";Exp={}}, @{N="Workstation";Exp={}},  
 @{N="IP Address"; Exp={if((($_.Message -split "\n") -match "Client Address:").Trim() -match "::1" ) {"localhost"}  
 else { $SplitClientAddress=(($_.Message -Split "\n") -match "Client Address") -split ':'; $splitClientAddress[$splitClientAddress.Length-1].Trim() }}},  
 @{N="Computer Location";Exp={}} 
 
$EventInfo | foreach { 
$IPAddress=$_."Client Address" 
 
if ($_."IP Address" -eq "localhost") 
{ $Client_Name=[system.net.dns]::GetHostbyName($env:computername).hostname } 
else 
{  
###### Resolve the PTR record to find AD computer information ################ 
        #$Client_Name=(Resolve-DnsName $_."IP Address").NameHost 
        if ((Resolve-dnsname $_."IP Address" -Type PTR -TcpOnly -DnsOnly -ErrorAction "SilentlyContinue").Type -eq "PTR") 
        {  
        $Client_Name = (Resolve-dnsname $_."IP Address" -Type PTR -TcpOnly -DnsOnly).NameHost   
         
        } 
        else 
        { $Client_Name = "NOT FOUND" } 
 
} 
## $_."Authenticated DC"=($_."Authenticated DC" -split "."+$Domain)[0]  ##Uncomment this line if you want to strip off domain name in "Authenticated DC" list 
$user=$_.user 
############# Find the User account in AD and if not found, throw and exception ########### 
$Full_User_Property=0 
    Try                                                                                                    ## Need Try statement to test and surpress error 
    { 
    $Full_User_Property = (Get-AdUser $_.user -Properties *) 
    $_."User Location" = $Full_User_Property.CanonicalName.TrimStart($Domain).SubString(1) 
    } 
    catch 
        { }                                                                                             ## The $_."User Location" is not passed to catch statement thus needing another below statement to set value" 
If (!$Full_User_Property) 
    { $_."User Location"="NOT FOUND"  } 
$Full_User_Property=0 
 
If($OuOnly -AND ($_."User Location" -ne "NOT FOUND")) 
{ 
$_."User Location"= $_."User Location".Remove($_."User Location".LastIndexOf("/"))                        ##Trim the last user name part if -OuOnly flag is set 
} 
 
$_."Workstation"=($Client_Name -split "."+$Domain)[0]                                                    ## remove the domain suffix 
########## Find the Computer account in AD and if not found, throw an exception ########### 
$Full_Workstation_Property = 0 
    Try 
        { 
        $Full_Workstation_Property = Get-AdComputer $_."Workstation" -Properties * 
        $_."Computer Location"= $Full_Workstation_Property.CanonicalName.TrimStart($Domain).SubString(1) 
        } 
    catch 
        { } 
########## Here the catch exception does not work in Invoke session so we need to manually set the "NOT FOUND" value ###### 
If (!$Full_Workstation_Property) 
    { $_."Computer Location" = "NOT FOUND"} 
$Full_Workstation_Property=0 
 
If ($OuOnly -AND ($_."Computer Location" -ne "NOT FOUND"))                                                                                            ##Trim the last computer part if -OuOnly flag is set 
    { 
        $_."Computer Location"=$_."Computer Location".Remove($_."Computer Location".LastIndexOf("/")) 
    } 
Return $_ 
} 
} 
 
########### Job starts to query replica domain controllers ############# 
$result=@() 
$RemoteJob=@()                                                                                          ## Make array of remote jobs 
 
$DomainControllers = (Get-ADDomainController -Filter  { isGlobalCatalog -eq $true -or isGlobalCatalog -eq $false}).Name 
############### Start the Local Job and Remote Job to find the event id ################ 
$LocalJobExists=0 
If ($DomainControllers -contains $(hostname))                                                            ## Check if the computer running the script is Domain Controller itself 
{ 
$LocalJob = Start-Job -scriptblock $read_log -ArgumentList $MaxEvent,$OuOnly,$Domain;$LocalJobExists=1    ## If so, start job to query local domain controller 
} 
 
$DomainControllers | where {$_ -ne $(hostname)} | foreach {                                                ## Start remote jobs on each other domain controllers 
    $RemoteJob+= Invoke-Command -ComputerName $_ -ScriptBlock $read_log -ArgumentList $MaxEvent,$OuOnly,$Domain -AsJob   
    } 
 
If ($LocalJobExists) 
    { 
    $result = $LocalJob | Wait-Job | Receive-Job; Remove-Job $LocalJob                                    ## If the computer running the script is not a domain controller(may be RSAT installed), then all jobs will be remote jobs 
    } 
 
$RemoteJob | foreach { $result+=$_ | Wait-Job | Receive-Job ; Remove-Job $_}                            ## Wait and Receive remote jobs on each remote DCs and add to Local job result 
 
If ($LastLogonOnly) 
    { 
        $result | Sort-Object "LoggedOn Time" -Descending | Group-Object User | foreach { $_ | Select -ExpandProperty Group | select * -First 1 -ExcludeProperty PsComputerName,RunSpaceID,PsShowComputerName }   ## the Last LoggedOn time of Each User 
    } 
else 
    { 
        $result | Sort-Object "LoggedOn Time" -Descending | Select * -ExcludeProperty PsComputerName,RunSpaceID,PsShowComputerName  ## Normal Results 
    } 

Open in new window


https://gallery.technet.microsoft.com/scriptcenter/Get-All-AD-Users-Logon-9e721a89
Edmond HawilaChief Operating Officer - Cyprus BranchCommented:
Check the event viewer on the DC under Windows Logs > Security.
Export the Security log in CSV by clicking the option on the right "Save All Events As..." - Make sure you select csv in the file type field.
Open that in Excel and search for that username.
You should be able to see the instances of when he logged in and from which device/ip the logon was initiated.

Let me know how that works.
Benny JacksonAuthor Commented:
all helpful information.
I finally found the machine name in the Druva back under the Admin console.
I like the different options provided.

Thanks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.