Need to know? Checking the last logon username and time

You may find it necessary to check who logged on to a Windows client computer or a Windows production server. The first thing to understand is that Microsoft does not provide a PowerShell cmdlet that directly returns the last logged-on username. Let’s say you would like to check the last logon username, and the time of that logon, for 100 Windows client machines. Since Windows stores this information in its event logs, you can find the logged-on username by querying the Event Viewer. But you may need to know more.

Why check the last logon username?

Why would you need to know last logon username? Here are a few reasons:

  • To ensure genuine users are logging into your network.
  • To ensure the logged on user appears in an OU specified by you.
  • To ensure only authentic users are logging onto the production servers.

Checking who logged on information manually

Since Windows stores information about the last logged-on username in the Event Viewer, you can navigate through the Security log of a computer and search for Event ID 4672. The first event that you find contains the information about the person who logged onto the machine. Done manually, this can take a considerable amount of time. For example, if you need to check Event ID 4672 on 100 computers, you will have to connect to each Windows computer manually using the Event Viewer and then find the information you are looking for. PowerShell offers greater flexibility when it comes to automating a task. You can use the PowerShell commands explained in the next section of this article to check the last logged-on username.

Checking who logged on information using PowerShell

Microsoft provides the necessary PowerShell cmdlets to access Event Viewer information. Please note Microsoft doesn’t provide a straightforward PowerShell cmdlet that can be used to say, “Hey, who logged on to X machine.” But we can use the Get-WinEvent PowerShell cmdlet to query Event Logs as shown in the commands below:

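To check a single machine, run the PowerShell commands below:

$TargetName = "WindowsOS1"
# Newest Event ID 4672 in the Security log; Properties[1] holds the username
$RC = Get-WinEvent -ComputerName $TargetName -FilterHashtable @{ LogName = 'Security'; ID = 4672 } -MaxEvents 1 | Select-Object @{ N = 'User'; E = { $_.Properties[1].Value } }, TimeCreated
# The calculated property above is named User, so read it back under that name
$RC.User
$RC.TimeCreated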

By running the PowerShell commands above, you check the last logged-on username and time on the “WindowsOS1” Windows machine. If you need to retrieve the last logged-on username and time from multiple Windows computers, you can write a small PowerShell script that also stores the output in a CSV file. The next few sections provide that PowerShell script.
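The command above picks the username by position (Properties[1]) inside a calculated property, where N and E are short for Name and Expression. As an added example (not from the original article or the User Logon Reporter tool), the code below reads the same Event ID 4672 fields by name from the event XML and skips SYSTEM, service and computer accounts, which also generate Event ID 4672. The helper name ConvertFrom-Event4672Xml, the CONTOSO accounts and the sample events are constructed for illustration.

```powershell
# Added example. ConvertFrom-Event4672Xml is a hypothetical helper name.
# SIDs of SYSTEM, LOCAL SERVICE and NETWORK SERVICE, which also log Event ID 4672.
$ServiceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

function ConvertFrom-Event4672Xml {
    # Reads one 4672 event by field name instead of by position (Properties[1]).
    param([Parameter(Mandatory)][string]$EventXml)

    $doc    = [xml]$EventXml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreatedUtc = $doc.Event.System.TimeCreated.SystemTime
        User           = '{0}\{1}' -f $fields.SubjectDomainName, $fields.SubjectUserName
        Sid            = $fields.SubjectUserSid
        # Service SIDs and computer accounts (name ends in $) are not people.
        IsService      = ($fields.SubjectUserSid -in $ServiceSids) -or
                         ($fields.SubjectUserName -like '*$')
    }
}

# Constructed sample events, newest first (not captured from a real machine).
$Template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>4672</EventID><TimeCreated SystemTime='{0}'/></System><EventData>" +
    "<Data Name='SubjectUserSid'>{1}</Data><Data Name='SubjectUserName'>{2}</Data>" +
    "<Data Name='SubjectDomainName'>{3}</Data></EventData></Event>"
$Sample = @(
    $Template -f '2024-01-15T09:02:11Z', 'S-1-5-18', 'SYSTEM', 'NT AUTHORITY'
    $Template -f '2024-01-15T09:01:40Z', 'S-1-5-21-1111111111-2222222222-3333333333-1001', 'WINDOWSOS1$', 'CONTOSO'
    $Template -f '2024-01-15T08:47:03Z', 'S-1-5-21-1111111111-2222222222-3333333333-1104', 'jsmith', 'CONTOSO'
)

# The newest event belongs to SYSTEM; the first non-service entry is the one to report.
$Sample | ForEach-Object { ConvertFrom-Event4672Xml $_ } |
    Where-Object { -not $_.IsService } |
    Select-Object -First 1

# Live use against a machine (needs rights to read its Security log):
# Get-WinEvent -ComputerName 'WindowsOS1' -MaxEvents 50 `
#     -FilterHashtable @{ LogName = 'Security'; Id = 4672 } |
#     ForEach-Object { ConvertFrom-Event4672Xml $_.ToXml() } |
#     Where-Object { -not $_.IsService } | Select-Object -First 1
```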

What does this PowerShell script do?

The PowerShell script provided in this article performs the following functions:

  • It collects the computer names to be checked from the AllTargets.DPC file. This file contains the list of computers that will be checked by the script.
  • It connects to the Event Viewer on each Windows machine and collects Event ID 4672 from the Security log. From that event, it retrieves the last logon username and the time the event was generated.

The PowerShell script

Executing the PowerShell script below will generate a report in CSV format. The script can be executed from Windows 8 and newer Windows operating systems. However, before you run the script, create the file C:\Temp\AllTargets.DPC containing the list of computer names to be checked. The script reads this file with Import-CSV and uses its TargetName column, so the first line of the file must be TargetName.

# Report file and its CSV header row
$TargetReportFile = "C:\Temp\LoggedOnReport.CSV"
$ThisString = "Target,Status,Username,Logon Time"
Add-Content $TargetReportFile $ThisString
# AllTargets.DPC is a CSV file whose header line is TargetName
$AllTargetsCSV = Import-Csv "C:\Temp\AllTargets.DPC"
foreach ($ItemName in $AllTargetsCSV)
{
    $TargetNameNow = $ItemName.TargetName
    $Status = "Ok"
    try
    {
        # Newest Event ID 4672 in the Security log; Properties[1] holds the username
        $RC = Get-WinEvent -ComputerName $TargetNameNow -FilterHashtable @{ LogName = 'Security'; ID = 4672 } -MaxEvents 1 -ErrorAction Stop | Select-Object @{ N = 'User'; E = { $_.Properties[1].Value } }, TimeCreated
    }
    catch
    {
        # Unreachable machine, access denied, or no matching event
        $RC = $null
        $Status = "Error"
    }
    $STRNow = $TargetNameNow + "," + $Status + "," + $RC.User + "," + '"' + $RC.TimeCreated + '"'
    Add-Content $TargetReportFile $STRNow
}
Write-Host "Script has finished executing."

Once the above PowerShell script has finished executing, you can see a report under “C:\Temp\LoggedOnReport.CSV” that contains the name of the computer, last logon username, and time the event was generated. This is also shown in the screenshot below:

[Screenshot: last logon username report]

As you can see in the above output, the script checked five computers and last logged on username was reported along with the time.

The above script was taken from the User Logon Reporter tool. The User Logon Reporter tool is designed to check the last logged-on username and the time when the user logged on to a Windows machine, and to generate a report in CSV format. The User Logon Reporter supports retrieving computer accounts from multiple sources, such as a CSV file, Active Directory domain organizational units and so on. User Logon Reporter can check the status of a computer before executing the Get-WinEvent PowerShell command, and it also supports scheduling the activity and having the report emailed to you, as shown in the screenshot below.

[Screenshot: User Logon Reporter scheduling and email report options]

Apart from scheduling, Ossisto 365 Logon Reporter tool also supports executing the task under an alternate credential.


4 thoughts on “Need to know? Checking the last logon username and time”

  1. Hi there,
    Great article thx!
    Do you think you could explain the part after the first pipe:
    $RC = ….. | Select @{ N = ‘User’; E = { $_.Properties[1].Value } }, TimeCreated

    Especially the hash table “N = ‘User’ ;E = { $_.Properties[1].Value } , where does the N=’User’ and E (etc) come from?

    I looked at Get-Member of the returned get-winevent object but I don’t get it, I don’t understand that logic of how you came to build this thing …

    Would you mind explaining that part?
    Thank you very much!
    Regards,
    Didier
