Need to know? Checking the last logon username and time

You may find it necessary to check as to who logged on to a Windows client computer and Windows production servers. First thing to understand is that Microsoft does not provide a PowerShell cmdlet that you can use to query the last logged on username information. Let’s say you would like to check who the last logon username for 100 Windows client machines and the time they logged on. Since Windows utilizes an Event Log database to store information, you can easily find logged-on username information by querying the Event Viewer. But you may need to know more.

Why check the last logon username?

Why would you need to know last logon username? Here are a few reasons:

  • To ensure genuine users are logging into your network.
  • To ensure the logged on user appears in an OU specified by you.
  • To ensure only authentic users are logging onto the production servers.

Checking who logged on information manually

Since Windows stores information about last logged on username information in the Event Viewer, you can navigate through the Security Log of a computer and then search for Event ID 4672. The first Event ID that you find contains the information about the person who logged onto the machine. As part of the manual process, it might take a considerable amount of time. For example, if you need to check Event ID 4672 on 100 computers, you will have to connect to each Windows computer manually using the Event Viewer and then find the information you are looking for. PowerShell offers greater flexibility when it comes to automating a task. You can use PowerShell commands explained in the next section of this article to check the last logged on username.

Checking who logged on information using PowerShell

Microsoft provides the necessary PowerShell cmdlets to access Event Viewer information. Please note Microsoft doesn’t provide a straightforward PowerShell cmdlet that can be used to say, “Hey, who logged on to X machine.” But we can use the Get-WinEvent PowerShell cmdlet to query Event Logs as shown in the commands below:

To check for a single machine, run below PowerShell this command:

$TargetName = “WindowsOS1”
$RC = Get-WinEvent -Computer $TargetName -FilterHashtable @{ Logname = ‘Security’; ID = 4672 } -MaxEvents 1 | Select @{ N = ‘User’; E = { $_.Properties[1].Value } }, TimeCreated

By running the PowerShell script above, you are checking the last logged on username and time on “WindowsOS1” windows machine. In case you need to retrieve last logged on username and time from multiple Windows computers, you may want to design a small PowerShell script and also a few statements within the PowerShell script to store the output in a CSV file. The next few sections provide that PowerShell script.

What does this PowerShell script do?

The PowerShell script provided in this article performs the following functions:

  • It collects the computer names to be checked from AllTargets.DPC file. This file contains the list of computers that will be checked by the script.
  • the Script connects to the Event Viewer on each Windows machine and then collects security ID 4672. Once collected, the information such as last logon username and time the event generated is retrieved.

The PowerShell script

Executing the PowerShell script below will generate a report in CSV format. The script can be executed from Windows 8 and newer Windows operating systems. However, before you run the script, please ensure you create a file under called C:\Temp\AllTargets.DPC file that contains the list of computer names to be checked by the script.

$TargetReportFile = "C:\Temp\LoggedOnReport.CSV"
$ThisString="Target, Status, Username, Logon Time"
Add-Content "$TargetReportFile" $ThisString
$AllTargetsCSV = Import-CSV "C:\Temp\AllTargets.DPC"
$TotTargets = $AllTargetsCSV.Count
$n = 0
foreach ($ItemName in $AllTargetsCSV)
$TargetNameNow = $ItemName.TargetName
$RC = Get-WinEvent -Computer $TargetNameNow -FilterHashtable @{ Logname = ‘Security’; ID = 4672 } -MaxEvents 1 | Select @{ N = ‘User’; E = { $_.Properties[1].Value } }, TimeCreated
$ValueA = $TargetNameNow
$ValueB = $RC.User
$ValueC = $RC.TimeCreated
$STRNow = $ValueA + ",Ok," + $ValueB + "," + ‘"‘ + $ValueC + ‘"‘
Add-Content $TargetReportFile $STRNow
Write-Host "Script was finished executing successfully!"

Once the above PowerShell script has finished executing, you can see a report under “C:\Temp\LastLogonReport.CSV” that contains the name of the computer, last logon username, and time the event was generated. This is also shown in the screenshot below:

As you can see in the above output, the script checked five computers and last logged on username was reported along with the time.

The above script was retrieved from User Logon Reporter tool. The User Logon Reporter tool is designed to check last logged on username, time when the user logged on to a Windows machine, and also generate a report in CSV format. The User Logon Reporter supports retrieving computer accounts from multiple sources such as from a CSV file, Active Directory domain organizational units and so on. User Logon Reporter can check the status of a computer before executing the Get-WinEvent PowerShell command and it also supports scheduling the activity and have the report emailed to you as shown in the screenshot below.

Apart from scheduling, Ossisto 365 Logon Reporter tool also supports executing the task under an alternate credential.

Featured image: Shutterstock

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.

Published by
Nirmal Sharma
Tags Powershell

Recent Posts

Amazon Fraud Detector generally available

Online payment frauds are a threat to any company doing business on the Web. Amazon…

52 mins ago

Identity and access management sector buzzes with new funding, partnerships, solutions

Because no organization wants to end up in the headlines for a data breach, there…

4 hours ago

Remove virtual machines and virtual hard disks completely with PowerShell

Deleting virtual machines is easy, but if you don’t also remove virtual hard disks, you…

23 hours ago

Secure your WordPress website: Simple steps to stay safe

Many small businesses use WordPress to build their website. And while WordPress has many options…

1 day ago

Qumulo raises $125M for cloud data management across a hybrid setup

Qumulo is an up-and-coming data management solution focusing on managing files in a hybrid setup.…

4 days ago

Why SMBs need a standalone solution for Windows 10 patch management

Is patch management for the Windows PCs at your business driving you crazy? Maybe there's…

4 days ago