Need to know? Checking the last logon username and time

You may find it necessary to check who logged on to a Windows client computer and Windows production servers. The first thing to understand is that Microsoft does not provide a PowerShell cmdlet that you can use to query the last logged-on username. Let’s say you would like to check the last logon username for 100 Windows client machines and the time they logged on. Since Windows uses an Event Log database to store information, you can easily find logged-on username information by querying the Event Viewer. But you may need to know more.

Why check the last logon username?

Why would you need to know last logon username? Here are a few reasons:

  • To ensure genuine users are logging into your network.
  • To ensure the logged on user appears in an OU specified by you.
  • To ensure only authentic users are logging onto the production servers.

Checking who logged on information manually

Since Windows stores the last logged-on username in the Event Viewer, you can navigate through the Security Log of a computer and then search for Event ID 4672. The first event that you find contains the information about the person who logged onto the machine. Doing this manually can take a considerable amount of time. For example, if you need to check Event ID 4672 on 100 computers, you will have to connect to each Windows computer manually using the Event Viewer and then find the information you are looking for. PowerShell offers greater flexibility when it comes to automating a task. You can use the PowerShell commands explained in the next section of this article to check the last logged-on username.

Checking who logged on information using PowerShell

Microsoft provides the necessary PowerShell cmdlets to access Event Viewer information. Please note Microsoft doesn’t provide a straightforward PowerShell cmdlet that can be used to say, “Hey, who logged on to X machine.” But we can use the Get-WinEvent PowerShell cmdlet to query Event Logs as shown in the commands below:

To check a single machine, run the PowerShell command below:

$TargetName = "WindowsOS1"
$RC = Get-WinEvent -ComputerName $TargetName -FilterHashtable @{ Logname = 'Security'; ID = 4672 } -MaxEvents 1 | Select-Object @{ N = 'User'; E = { $_.Properties[1].Value } }, TimeCreated

By running the PowerShell command above, you are checking the last logged-on username and time on the “WindowsOS1” Windows machine. If you need to retrieve the last logged-on username and time from multiple Windows computers, you may want to write a small PowerShell script that also includes a few statements to store the output in a CSV file. The next few sections provide that PowerShell script.

What does this PowerShell script do?

The PowerShell script provided in this article performs the following functions:

  • It collects the computer names to be checked from the AllTargets.DPC file. This file contains the list of computers that will be checked by the script.
  • The script connects to the Event Viewer on each Windows machine and then collects Security Event ID 4672. Once collected, information such as the last logon username and the time the event was generated is retrieved.

The PowerShell script

Executing the PowerShell script below will generate a report in CSV format. The script can be executed from Windows 8 and newer Windows operating systems. However, before you run the script, please ensure you create a file called C:\Temp\AllTargets.DPC that contains the list of computer names to be checked by the script.

# Report file and its header row
$TargetReportFile = "C:\Temp\LoggedOnReport.CSV"
$ThisString = "Target, Status, Username, Logon Time"
Add-Content "$TargetReportFile" $ThisString
# AllTargets.DPC is read as CSV, so its first line must be the header TargetName
$AllTargetsCSV = Import-CSV "C:\Temp\AllTargets.DPC"
$TotTargets = $AllTargetsCSV.Count
$n = 0
foreach ($ItemName in $AllTargetsCSV)
{
    $TargetNameNow = $ItemName.TargetName
    # Newest Event ID 4672 in the Security log; Properties[1] holds the account name
    $RC = Get-WinEvent -ComputerName $TargetNameNow -FilterHashtable @{ Logname = 'Security'; ID = 4672 } -MaxEvents 1 | Select-Object @{ N = 'User'; E = { $_.Properties[1].Value } }, TimeCreated
    $ValueA = $TargetNameNow
    $ValueB = $RC.User
    $ValueC = $RC.TimeCreated
    # One CSV row per computer; the timestamp is wrapped in double quotes
    $STRNow = $ValueA + ",Ok," + $ValueB + "," + '"' + $ValueC + '"'
    Add-Content $TargetReportFile $STRNow
}
Write-Host "Script was finished executing successfully!"

Once the above PowerShell script has finished executing, you can see a report under “C:\Temp\LoggedOnReport.CSV” that contains the name of the computer, last logon username, and time the event was generated. This is also shown in the screenshot below:

As you can see in the above output, the script checked five computers and the last logged-on username was reported along with the time.
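As an added example (not the article's code and not taken from the User Logon Reporter tool), here is a variant of the script above that handles two cases the one-event query does not: a computer that cannot be queried, and a newest 4672 record that belongs to SYSTEM, a service account or a machine account. Windows records Event ID 4672 as "Special privileges assigned to new logon", so it is written for privileged logons, including those background accounts. The function name, the 200-event lookback and the noise list are assumptions; the TargetName column and file paths come from the script above.

```powershell
# Added example, not the article's script. Assumes C:\Temp\AllTargets.DPC is a CSV
# with a "TargetName" header, as the article's script implies.
$TargetsFile = 'C:\Temp\AllTargets.DPC'
$ReportFile  = 'C:\Temp\LoggedOnReport.CSV'

# Assumed noise list (English account names); extend it for your environment.
$NoiseUsers = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

function Get-LastPrivilegedLogon {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Lookback = 200)

    $filter = @{ LogName = 'Security'; Id = 4672 }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $Lookback -ErrorAction Stop
    }
    catch {
        # Unreachable host, access denied, or no matching events: record it, do not abort.
        return [pscustomobject]@{
            Target = $ComputerName; Status = "Failed: $($_.Exception.Message)"
            Username = $null; LogonTime = $null
        }
    }

    # Events arrive newest first. Properties[1] is the account name, [2] its domain.
    $hit = $events | Where-Object {
        $name = [string]$_.Properties[1].Value
        $name -notin $NoiseUsers -and -not $name.EndsWith('$')   # '$' suffix: machine or managed service account
    } | Select-Object -First 1

    if (-not $hit) {
        return [pscustomobject]@{
            Target = $ComputerName; Status = 'NoUserEvent'; Username = $null; LogonTime = $null
        }
    }
    [pscustomobject]@{
        Target    = $ComputerName
        Status    = 'Ok'
        Username  = '{0}\{1}' -f $hit.Properties[2].Value, $hit.Properties[1].Value
        LogonTime = $hit.TimeCreated.ToString('s')   # sortable ISO 8601 timestamp
    }
}

# Export-Csv writes the header once and quotes every field, so re-runs do not stack header lines.
Import-Csv $TargetsFile |
    ForEach-Object { Get-LastPrivilegedLogon -ComputerName $_.TargetName } |
    Export-Csv -Path $ReportFile -NoTypeInformation
```

Rows with a Status other than Ok identify machines whose result should not be read as "nobody logged on".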

The above script was retrieved from the User Logon Reporter tool. The User Logon Reporter tool is designed to check the last logged-on username and the time when the user logged on to a Windows machine, and to generate a report in CSV format. The User Logon Reporter supports retrieving computer accounts from multiple sources such as a CSV file, Active Directory domain organizational units and so on. User Logon Reporter can check the status of a computer before executing the Get-WinEvent PowerShell command, and it also supports scheduling the activity and having the report emailed to you as shown in the screenshot below.

Apart from scheduling, the Ossisto 365 Logon Reporter tool also supports executing the task under an alternate credential.


Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.
