Need to know? Checking the last logon username and time

You may need to check who logged on to a Windows client computer and Windows production servers. The first thing to understand is that Microsoft does not provide a PowerShell cmdlet that you can use to query the last logged-on username information. Let's say you would like to check the last logon username, and the time of that logon, for 100 Windows client machines. Since Windows utilizes an Event Log database to store information, you can easily find logged-on username information by querying the Event Viewer. But you may need to know more.

Why check the last logon username?

Why would you need to know the last logon username? Here are a few reasons:

  • To ensure genuine users are logging into your network.
  • To ensure the logged on user appears in an OU specified by you.
  • To ensure only authentic users are logging onto the production servers.

Checking who logged on information manually

Since Windows stores the last logged-on username information in the Event Viewer, you can navigate through the Security Log of a computer and then search for Event ID 4672. The first event with that ID that you find contains the information about the person who logged on to the machine. Done manually, this can take a considerable amount of time. For example, if you need to check Event ID 4672 on 100 computers, you will have to connect to each Windows computer manually using the Event Viewer and then find the information you are looking for. PowerShell offers greater flexibility when it comes to automating a task. You can use the PowerShell commands explained in the next section of this article to check the last logged-on username.

Checking who logged on information using PowerShell

Microsoft provides the necessary PowerShell cmdlets to access Event Viewer information. Please note Microsoft doesn’t provide a straightforward PowerShell cmdlet that can be used to say, “Hey, who logged on to X machine.” But we can use the Get-WinEvent PowerShell cmdlet to query Event Logs as shown in the commands below:

To check a single machine, run the PowerShell commands below:

# Newest Event ID 4672 from the target's Security log; Properties[1] holds the account name
$TargetName = "WindowsOS1"
$RC = Get-WinEvent -ComputerName $TargetName -FilterHashtable @{ Logname = 'Security'; ID = 4672 } -MaxEvents 1 | Select @{ N = 'User'; E = { $_.Properties[1].Value } }, TimeCreated
$RC

By running the PowerShell script above, you are checking the last logged-on username and time on the "WindowsOS1" Windows machine. If you need to retrieve the last logged-on username and time from multiple Windows computers, you may want to write a small PowerShell script that includes a few statements to store the output in a CSV file. The next few sections provide that PowerShell script.

What does this PowerShell script do?

The PowerShell script provided in this article performs the following functions:

  • It collects the computer names to be checked from the AllTargets.DPC file. This file contains the list of computers that will be checked by the script.
  • The script connects to the Event Viewer on each Windows machine and then collects Security log Event ID 4672. Once collected, information such as the last logon username and the time the event was generated is retrieved.

The PowerShell script

Executing the PowerShell script below will generate a report in CSV format. The script can be executed from Windows 8 and newer Windows operating systems. However, before you run the script, please ensure you create a file called C:\Temp\AllTargets.DPC that contains the list of computer names to be checked by the script.

# Report file and its CSV header row
$TargetReportFile = "C:\Temp\LoggedOnReport.CSV"
$ThisString="Target, Status, Username, Logon Time"
Add-Content "$TargetReportFile" $ThisString
# AllTargets.DPC is read as CSV, so it needs a TargetName header line
$AllTargetsCSV = Import-CSV "C:\Temp\AllTargets.DPC"
$TotTargets = $AllTargetsCSV.Count
$n = 0
foreach ($ItemName in $AllTargetsCSV)
{
    $TargetNameNow = $ItemName.TargetName
    # Newest Event ID 4672 in the target's Security log
    $RC = Get-WinEvent -ComputerName $TargetNameNow -FilterHashtable @{ Logname = 'Security'; ID = 4672 } -MaxEvents 1 | Select @{ N = 'User'; E = { $_.Properties[1].Value } }, TimeCreated
    $ValueA = $TargetNameNow
    $ValueB = $RC.User
    $ValueC = $RC.TimeCreated
    # Quote the timestamp so it stays in a single CSV field
    $STRNow = $ValueA + ",Ok," + $ValueB + "," + '"' + $ValueC + '"'
    Add-Content $TargetReportFile $STRNow
}
Write-Host "Script was finished executing successfully!"

Once the above PowerShell script has finished executing, you can see a report under "C:\Temp\LoggedOnReport.CSV" that contains the name of the computer, last logon username, and time the event was generated. This is also shown in the screenshot below:

As you can see in the above output, the script checked five computers and last logged on username was reported along with the time.
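A variant of the multi-computer check that handles the cases the script above does not, added here as an example (it is not the article's or the User Logon Reporter tool's code). Event ID 4672 is recorded when special privileges are assigned to a new logon, so the newest one frequently belongs to SYSTEM, a service, or a computer account; this version skips those and records a per-host status instead of always writing "Ok". The function name Get-LastPrivilegedLogon, the SearchDepth parameter and the output path are assumptions.

```powershell
# Added example, not the article's script.
function Get-LastPrivilegedLogon {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$SearchDepth = 200   # hypothetical cap on events examined per host
    )
    # Well-known service SIDs: LocalSystem, LocalService, NetworkService
    $serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
    $filter = @{ LogName = 'Security'; Id = 4672 }

    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ Target = $computer; Status = 'Ok'; Username = $null; LogonTime = $null }
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -MaxEvents $SearchDepth -ErrorAction Stop
            # Events arrive newest first; keep the first one tied to a user account.
            $hit = $events | Where-Object {
                $sid  = [string]$_.Properties[0].Value   # SubjectUserSid
                $name = [string]$_.Properties[1].Value   # SubjectUserName
                ($serviceSids -notcontains $sid) -and ($name -notlike '*$')
            } | Select-Object -First 1

            if ($hit) {
                # Report Domain\User so a local account is not mistaken for a domain one
                $row.Username  = '{0}\{1}' -f $hit.Properties[2].Value, $hit.Properties[1].Value
                $row.LogonTime = $hit.TimeCreated.ToString('s')
            } else {
                $row.Status = 'NoUserEvent'
            }
        } catch {
            # Unreachable host, access denied, or no 4672 events at all
            $row.Status = 'Error: ' + $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Constructed usage: query the local machine (reading the Security log needs an elevated session)
Get-LastPrivilegedLogon -ComputerName $env:COMPUTERNAME |
    Export-Csv -Path "$env:TEMP\LoggedOnReport.csv" -NoTypeInformation
```

Export-Csv quotes every field, so usernames or error messages containing commas do not break the report columns.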

The above script was retrieved from the User Logon Reporter tool. The User Logon Reporter tool is designed to check the last logged-on username and the time when the user logged on to a Windows machine, and to generate a report in CSV format. The User Logon Reporter supports retrieving computer accounts from multiple sources, such as a CSV file, Active Directory domain organizational units and so on. User Logon Reporter can check the status of a computer before executing the Get-WinEvent PowerShell command, and it also supports scheduling the activity and having the report emailed to you, as shown in the screenshot below.

Apart from scheduling, the Ossisto 365 Logon Reporter tool also supports executing the task under an alternate credential.

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.
