six demon bag

Wind, fire, all that kind of thing!


Check the Last User Logon

As a system administrator you're sometimes tasked with finding out who the last person logged into a particular computer was, or when a particular person was last logged in on some computer(s).

Windows records this information in the Security eventlog when you enable auditing account logon events.

Enable logon event auditing

The event IDs to look for are 528 (Windows XP and earlier) and 4624 (Windows Vista and newer) with the logon types 2 (Interactive) for console logons and 10 (RemoteInteractive) for Remote Desktop logons.

With PowerShell the last n successful logons can be extracted from a computer's eventlog like this:

$n = 10

Get-EventLog Security -InstanceId 528,4624 -EntryType SuccessAudit `
  | ? { $_.Message -match 'logon type:\s+(2|10)\s' } `
  | sort TimeGenerated -Desc `
  | select -First $n TimeGenerated,
    @{n='User';e={$_.Message -replace '^[\s\S]*account name:\s+(\S*)[\s\S]*$','$1'}},

The last logons of a given user on a number of computers can be determined like this:

$user = [regex]::Escape('jdoe')
$comp = 'HostA', 'HostB', 'HostC'

Get-EventLog Security -Computer $comp -InstanceId 528,4624 -EntryType SuccessAudit | ? {
  $_.Message -match "account name:\s+$user\s" -and
  $_.Message -match 'logon type:\s+(2|10)\s'
} | group MachineName | % {
  $_.Group | sort TimeGenerated -Desc `
    | select -First 1 MachineName, TimeGenerated, @{n='LogonType';e={$matches[1]}}

In principle one could use a single regular expression to match both account name and logon type. However, the events 528 and 4624 don't have the same message layout. The former puts the account name before the logon type whereas the latter puts it after the logon type. Hence the use of two regular expressions.

Posted 16:03 [permalink]