It sort of depends on what you're trying to get. If you want to know who the last person to access a system was, then the event log is the place to be. However, then you have to deal with remote access, runas and all that jazz. My gut tells me that you want to know the last person to physically log on. If that is the case, I would keep it simple. No matter what, when any user logs on locally to a Windows box they have to load a profile. The easiest way would be to check and see which profile was loaded last.
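param (
    [string]$target = "localhost",
    [switch]$xp
)
# Profiles live under "Documents and Settings" on XP and under "Users" on later versions.
if ($xp)
{
    # Sort newest first so the first entry is the most recently written profile folder.
    return Get-ChildItem -Path "\\$target\C$\Documents and Settings" | Sort-Object LastWriteTime -Descending | Select-Object -First 1 Name
}
else
{
    return Get-ChildItem -Path "\\$target\C$\Users" | Sort-Object LastWriteTime -Descending | Select-Object -First 1 Name
}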
I know that this isn't the traditional way to approach this particular problem, but parsing logs is very inefficient, and I hate inefficient.
Hope that helps,
~Glenn
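
An added example, not part of the post above: the same profile-based check, but ranking profiles by the last-write time of each NTUSER.DAT hive and skipping shared folders, and returning the top few rows so close timestamps can be compared. The function name, its parameters and the choice of NTUSER.DAT as the signal are assumptions of this example.

```powershell
# Added example; Get-LastProfileUse and its parameters are hypothetical names.
function Get-LastProfileUse {
    param(
        [string]$Target      = 'localhost',
        [string]$ProfileRoot = 'Users',      # use 'Documents and Settings' on XP
        [int]$Top            = 5
    )

    # Folders under the profile root that do not belong to an interactive user.
    $skip = 'Public', 'Default', 'Default User', 'All Users'
    $root = "\\$Target\C$\$ProfileRoot"

    Get-ChildItem -Path $root -ErrorAction Stop |
        Where-Object { $_.PSIsContainer -and $skip -notcontains $_.Name } |
        ForEach-Object {
            # NTUSER.DAT is a hidden file, so -Force is needed to read its metadata.
            $hivePath = Join-Path $_.FullName 'NTUSER.DAT'
            $hive = Get-Item -LiteralPath $hivePath -Force -ErrorAction SilentlyContinue
            if ($hive) {
                New-Object PSObject -Property @{
                    Name            = $_.Name
                    HiveLastWrite   = $hive.LastWriteTime
                    FolderLastWrite = $_.LastWriteTime
                }
            }
        } |
        Sort-Object HiveLastWrite -Descending |
        Select-Object -Property Name, HiveLastWrite, FolderLastWrite -First $Top
}

Get-LastProfileUse -Target 'localhost'
```

Software other than the logon process can also write to a hive or profile folder, so treat the result as a lead to confirm against the event log rather than as proof of who logged on.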