find computer user last logon to
Last Post 01 Aug 2011 09:13 AM by A. Stone. 5 Replies.

cymba
26 Apr 2011 10:27 AM
    Is there a way to find a user's last logon as well as the computer the user logged on to with PowerShell?

    Thanks in advance.

    bluehat
    26 Apr 2011 11:08 AM
    Oh my gosh, if PowerShell could do this I would be so excited. This comes up at least once a month and I have no idea how to help people and we end up making a new account for them because we can't track down what server or computer or service or whatever is using their account and constantly locking it out.

    I imagine it would have to query every single server and computer in our domain to find out where in the world this guy is still logged in at.

    cymba
    26 Apr 2011 11:14 AM
    Cool, thanks for the response. At least I know I am not the only one!

    ChevyNovaLN
    26 Apr 2011 12:27 PM
    I'm trying to find an answer to this right now, but one thought (my old company used this) is to include something in a logon script, tied to their AD account, that writes the PC/Server name and Date/time into a log file, stored on their Home Drive (or some other central location that ALL users have access to).

    I know terminal service sessions are hard to query 'cleanly' using any native WMI queries.... but here's something that may get you started:

    query user /server:COMPUTERNAME | where {$_ -match "USERID"}

    This is not native powershell, but it at least returns the list of sessions on a machine and by doing the where clause making sure each line returned contains part of the USERID.

    You could then do a foreach swapping out the COMPUTERNAME with each machine you wanted to check and then if the results come back with any data, write the computer name out.

    Not the best way, but it's a quick way.

    Brian / ChevyNovaLN
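
The foreach loop described in the post above, written out as an added example (not code from the thread or its authors): it runs `query user` against each machine and turns the text output into objects, including disconnected sessions whose SESSIONNAME column is blank. The function names, the computer names and the sample output are assumptions made for illustration.

```powershell
# Added example, not from the thread. Function names, computer names and the
# sample text below are constructed for illustration.
function ConvertFrom-QueryUser {
    # Turn the text lines printed by 'query user' into objects.
    param([string[]]$Line, [string]$ComputerName)
    # Columns: USERNAME SESSIONNAME ID STATE IDLE-TIME LOGON-TIME.
    # SESSIONNAME is blank for disconnected sessions, so it is optional here.
    # The header row fails the numeric ID test and is skipped automatically.
    $pattern = '^[ >](?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+' +
               '(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            New-Object PSObject -Property @{
                ComputerName = $ComputerName
                UserName     = $Matches['user']
                SessionName  = $Matches['session']   # $null when disconnected
                Id           = [int]$Matches['id']
                State        = $Matches['state']
                IdleTime     = $Matches['idle']
                LogonTime    = $Matches['logon'].Trim()
            }
        }
    }
}

function Find-UserSession {
    # Check each computer in turn and emit only the sessions of one user.
    param([string[]]$ComputerName, [string]$UserName)
    foreach ($c in $ComputerName) {
        # "No User exists for *" and RPC errors go to stderr; discard them so
        # an empty or unreachable machine simply produces no objects.
        $out = query user "/server:$c" 2>$null
        ConvertFrom-QueryUser -Line $out -ComputerName $c |
            Where-Object { $_.UserName -like $UserName }
    }
}

# Constructed sample of 'query user' output, parsed without touching a network.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    ' jsmith                rdp-tcp#3           2  Active          5  4/26/2011 10:27 AM'
    ' jsmith                                    4  Disc      1+02:13  4/25/2011 6:02 PM'
)
ConvertFrom-QueryUser -Line $sample -ComputerName 'TS01' |
    Format-Table ComputerName, UserName, Id, State, LogonTime -AutoSize

# Live use against real machines (names are placeholders):
# Find-UserSession -ComputerName 'TS01','TS02' -UserName 'jsmith'
```

The STATE column is localized on non-English Windows, which is why the pattern accepts any non-blank token there rather than the literal words Active and Disc.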

    ChevyNovaLN
    26 Apr 2011 06:38 PM
    @bluehat

    Scripting aside, have you tried other methods of determining why a user is locked out? We have this happen sometimes where I work (6000 users) and as long as I (or my team) are alerted to it within 12 hours, we're able to run the 'lockoutstatus' tool, enter the user's ID, domain, and it'll tell you on which domain controller(s) the last bad password attempts occurred. Look for the most recent entry and then go to that Domain Controller, look in its 'Security' Event log at that EXACT Time noted in lockoutstatus, down to the second. You will find some failure events. Usually these failure events mention an IP Address of the offending workstation. Sometimes, the IP address will be that of another Domain Controller.... so go look on THAT domain controller's security log at the same time and see the corresponding failure event.

    I agree scripting would be beneficial, just thought I'd at least give an answer to your statement about creating a new account for a user instead of finding the issue. :)

    Check into 'lockoutstatus'. I think it's part of the support tools, or maybe the resource kit for 2003. I can't recall which right now.

    Brian / ChevyNovaLN

    A. Stone
    01 Aug 2011 09:13 AM
    I just posted a PowerShell script into the script vault that helps with this problem. I'm still a little new to PowerShell so it's not polished, but works. We were having the same problem, users get locked out every day with no idea as to why. The script will use a WMI call to make a backup of the security log on whatever domain controller you point it at. It then pulls the log local (for speed) and parses two ways looking for specific events. If any of these events are found, they are written into an output file in your c:\temp directory. Run it against each domain controller in your domain and review the output after each run. Since writing the script, I've been able to solve the mystery for every user that calls. Again, sorry that the script is a little rough around the edges, but I haven't had time to make it "pretty" yet. It's named Get-LockoutInfo in the scripts section.