Best way to find the computer a user last logged on from?

Solution 1:

As part of our logon script I have that information (and more) logged into a hidden share on a server, with one log file per user. A logoff script adds the time the user logged off to the same log file. Easy to set up, no cost and the information is there in an easy-to-read format.

Solution 2:

We do this via logon script which updates the computer object's description in AD.

You need to perform a custom delegation of control to allow "Authenticated Users" to write the description property of computer objects in the domain/s.

Once that's done, all you need is a script that generates whatever information you want and writes the properties to the computer object. This script is then assigned as a login script via a Group Policy object linked to the domain.

We put a timestamp, username, IP(s) in the description field. The timestamp comes first because it makes it easy to quickly see "old" computer objects by sorting on the description field.

Here's the script I wrote for this if you want to use it as a starting point:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo") 'Bind to AD
Set objNet = CreateObject("WScript.Network")

strCompDN = objSysInfo.ComputerName 'DN for computer, e.g. "CN=VISTAWORKSTATION,OU=Child OU Name,OU=Parent OU Name,DC=domain,DC=com"
Set objComp = GetObject("LDAP://" & strCompDN) 'IADsComputer object

strUserDN = objSysInfo.UserName 'DN for user, e.g. "CN=John Smith,OU=Child OU Name,OU=Parent OU Name,DC=domain,DC=com"
Set objUser = GetObject("LDAP://" & strUserDN) 'IADsUser object

strUsrLogin = LCase(objNet.UserName)

strNow = Now
strDateStamp = DatePart("yyyy",strNow) & _
    Right("0" & DatePart("m",strNow), 2) & _
    Right("0" & DatePart("d",strNow), 2) & _
    "@" & _
    Right("0" & DatePart("h",strNow), 2) & _
    Right("0" & DatePart("n",strNow), 2)

'RegExp object used to perform a simple match on IP address
Set objRE = New RegExp
objRE.IgnoreCase = True
'Note this regexp pattern isn't "correct" for matching an IPv4 address properly, but since WMI will return an
'array of IP addresses, this is sufficient to distinguish IPv4 vs IPv6
objRE.Pattern = "^\d+\.\d+\.\d+\.\d+$"

strIP = ""

'Connect to WMI and retrieve all network adapters
Set objWMI = GetObject("winmgmts:")
Set colNICs = objWMI.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration")

'Get the IP(s) assigned to whichever network adapter has our default gateway
If colNICs.Count > 0 Then
    For Each objNIC in colNICs
        If IsArray(objNIC.DefaultIPGateway) Then
            arrIP = objNIC.IPAddress
            For i = 0 To UBound(arrIP)
                If objRE.Test(arrIP(i)) Then strIP = strIP & " " & arrIP(i)
            Next
            strMAC = objNIC.MACAddress
        End If  
    Next
End If

strIP = Trim(strIP)

objComp.Description = strDateStamp & " " & strUsrLogin & " " & strIP
objComp.Put "extensionAttribute1", strUsrLogin
objComp.Put "extensionAttribute2", strIP
objComp.Put "extensionAttribute3", strMAC

objComp.SetInfo

Solution 3:

You can enable auditing for account logon events. These events (including workstation unlock) will be stored in the DC's security log.

There are also third party tools that can make this easier, such as True Last Logon.


Solution 4:

I had to achieve the same result for similar reasons; somehow determine which machine a specific user logged in from. I wanted to know "before the fact", and couldn't change user login scripts as discussed above.
I used PowerShell on the DC that the user was authenticating against to parse the Security event log:

# Replace Username with the account name you are looking for
Get-EventLog -LogName Security | Where-Object { $_.Message -like "*Username*" -and $_.Message -like "*Source Network Address*" } | Export-Csv C:\Temp\test.csv

Crack open the .csv with Excel or your fav editor and look for the most recent entry that shows both the Account Name (Username) and the Source Network Address within the same event.
This might not be a 100% reliable solution (depending on DHCP lease times, etc.), but it worked for me.
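
The same lookup done on the structured event fields instead of the message text, as an added example that is not part of the answer above. It assumes successful logons are audited as event ID 4624; the function names and the sample events are constructed for illustration.

```powershell
# Added example, not code from the answers above. Assumes event ID 4624
# (successful logon) is being audited; $sampleEvents is constructed data.

function Get-LogonSource {
    # Turns event XML (as returned by EventLogRecord.ToXml()) into one object per logon.
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $f = @{}
        foreach ($d in $evt.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            TimeUtc     = $evt.System.TimeCreated.GetAttribute('SystemTime')  # ISO 8601, sorts as text
            User        = $f['TargetUserName']
            LogonType   = $f['LogonType']
            Workstation = $f['WorkstationName']
            SourceIP    = $f['IpAddress']
        }
    }
}

function Get-LastLogonSource {
    # Most recent logon for one user that carries a usable source address.
    param([string[]]$EventXml, [string]$UserName)
    $EventXml | Get-LogonSource |
        Where-Object { $_.User -eq $UserName -and $_.SourceIP -notin '-', '::1', '127.0.0.1' } |
        Sort-Object TimeUtc -Descending |
        Select-Object -First 1
}

# Constructed sample events, trimmed to the fields used here
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='{0}'/></System>" +
    "<EventData><Data Name='TargetUserName'>{1}</Data><Data Name='LogonType'>3</Data>" +
    "<Data Name='WorkstationName'>{2}</Data><Data Name='IpAddress'>{3}</Data></EventData></Event>"
$sampleEvents = @(
    ($template -f '2024-03-04T08:01:12.0000000Z', 'jsmith',      'WS-ACCT-014', '10.20.30.41'),
    ($template -f '2024-03-04T13:45:50.0000000Z', 'jsmith',      'WS-LAB-002',  '10.20.31.77'),
    ($template -f '2024-03-04T13:46:02.0000000Z', 'jsmith',      '-',           '-'),
    ($template -f '2024-03-04T14:10:09.0000000Z', 'WS-LAB-002$', '-',           '10.20.31.77')
)

Get-LastLogonSource -EventXml $sampleEvents -UserName 'jsmith'

# Against a live DC Security log (elevated session), feed the same function:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() }
# Get-LastLogonSource -EventXml $xml -UserName 'jsmith'
```

Entries with no source address and computer-account logons (names ending in `$`) are skipped, so the result is the latest event that ties the user name to an address in the same record.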


Solution 5:

I just write the user name (as well as other info, like date and time, some program versions and so on) into the computer description using a logon script. That way I can pull all the info from AD Users & Computers quickly and easily, and as a bonus have a good way of identifying which PCs still in AD haven't been used in a while (and are therefore most likely dead machines).