How do I go about finding out which server was logged into last using a specific user account on the domain?
-
by auditing and reporting – Sum1sAdmin May 13 '16 at 13:07
-
@Sum1sAdmin, does Windows 2008 R2 have a built-in way of producing such an audit report? Or will I have to buy a 3rd party tool to achieve this? – oshirowanen May 13 '16 at 13:11
-
Do you mean which domain controller the user authenticated against when they last logged on to their workstation? – Todd Wilcox May 13 '16 at 13:34
1 Answer
You can look at the Event Viewer, if you want to check manually. Under Windows Logs > Security you can see both successful and failed logins and you can see logouts. See the Task Category column in the screen capture.
You could write some PowerShell code or .NET / WMI code to pull relevant "most recent" items across multiple servers if you have WinRM enabled and you're authorized.
UPDATE: This is some PowerShell script to get the successful logins in the last 30 minutes. I am filtering by time and by InstanceId, which is the ID associated with different classes of events. On my server, 4624 represents the Logon Task Category, but you should validate that on your own server and tweak the code as needed.
Get-EventLog -LogName Security -EntryType SuccessAudit -InstanceId 4624 -After (([System.DateTime]::Now).AddMinutes(-30))

Glenn Ferrie
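As an added example (not part of the original answer), here is the same event ID 4624 approach narrowed to the question's case: the newest logon of one account on each server, sorted so the most recent server comes first. The server names, the account name, and the restriction to logon types 2 (interactive) and 10 (Remote Desktop) are assumptions to adjust.

```powershell
# Added example: newest 4624 (logon) event for one account on each listed server.
# 4624 is the logon event ID used in the answer; validate it on your own servers.
$Servers    = 'SERVER01', 'SERVER02', 'SERVER03'   # hypothetical host names
$User       = 'jdoe'                               # hypothetical account name
$LogonTypes = 2, 10                                # assumption: interactive and RDP only

# Build the XPath so filtering happens on the remote server, not after transfer.
$typeClause = ($LogonTypes | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
$xpath = "*[System[EventID=4624] and " +
         "EventData[Data[@Name='TargetUserName']='$User'] and " +
         "EventData[($typeClause)]]"

$results = foreach ($server in $Servers) {
    try {
        # Get-WinEvent returns newest events first, so -MaxEvents 1 is the latest match.
        $e = Get-WinEvent -ComputerName $server -LogName Security `
                 -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop

        # Read the fields by name from the event XML rather than by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        New-Object PSObject -Property @{
            Server    = $server
            Time      = $e.TimeCreated
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']
            SourceIP  = $data['IpAddress']
        }
    }
    catch {
        # Covers unreachable hosts, access denied, and "no events were found".
        Write-Warning ('{0}: {1}' -f $server, $_.Exception.Message)
    }
}

# Most recent logon across all servers first.
$results | Sort-Object Time -Descending |
    Select-Object Time, Server, User, LogonType, SourceIP
```

The result only reaches as far back as each server's Security log retention, so a server whose log has rolled over will report no events even if the account logged on there earlier.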
-
you don't even need winrm, just event viewer permissions on the other servers, simplest is to set up a subscription – Jim B May 13 '16 at 13:45
-
Agreed but if you're reaching across server to discover information you may want to take some action as a result -- which may require remote management. I usually just set it up, but definitely not a MUST. – Glenn Ferrie May 13 '16 at 13:47
-
I'm not saying it's a bad idea, but if you're just auditing it's not required, and very simple to do without a line of code with the event collector, drop the resulting export into Excel and analyze away. One of the OP comments was what is the built-in tool for this - that's what I'm suggesting you consider putting in your answer - PowerShell is most certainly not the best solution in this case. – Jim B May 13 '16 at 13:53