How to find the last user logged onto a computer in Active Directory?

I was wondering if there was a way in Active Directory to query a Computer object to find the last user who logged on.

Poor asset tracking has left me with a couple of un-locatable machines and I would like to know who used them last.

Thanks

Edit: Just to clarify, I can't find the machines physically and it doesn't look like its been powered on for a while, that's why I want to know who had them last so I can query them.


Solution 1:

I've had a few "where the hell is that" moments in my time. My usual way to tackle is as follows.

The first thing I do is browse the C: drive (\\LOSTCMPUTER\C$) and look at the local profiles to see if I can hopefully determine at least what department it resides in. Then poke around in the profile directories to try and find files recently changed and contact the user if anything looks promising. If not, wander around the department and tie up all computers you think are there and what is actually there.

Failing that, in the global logon script, put something like this.

if($ThisComputerName == 'LOSTCOMPUTER')
{
    WriteFile("\\SERVER\WRITEABLESHARE", "$Username logged onto LOSTCOMPUTER");
}

Other things to try might be to disable the computer object and when someone phones asking why they can't log on to the computer, note where it is and re-enable the account.

Solution 2:

I don't know how to tell which user on which computer but I can tell you how to know when the computer last touched your network. In ADUnC, make sure Advanced is selected from under view menu. On the AD computer object you can goto attribute editor tab (in modern versions of AD tools) and look for lastLogonTimeStamp which will tell you when the computer last booted or logged into the network (every computer on the Domain actually logs in with their own secret password). It's accurate to within 5 days.

Also some info that may help for the future Get a list of who logged in to each server

new Server 2008 R2 features for account auditing and logon events http://technet.microsoft.com/en-us/library/dd560628(WS.10).aspx

free MS tracking tool for next time "limitlogin" http://technet.microsoft.com/en-us/magazine/2005.05.utilityspotlight.aspx

Solution 3:

Don't think you can get such information from AD. You can try to check "C:\Documents and Settings" and see the last modified folder.

Solution 4:

I have also found this information in our Anti-Virus software console that has machine names and users last login.