Best way to find the computer a user last logged on from?

I am hoping that somewhere in Active Directory the "last logged on from [computer]" is written/stored, or there is a log I can parse out?

The purpose of wanting to know the last PC logged on from is for offering remote support over the network - our users move around pretty infrequently, but I'd like to know that whatever I'm consulting was updating that morning (when they logged in, presumably) at minimum.

I'm also considering login scripts that write the user and computer names to a known location I can reference, but some of our users don't like to logout for 15 days at a time.

If there is an elegant solution that uses login scripts, definitely mention it - but if it happens to work for merely unlocking the station, that would be even better!


As part of our logon script I have that information (and more) logged into a hidden share on a server, with one log file per user. A logoff scripts adds the time the user logged off to the same log file. Easy to set up, no cost and the information is there in an easy to read format.


We do this via logon script which updates the computer object's description in AD.

You need to perform a custom delegation of control to allow "Authenticated Users" to write the description property of computer objects in the domain/s.

Once that's done, all you need is a script that generates whatever information you want and writes the properties to the computer object. This script is then assigned as a login script via a Group Policy object linked to the domain.

We put a timestamp, username, IP(s) in the description field. The timestamp comes first because it makes it easy to quickly see "old" computer objects by sorting on the description field.

Here's the script I wrote for this if you want to use it as a starting point:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo") 'Bind to AD
Set objNet = CreateObject("WScript.Network")

strCompDN = objSysInfo.ComputerName 'DN for computer, e.g. "CN=VISTAWORKSTATION,OU=Child OU Name,OU=Parent OU Name,DC=domain,DC=com"
Set objComp = GetObject("LDAP://" & strCompDN) 'IADsComputer object

strUserDN = objSysInfo.UserName 'DN for user, e.g. "CN=John Smith,OU=Child OU Name,OU=Parent OU Name,DC=domain,DC=com"
Set objUser = GetObject("LDAP://" & strUserDN) 'IADsUser object

strUsrLogin = LCase(objNet.UserName)

strNow = Now
strDateStamp = DatePart("yyyy",strNow) & _
    Right("0" & DatePart("m",strNow), 2) & _
    Right("0" & DatePart("d",strNow), 2) & _
    "@" & _
    Right("0" & DatePart("h",strNow), 2) & _
    Right("0" & DatePart("n",strNow), 2)

'RegExp object used to perform a simple match on IP address
Set objRE = New RegExp
objRE.IgnoreCase = True
'Note this regexp pattern isn't "correct" for matching an IPv4 address properly, but since WMI will return an
'array of IP addresses, this is sufficient to distinguish IPv4 vs IPv6
objRE.Pattern = "^\d+\.\d+\.\d+\.\d+$"

strIP = ""

'Connect to WMI and retreive all network adapters
Set objWMI = GetObject("winmgmts:")
Set colNICs = objWMI.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration")

'Get the IP(s) assigned to whichever network adapter has our default gateway
If colNICs.Count > 0 Then
    For Each objNIC in colNICs
        If IsArray(objNIC.DefaultIPGateway) Then
            arrIP = objNIC.IPAddress
            For i = 0 To UBound(arrip)
                If objRE.Test(arrIP(i)) Then strIP = strIP & " " & arrIP(i)
            Next
            strMAC = objNIC.MACAddress
        End If  
    Next
End If

strIP = Trim(strIP)

objComp.Description = strDateStamp & " " & strUsrLogin & " " & strIP
objComp.Put "extensionAttribute1", strUsrLogin
objComp.Put "extensionAttribute2", strIP
objComp.Put "extensionAttribute3", strMAC

objComp.SetInfo

I had to achieve the same result for similar reasons; somehow determine which machine a specific user logged in from. I wanted to know "before the fact", and couldn't change user login scripts as discussed above.
I used powershell on the DC that the user was authenticating against to parse the Security event log:

get-eventlog "Security" | where {$_.Message -like "*Username*" -AND "Source Network Address"} | export-csv C:\Temp\test.csv

Crack open the .csv with excel or your fav editor and look for the most recent entry that shows both the Account Name (Username) and the Source Network Address within the same event.
This might not be a 100% reliable solution (depending on DHCP lease times, etc.), but it worked for me.


You can enable auditing for account logon events. These events (including workstation unlock) will be stored in the DC's security log.

There are also third party tools that can make this easier, such as True Last Logon.