Find where that user is

There was a question in the PowerShell newsgroup on how to find which computer a particular user is located on.

Here’s my take on the one-liner finding the user and computer:

PS C:\> Get-QADComputer | foreach { Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.Name } | where { $_.UserName -eq "DOMAIN\username" } | Format-Table Name, UserName

Name                                    UserName
----                                    --------
MYCOMP                                  DOMAIN\username

Basically I am:

1. Getting the list of computers.

2. Going to each of them with a WMI query to get information on the current session on the computer.

3. Applying the where filter comparing the UserName property to the username.

4. Outputting the computername and username in a table.

This is it!

You can make it slightly more complicated if you need the IP address (it is not present in the Win32_ComputerSystem class) – we can get that by adding:

PS C:\> Get-QADComputer | foreach { Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.Name } | where { $_.UserName -eq "Domain\username" } | foreach { Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $_.Name } | where {$_.IPEnabled -eq $true } | Format-Table __SERVER, IPAddress

__SERVER                                IPAddress
--------                                ---------
MYCOMP                                  {192.168.99.18}

This one gives a table of the computernames and IP addresses that have the user logged in at the moment. Now the output does not have the username but I guess you know it already because you were searching for the name!

(I am also filtering out the network interfaces without IP address.)

The other issue is that it does not take terminal services logins into account. Don’t know off the top of my head how to add enumeration of those. Should be possible. This is the article I found that has the code doing that in C++: http://www.codeproject.com/system/logonsessions.asp
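The two one-liners above can be combined into one function that returns the computer, user and IP addresses together and reports hosts that fail the WMI call (unreachable, Access Denied) instead of stopping at them. This is an added example, not code from the original post: the function name Find-LoggedOnUser and its parameters are hypothetical, and it assumes Windows PowerShell 2.0 or later for try/catch.

```powershell
# Added example: hypothetical helper, not code from the original post.
function Find-LoggedOnUser {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $UserName,                            # DOMAIN\username form
        [string[]] $ComputerName = @($env:COMPUTERNAME)  # defaults to the local machine
    )
    foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop makes RPC and Access Denied failures catchable
            $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $computer -ErrorAction Stop
        }
        catch {
            # Report the failing host and move on to the next computer
            New-Object PSObject -Property @{
                Computer = $computer; UserName = $null; IPAddress = $null
                Status   = "Error: $($_.Exception.Message)"
            }
            continue
        }

        # UserName is the interactive console user only; it is empty when nobody
        # is logged on and does not cover terminal services sessions.
        if ($UserName -notcontains $cs.UserName) { continue }

        # Collect addresses of IP-enabled adapters; leave empty if this query fails
        $ips = @()
        try {
            $ips = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $computer `
                       -Filter "IPEnabled = TRUE" -ErrorAction Stop |
                   foreach { $_.IPAddress }
        }
        catch { }

        New-Object PSObject -Property @{
            Computer = $cs.Name; UserName = $cs.UserName
            IPAddress = ($ips -join ', '); Status = 'Found'
        }
    }
}

# Runs against the local machine only; "DOMAIN\username" is a placeholder.
Find-LoggedOnUser -UserName "DOMAIN\username" |
    Format-Table Computer, UserName, IPAddress, Status -AutoSize

# Domain-wide, with the computer list from the post's Get-QADComputer:
# Find-LoggedOnUser -UserName "DOMAIN\username" -ComputerName (Get-QADComputer | foreach { $_.Name })
```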


19 Responses to “Find where that user is”


  1. 1 René Masselink September 19, 2007 at 10:30 am

    Thanks, a very useful solution to my problem, and even a solution to a problem I might get in the near future (IP-resolving by username)!

  2. 2 dmitrysotnikov September 19, 2007 at 10:50 am

    Glad that I could help. One thing to keep in mind is that this can be quite slow on PowerShell v1 because it makes the WMI calls to each remote computer in sequence, one by one. Thus, in big networks this might take a while.

    PowerShell v2 is going to be much faster in such cases with the new remoting and parallel processing features they are adding.

  3. 3 Mike December 27, 2007 at 4:12 pm

    I tried your one liner and I am getting Access Denied at Line1 Char 42

    Get-WmiObject

    Not sure why.

    Get-QADComputers works and it returns all computers in the AD

    Name Type DN
    ---- ---- --
    HZ7L101 computer CN=HZ7L101,OU=Desktops,OU=All computers,DC=flhlaw,DC=local
    3Z7L101 computer CN=3Z7L101,OU=Desktops,OU=All computers,DC=flhlaw,DC=local
    INDEXER computer CN=INDEXER,OU=Desktops,OU=All computers,DC=flhlaw,DC=local
    FLHREMOTE computer CN=FLHREMOTE,OU=Servers,OU=All computers,DC=flhlaw,DC=local
    FLHAPP01 computer CN=FLHAPP01,OU=Servers,OU=All computers,DC=flhlaw,DC=local
    G1VW911 computer CN=G1VW911,OU=Desktops,OU=All computers,DC=flhlaw,DC=local
    1VRGP11 computer CN=1VRGP11,OU=Desktops,OU=All computers,DC=flhlaw,DC=local

    But I am looking to create a script that allows me to enter a user Id into a field and return the computer they are logged into.

  4. 4 dmitrysotnikov December 27, 2007 at 7:11 pm

    Mike,

    I would try to manually run the Get-WMIObject for each of the computers to see which one is giving you Access Denied.

    E.g.:

    Get-WmiObject -Class Win32_ComputerSystem -ComputerName HZ7L101

    etc.

    Of course, if you have hundreds of them you might want to automate the thing by adding tracing capabilities to the script: i.e. making it output computer name before making the wmi call:

    Get-QADComputer | foreach {
    $_.Name
    Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.Name
    }

  5. 5 Dharmendra Sharma April 29, 2009 at 5:52 am

    hi,

    I need your help to know the history of a particular user's Windows logon id: when he has logged in

    when that id was disabled/ enabled

    can anyone help me to sort out this issue through AD

    I have windows 2003 server (DC)

    Regards
    DKS

  6. 6 Dmitry Sotnikov April 30, 2009 at 4:47 pm

    Dharmendra,

    AD is pretty bad in documenting any changes. Windows 2008 DCs got events in event logs slightly better so I think you could for example get disabled/enabled events from there (if you go all 2008 of course), but for a comprehensive AD auditing/history you would probably need a commercial product such as http://www.quest.com/changeauditor-for-active-directory/ or http://www.quest.com/intrust-for-active-directory/

    If you need a free solution and cannot upgrade to 2008, I guess you could do some kind of polling from periodically run PowerShell scripts which get changed users with Get-QADUser -LastChangedAfter – see http://wiki.powergui.org/index.php/Get-QADUser

    Dmitry

  7. 7 Ben July 9, 2010 at 6:38 pm

    Dmitry, Thanks so much for this! A question if I may; How hard would it be to add a dialog box requesting a specific username to search for? i.e. Searching all computers for a single, specific DOMAIN\username?

    • 8 Dmitry Sotnikov July 9, 2010 at 6:49 pm

      Ben, just use read-host:

      $username = read-host "Please provide a specific username"

      If you get stuck – try asking in the forums at http://powergui.org – lots of friendly gurus to help you out.🙂

  8. 9 Chase May 26, 2011 at 3:38 pm

    Here is a slightly modified version that uses Get-ADComputer instead of Get-QADComputer

    Get-ADComputer -filter * | foreach {gwmi -class Win32_ComputerSystem -ComputerName $_.Name -Property Name,Username} | where {$_.UserName -like "*myuser*"}| ft name,username

    I had to add the -Property command to gwmi in order to retrieve the username. The -filter * in Get-ADComputer can be changed to an actual filter to restrict the computers gwmi is run on.

  9. 11 Anonymous June 27, 2011 at 1:13 am

    Dmitry.. Great Post.. Quick question: How could I only specify a list of users from a text file to search what computer they are logged on to?

    Thanks!

    Guest

    • 12 Dmitry Sotnikov June 27, 2011 at 9:45 pm

      I don’t currently have a lab to try this but here’s my theoretical approach:

      1. Just have a text file with usernames (in DOMAIN\username format) one item per line in a file.
      2. Then load the file into an array:

      $users = get-content c:\users.txt

      3. And then in the one-liner modify this part of one-liner:

      where { $_.UserName -eq "DOMAIN\username"}

      into this:

      where { $users -contains $_.UserName}

      Dmitry

      • 13 Pal March 18, 2013 at 7:42 pm

        Hi Dmitry,

        Is it possible for you to amend your code below in a way that it will look for a particular OU when searching for the workstations a user connects to instead of looking through the entire domain..?

        C:\> Get-QADComputer | foreach { Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.Name } | where { $_.UserName -eq "DOMAIN\username" } | Format-Table Name, UserName

        For e.g. let's say all the machines are located in
        Abc.net/Xyz/Departments/Marketing/Marketing pcs/

        Regards,
        Pal

      • 14 Dmitry Sotnikov March 18, 2013 at 9:14 pm

        Paul, please see parameters of Get-QADComputer. I believe there is something like -SearchRoot which seems to be what you are looking for.

  10. 15 Anonymous April 11, 2013 at 10:40 pm

    Get-QADComputer -searchroot "abc.net/xyz/departments" -searchscope onelevel | foreach { Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.Name } | where { $_.UserName -eq "DOMAIN\username" } | Format-Table Name, UserName

    This is the string

  11. 16 Marcus June 25, 2013 at 2:09 pm

    I have a list of users I need to identify what workstations they have logged into in the last 30 days. How would I go about getting that information?

  12. 17 Akbar January 29, 2016 at 10:46 am

    Hi Dmitry. What if I want to run the query on just a select number of computers? Thanks in advance.

    • 18 Dmitry Sotnikov January 29, 2016 at 8:01 pm

      You can for example read the names of the computers from a file with Get-Content, and then use $_ down the pipeline to get the values.



Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
