Find the User(s) logged on to a computer:

Get-WmiObject -Class Win32_ComputerSystem | Select-object -ExpandProperty UserName

Or an alternative strategy for servers or any machine where multiple users could be logged in at the same time - find the owners of Explorer.exe processes. The Windows desktop is an Explorer.exe process.

Get-WmiObject -Class Win32_Process -Filter 'Name="explorer.exe"'  |
  ForEach-Object {
    $owner = $_.GetOwner()
    '{0}\{1}' -f  $owner.Domain, $owner.User
  } | 
  Sort-Object -Unique

To run this against a remote machine, add the -ComputerName option to Get-WmiObject: Get-WmiObject -ComputerName computer

Find Locked Out Accounts:

Search-ADAccount -UsersOnly -LockedOut | Format-Table Name,LastLogonDate -AutoSize

Find out WHERE a user is logged on.

The script below finds active sessions with a known server. This approach works well for accounts that have a roaming profile or home server. It first creates a remote session with the server, then runs NET SESSION to get a list of active sessions, then runs nslookup against each of those IP addresses to resolve the machine name.

# Get-LoggedOn.ps1
# Find out WHERE a user is logged on.
# Requires the name of File Server and the name of the user you need to find
#   Example to find where user64 is logged in, run this (elevated):
#   Get-LoggedOn "ProfileServer01" "user64"

# $SERVER = file server to query, $USERNAME = user to find
param($SERVER, $USERNAME)

write-host " **  Searching for active logons by $USERNAME  **"

# Connect to remote Server
$s = New-PSSession -ComputerName $SERVER

# Run Net Session, get a list of everybody logged in there
$RemoteSessions = (INVOKE-COMMAND -session $s -scriptblock { (NET SESSION) } ) | Select-string $USERNAME

# Close session
Remove-PSSession $s

Foreach ( $session in $RemoteSessions ) {

  # NET SESSION output is fixed width: computer column first, then user name
  $ComputerIP = $session.Line.substring(2,21).trim()
  $User = $session.Line.substring(22,15).trim()

  # Use nslookup to identify the computer, filter for the line displaying "Name:"
  $Computername = (nslookup $ComputerIP | Where { $_ -like 'Name:*'})

  # If a name was found, extract just the computer name from the full string
  If ($null -eq $Computername) { $Computername = "Unknown" }
  Else { $Computername = $Computername.substring(9).trim().Split('.')[0] }

  "$User is logged into $Computername with IP address $ComputerIP"
}

Based on this script by the Scripting Guys at Technet - a couple of bugs fixed and converted from a function into a script.
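
An added example, not part of the original page or the Scripting Guys' script: Select-String $USERNAME matches substrings, so a search for user64 also returns sessions belonging to user641. The sketch below parses NET SESSION lines into objects so the user name can be compared exactly. The function name ConvertFrom-NetSession and the sample output are constructed for illustration, and the pattern assumes user names contain no spaces and the idle time is a single HH:MM:SS token.

```powershell
# Added example. ConvertFrom-NetSession is a hypothetical helper, not a built-in cmdlet.
function ConvertFrom-NetSession {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string]$Line
    )
    begin {
        # Layout: \\computer  user  [client type]  opens  idle
        # Assumption: no spaces in the user name, idle time is one token (HH:MM:SS).
        $pattern = '^\\\\(?<Computer>\S+)\s+(?<User>\S+)\s+(?<ClientType>.*?)\s+(?<Opens>\d+)\s+(?<Idle>\S+)\s*$'
    }
    process {
        # Header, separator and status lines do not start with \\ and are skipped.
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Computer   = $Matches.Computer
                User       = $Matches.User
                ClientType = $Matches.ClientType
                Opens      = [int]$Matches.Opens
                IdleTime   = $Matches.Idle
            }
        }
    }
}

# Constructed sample of NET SESSION output (not captured from a real server).
$sample = @'
Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\10.0.0.15            user64                                     1 00:02:11
\\10.0.0.22            user641              Windows 7 7601        0 01:15:40
\\10.0.0.31            USER64                                     3 00:00:07

The command completed successfully.
'@ -split '\r?\n'

$target = 'user64'

# Substring match, as in the script above: user641's line is counted as well.
@($sample | Select-String $target).Count

# Exact, case-insensitive comparison on the parsed User field: user641 is excluded.
$sample | ConvertFrom-NetSession |
    Where-Object { $_.User -eq $target } |
    Sort-Object Computer |
    Format-Table Computer, User, Opens, IdleTime -AutoSize
```

Against a live server, pipe the output of Invoke-Command { NET SESSION } into ConvertFrom-NetSession in place of $sample.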

“Sometimes only one person is missing and the whole world seems depopulated” ~ Alphonse de Lamartine

Related PowerShell Commands:

Get-WmiObject - Get WMI class information
EventCombMT - Account Locked Out Troubleshooting
LastLogon - Find when an account last logged in.
Password expiry - Reminder email for account passwords about to expire.

Copyright © SS64.com 1999-2019
Some rights reserved