How-to: Find the LoggedOn user.

Find the User(s) logged on to a computer:

Get-CimInstance -Class Win32_ComputerSystem | Select-object -ExpandProperty UserName

We can further limit this to only users running an interactive/destop session (the Windows desktop is an Explorer.exe process):

Get-CImInstance -Class Win32_Process -Filter 'Name="explorer.exe"'

To run this against a remote machine, add the -computername computer option

$processinfo = @(Get-CImInstance -ComputerName 'computer64' -Class Win32_Process)

if ($processinfo) {
  $processinfo |  ForEach-Object {Invoke-CimMethod -InputObject $_ -MethodName GetOwner | select -ExpandProperty user } | 
  Sort-Object -Unique

This can be wrapped into a full function Get-LoggedOn, allowing piped input etc.

Find Locked Out Accounts:

search-adaccount -u -l | ft name,lastlogondate -auto

Find out WHERE a user is logged on.

The script below finds active sessions with a known server, this approach works well for accounts that have a roaming profile or home server. It first creates a remote session with the server, then runs NET SESSION to get a list of active sessions, then using those IP addresses runs nslookup to resolve the machine name.

# Get-LoggedOn.ps1
# Find out WHERE a user is logged on.
# Requires the name of File Server and the name of the user you need to find
#   Example to find where user64 is logged in, run this (elevated):
#   Get-LoggedOn "ProfileServer01" "user64"

write-host " **  Searching for active logons by $USERNAME  **"

# Connect to remote Server

# Run Net Session, get a list of everybody logged in there
$RemoteSessions = (INVOKE-COMMAND -session $s -scriptblock { (NET SESSION) } ) | Select-string $USERNAME

# Close session

Foreach ( $session in $RemoteSessions ) {

  $ComputerIP = $session.Line.substring(2,21).trim()
  $User = $session.Line.substring(22,15).trim()

# Use nslookup to identify the computer, filter for the line displaying “Name:”
$Computername=(nslookup $ComputerIP | Where { $_ -like 'Name:*'})

If ($Computername -eq $NULL) { $Computername="Unknown"}
 # extract just the computer name from the full string
Else { $Computername = $Computername.substring(9).trim().Split('.')[0]}

"$User is logged into $Computername with IP address $ComputerIP"

Based on this script by the Scripting Guys at Technet - a couple of bugs fixed and converted from a function into a script.

“Sometimes only one person is missing and the whole world seems depopulated“ ~ Alphonse de Lamartine

Related PowerShell Cmdlets:

Get-WmiObject - Get WMI class information.
EventCombMT - Account Locked Out Troubleshooting.
LastLogon - Find when an account last logged in.
Password expiry - Reminder email for account passwords about to expire.

Copyright © 1999-2021
Some rights reserved