When dealing with misplaced domain-joined computers that haven't been online for extended periods, traditional logon tracking methods often fail. The computer objects remain in Active Directory, but their last interactive user information becomes harder to retrieve.
The replicated LastLogonTimestamp attribute is only rewritten when it is more than 14 days stale (randomised to 9-14 days), so it places the last authentication to within roughly two weeks and says nothing about which user logged on:
Get-ADComputer -Identity "COMPUTERNAME" -Properties LastLogonTimestamp |
Select-Object Name,@{Name="LastLogon";Expression={[datetime]::FromFileTime($_.LastLogonTimestamp)}}
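The attribute above is one of three AD-side timestamps worth reading. lastLogon (no "Timestamp") is exact but never replicated, so each DC only knows about the logons it handled itself, and PasswordLastSet moves every 30 days while the machine is online. The function below is an added example, not code from the original page; it assumes the ActiveDirectory module and that every DC returned by Get-ADDomainController answers LDAP.

```powershell
# Added example (not from the original page): gather every AD-side timestamp for one computer object.
# Assumes the ActiveDirectory module and that each DC returned by Get-ADDomainController answers LDAP.
function Get-ComputerLogonEvidence {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Replicated attributes: any one DC will do
    $computer = Get-ADComputer -Identity $ComputerName -Properties LastLogonTimestamp, PasswordLastSet
    $replicated = $null
    if ($computer.LastLogonTimestamp) { $replicated = [datetime]::FromFileTime($computer.LastLogonTimestamp) }

    # lastLogon is never replicated: each DC only knows about the logons it handled itself,
    # so query all of them and keep the newest value
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $c = Get-ADComputer -Identity $ComputerName -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
            if ($c.lastLogon) {
                [pscustomobject]@{ DC = $dc.HostName; LastLogon = [datetime]::FromFileTime($c.lastLogon) }
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }
    $newest = $perDc | Sort-Object LastLogon -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer            = $computer.Name
        LastLogonTimestamp  = $replicated                 # replicated, 9-14 days coarse
        MostRecentLastLogon = $newest.LastLogon           # exact, from whichever DC saw the last logon
        SeenOnDC            = $newest.DC
        PasswordLastSet     = $computer.PasswordLastSet   # rotates every 30 days while the host is online
    }
}

Get-ComputerLogonEvidence -ComputerName "COMPUTERNAME"
```

SeenOnDC is the useful extra: it tells you which DC (and therefore which site) the machine last talked to, which narrows where to pull Security logs from next.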
On domain controllers, examine the Security log for Event ID 4624 (successful logon). A DC's own 4624 events record logons to the DC, mostly network logons made by the workstation's user for Group Policy and SYSVOL, so filter on the WorkstationName field (Properties[11]) rather than on the account name, exclude the machine account itself, and expect to need far more than 100 events on a busy DC:
Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624]]' -MaxEvents 5000 |
Where-Object { $_.Properties[11].Value -eq "COMPUTERNAME" -and $_.Properties[5].Value -notlike "*$" } |
Select-Object TimeCreated,
    @{Name="User";Expression={"$($_.Properties[6].Value)\$($_.Properties[5].Value)"}},
    @{Name="LogonType";Expression={$_.Properties[8].Value}}
If legacy logon scripts were used, check for log files:
# Typical path for logon script logs
$logPath = "\\DC01\NETLOGON\Logs\"
Get-ChildItem -Path $logPath -Filter "*COMPUTERNAME*" |
Sort-Object LastWriteTime -Descending |
Select-Object -First 1
For powered-off machines, mount the disk (or an image of it) and load the offline SOFTWARE hive. Its ProfileList key is not a credential store; it enumerates the user profiles that have existed on the machine, and the write time of each profile's NTUSER.DAT approximates when that user last logged on:
# Offline disk mounted here as E: (assumed); the running system's own hive under C:\ is in use and cannot be loaded
$offline = "E:"
reg load HKLM\OFFLINE "$offline\Windows\System32\config\SOFTWARE"
Get-ItemProperty -Path "HKLM:\OFFLINE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" |
    Select-Object PSChildName, ProfileImagePath,
        @{Name="LastUsed"; Expression={ (Get-Item (Join-Path ($_.ProfileImagePath -replace '^[A-Za-z]:', $offline) 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue).LastWriteTime }} |
    Sort-Object LastUsed -Descending
[gc]::Collect()   # release the registry provider's handles so the hive unloads cleanly
reg unload HKLM\OFFLINE
Consider implementing these for future tracking:
- SCCM/MECM Last Logged On User reports
- Azure AD Connect health monitoring
- Third-party asset management tools with persistent agents
Remember that:
- Computer account passwords rotate every 30 days by default, so the computer object's PasswordLastSet is another coarse "last online" indicator
- Windows caches the domain credentials of the last 10 interactive users by default (CachedLogonsCount), so a cached-credential entry on its own does not identify the most recent user
- Terminal Services/Citrix environments complicate tracking, because many users log on to the same host and the "last user" is rarely the person who physically has the device
When physical workstations go missing from inventory but still exist in Active Directory, forensic tracking becomes essential. The key evidence lies in the last authenticated user session, which isn't directly stored in computer object attributes.
Three potential locations contain this audit trail:
- Security Event Logs (Requires machine access)
- Logon Server Records (Netlogon debugging logs)
- AD LastLogonTimestamp (approximate and not user-specific; the non-replicated lastLogon on each individual DC is exact)
For powered-on machines, remote event log collection works best. Do not take the single newest 4624: on a domain member that is almost always a network or service logon. Ask for interactive logon types (2 local, 7 unlock, 10 RDP, 11 cached) in the XPath filter, and read the user from TargetUserSid (Properties[4]), which Get-WinEvent already returns as a SecurityIdentifier; Properties[5] is TargetUserName, a plain string that cannot be translated:
# Requires admin rights on the target computer and a reachable Event Log (RPC) service
$computerName = "MISSING-PC1"
$xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='7' or Data[@Name='LogonType']='10' or Data[@Name='LogonType']='11']]"
$event = Get-WinEvent -ComputerName $computerName -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
if ($event) {
    $logonType = $event.Properties[8].Value
    $userSid   = $event.Properties[4].Value            # TargetUserSid
    $lastUser  = $userSid.Translate([System.Security.Principal.NTAccount])
    Write-Output "Last interactive login: $lastUser (logon type $logonType) at $($event.TimeCreated)"
} else {
    Write-Output "No interactive 4624 events on $computerName (log cleared, rolled over, or host unreachable)"
}
When machines are unreachable, try these alternatives:
DC Security Logs Analysis
Event 4768 (Kerberos TGT requested) does not record the client's computer name, only its IP address (Properties[9], usually in "::ffff:a.b.c.d" form). Find the machine account's own most recent TGT request first, take the address it came from, then list user TGTs from that same address. Because DHCP leases move, treat users seen long before or after the machine's own request with suspicion:
# Query a domain controller for Kerberos TGT requests; repeat on every DC the machine could have used
$startTime = (Get-Date).AddDays(-30)
$xpath = "*[System[(EventID=4768) and TimeCreated[@SystemTime>='$($startTime.ToUniversalTime().ToString("o"))']]]"
$tgts = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50000 -ErrorAction SilentlyContinue
# Get-WinEvent returns newest first, so -First 1 is the latest TGT the computer account itself requested
$machine = $tgts | Where-Object { $_.Properties[0].Value -eq 'MISSING-PC1$' } | Select-Object -First 1
if ($machine) {
    $ip = $machine.Properties[9].Value
    $tgts | Where-Object { $_.Properties[9].Value -eq $ip -and $_.Properties[0].Value -notlike '*$' } |
        Select-Object TimeCreated,
            @{Name="User";Expression={"$($_.Properties[1].Value)\$($_.Properties[0].Value)"}},
            @{Name="ClientIP";Expression={$_.Properties[9].Value}}
}
Netlogon Debug Log Parsing
When enabled (not the default; `nltest /dbflag:0x2080ffff` turns it on), domain controllers write %SystemRoot%\debug\netlogon.log, which records NTLM pass-through authentications with both the user and the originating workstation. Kerberos logons do not appear there, and the file rotates to netlogon.bak once it reaches its size limit, so search both:
Select-String -Path "\\DC1\c$\Windows\debug\netlogon.log", "\\DC1\c$\Windows\debug\netlogon.bak" -Pattern "MISSING-PC1"
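Select-String shows the raw lines; turning them into objects lets you discard failed attempts and pick the latest successful one. The function below is an added example, not code from the original page. The sample lines are constructed to match the "MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: ... Entered / Returns 0x..." layout, and the year is assumed because netlogon.log timestamps do not carry one.

```powershell
# Added example (not from the original page): parse netlogon.log SamLogon entries into objects and
# report logons from one workstation. Sample lines are constructed; adjust the regex if your build differs.
function Get-NetlogonLogons {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Workstation,
        [int]$Year = (Get-Date).Year      # netlogon.log timestamps carry no year; assume the current one
    )
    # "from MISSING-PC1" for direct logons, "from (via FS01)" for transitive ones
    $pattern = '^(?<stamp>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] \[\d+\] (?<dom>[^:]+): SamLogon: (?<kind>.+?) logon of (?<user>\S+) from (?:\(via )?(?<ws>[^\s)]+)\)? (?<result>Entered|Returns 0x[0-9A-Fa-f]+)$'
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        # Each logon produces an "Entered" line and a "Returns" line; only the return code says whether it succeeded
        if ($Matches.result -eq 'Entered') { continue }
        if ($Matches.ws -ne $Workstation) { continue }
        [pscustomobject]@{
            Time    = [datetime]::ParseExact("$Year/$($Matches.stamp)", 'yyyy/MM/dd HH:mm:ss', $null)
            User    = $Matches.user
            Kind    = $Matches.kind
            Success = ($Matches.result -eq 'Returns 0x0')
            Status  = $Matches.result
        }
    }
}

# Constructed sample of what a DC writes; the real file is %SystemRoot%\debug\netlogon.log (plus netlogon.bak)
$sample = @(
    '04/12 08:02:11 [LOGON] [2856] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from MISSING-PC1 Entered',
    '04/12 08:02:11 [LOGON] [2856] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from MISSING-PC1 Returns 0xC000006A',
    '04/12 08:02:40 [LOGON] [2856] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from MISSING-PC1 Entered',
    '04/12 08:02:40 [LOGON] [2856] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from MISSING-PC1 Returns 0x0',
    '04/12 08:05:02 [LOGON] [2856] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\asmith from (via FS01) Entered',
    '04/12 08:05:02 [LOGON] [2856] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\asmith from (via FS01) Returns 0x0',
    '04/13 17:44:09 [LOGON] [2856] CONTOSO: SamLogon: Network logon of CONTOSO\mlee from MISSING-PC1 Entered',
    '04/13 17:44:09 [LOGON] [2856] CONTOSO: SamLogon: Network logon of CONTOSO\mlee from MISSING-PC1 Returns 0x0'
)

# Against a real DC: $sample = Get-Content '\\DC1\c$\Windows\debug\netlogon.log'
Get-NetlogonLogons -Lines $sample -Workstation 'MISSING-PC1' -Year 2024 |
    Where-Object Success |
    Sort-Object Time -Descending |
    Select-Object -First 1
```

The wrong-password attempt (0xC000006A) is kept as an object with Success set to false so you can tell a user who actually got in from one who merely tried; the transitive entry via FS01 is skipped because its workstation field names the server that forwarded the request, not the client.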
To make this easier next time:
- LastLogonTimestamp replication is already on by default with a 14-day staleness window (randomised to 9-14 days, controlled by msDS-LogonTimeSyncInterval on the domain naming context); the non-replicated lastLogon on each DC is exact if you are willing to query every DC
- Logon Hours restrictions do not refresh these attributes; if you want a durable record of who used each machine, enable logon auditing on workstations and forward the events (Windows Event Forwarding or a SIEM) so the evidence survives the machine going missing
- Microsoft Advanced Threat Analytics, now retired and replaced by Microsoft Defender for Identity, records which users authenticate from which computers
If your environment uses System Center Configuration Manager, discovery already records the last logon user on v_R_System (User_Name0 and Last_Logon_Timestamp0), and the System Console User hardware inventory class (Asset Intelligence, must be enabled in client settings) keeps per-user console usage, which is the better answer when several people shared the machine:
SELECT SYS.Netbios_Name0 AS ComputerName,
       SYS.User_Name0 AS LastDiscoveredUser,
       CU.SystemConsoleUser0 AS ConsoleUser,
       CU.LastConsoleUse0 AS LastConsoleUse,
       CU.NumberOfConsoleLogons0 AS ConsoleLogons
FROM v_R_System SYS
LEFT JOIN v_GS_SYSTEM_CONSOLE_USER CU ON CU.ResourceID = SYS.ResourceID
WHERE SYS.Netbios_Name0 = 'MISSING-PC1'
ORDER BY CU.LastConsoleUse0 DESC