This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 86%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZA%3C/text%3E%3C/svg%3E)
Dear Respectable,
I have a computer name and IP address, i need to know which user is associated with that computer.
I tried to look into logon events e.g Event ID: 4624 etc, but there is only computername and ip. i couldn't find username there.
i don't have any third party tool like manageengine, so i am relying on windows powershell and eventviewer.
Can anyone advise how i can get user associated with that specific computer?
Thanks
You may need to add additional auditing options.
https://woshub.com/check-user-logon-history-active-directory-domain-powershell/
See also:
Your users aren't logging in with a local account, are they? That won't show up on your domain controllers.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
@MotoX80 Heh . . . the answer I posted was immediately deleted for violation the Code of Conduct.
Maybe it was my using the word "S a ni ty"? Weird.
It didn't take very long for one of the moderators to allow it, though.
Here's an example of getting those events:
$q = @'
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4624)] and EventData[Data[@Name='LogonType'] and (Data='2' or Data='7')]]
</Select>
</Query>
</QueryList>
'@
Foreach ($login in Get-WinEvent -FilterXml $q){
$y = $login | Convert-EventLogRecord
[PSCustomObject]@{
LogonType = $y.LogonType
SubjectDomainName = $y.TargetDomainName
SubjectUserName = $y.TargetUserName
}
}
This works on a local machine, you may need to make adjustments for working with the domain-level security logs.
The query looks for Interactive logons and "Unlock" type logons. Adjust the query to get the logon types you're interested in.
For your own sanity, it would be a good idea for you to install the PowerShell module PSScripTools and make use of the Convert-EventLogRecord. You don't have to, but without it you'll have to work with the XML found in the EventLorRecord you get back from the Get-WinEvent cmdlet.