How to Find Which Computers a User is Logged Into

This article explains how to identify the computers a specific user is currently logged into on a network.

In network environments, particularly within larger organizations, it’s often important to monitor which computers a specific user is logged into. This tracking can be crucial for troubleshooting, security audits or managing user sessions.

Here’s how you can accomplish this across different Windows environments.

Why Track User Logins?

  • Spot unauthorized access or compromised accounts.
  • Troubleshoot application or network issues related to user sessions.
  • Meet audit requirements by keeping login records.

Prerequisites

  • Admin Rights: Necessary for executing remote commands and accessing event logs.
  • Network Permissions: Make sure WMI, RPC, and WinRM are permitted through firewalls.
  • Audit Policies: Activate "Audit Logon Events" in Group Policy for Security logs (you can find this via gpedit.msc > Computer Configuration > Policies > Windows Settings > Advanced Audit Policies).

Methods to Track Logged-In Users

  1. Using Command Line Tools

    • Windows Command Prompt or PowerShell:

      • Open Command Prompt or PowerShell as an administrator.

      • To get quick results, you can use the 'quser' or 'query user' command. Just replace `RemoteComputerName` with the actual name or IP address of the computer you want to check for user sessions.
      • `quser /server:RemoteComputerName`
      • This command will show you who is currently logged into that specific machine.
    • WMIC (Windows Management Instrumentation Command-line):

      • In Command Prompt or PowerShell, you can run the following command:
      • `wmic /node:RemoteComputerName computersystem get username`

      • This will give you the username of the person who is currently logged into the specified computer.
  2. Using Event Logs

    • To filter the Security log for logon events:
      • First, log into any Domain Controller or a machine that has access to the event logs.
      • Then, open up Event Viewer by typing eventvwr.msc in the Run dialog (you can do this by pressing the Windows key + R).
      • Next, navigate to Windows Logs and select Security.
      • From there, you can filter for Event ID 4624 (which indicates a Logon) or 4778 (which shows a Reconnect to an existing terminal service session). Make sure to look for entries that match the username you’re investigating. This approach will help you track down past logins, including the source computer.
  3. Third-Party Tools

    1. PsLoggedOn (Sysinternals)
      • To check logged-on users, use: `psloggedon \\RemotePC`
      • Output: You'll see both local and network users.
      • Download: Grab the Sysinternals Suite.
    2. Enterprise Tools:
      • Netwrix Auditor: This tool keeps tabs on logins and creates compliance reports.
      • ManageEngine ADAudit Plus: It offers real-time monitoring of user activity.
  4. Manual Methods

    • Task Manager (Local Machine): Simply open Task Manager (Ctrl+Shift+Esc) and head to the "Users" tab.
    • Remote Desktop Services Manager: If you're on a Windows Server, you can use tsadmin.msc to check RDP sessions.
  5. Advanced Methods

    • Microsoft Endpoint Configuration Manager (SCCM): This lets you query user sessions across all managed devices.
    • ADSI Queries: You can utilize the LogonServer attribute in Active Directory, but keep in mind this is limited to domain logins.
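
A scripted form of the Event Logs method (method 2) above, added here as an example and not taken from the original article: it pulls Event ID 4624 and 4778 records from one or more Security logs and returns the entries for one user together with the source computer. The function name Get-UserLogonEvent and the names DC01 and jdoe are assumptions made for illustration.

```powershell
# Added example, not the article's code. 'DC01' and 'jdoe' below are placeholders.
function Get-UserLogonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Hours = 24
    )
    # Server-side filter: log, event IDs and time window. The user match is done
    # client-side so it is case-insensitive and covers both field names.
    $filter = @{ LogName = 'Security'; Id = 4624, 4778; StartTime = (Get-Date).AddHours(-$Hours) }
    $typeName = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Unreachable host, access denied, or no matching events in the window.
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Flatten <Data Name="...">value</Data> elements into a hashtable.
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # 4624 names the account TargetUserName; 4778 names it AccountName.
            $isLogon = $e.Id -eq 4624
            $account = if ($isLogon) { $d['TargetUserName'] } else { $d['AccountName'] }
            if ($account -ine $UserName) { continue }

            [pscustomobject]@{
                Time       = $e.TimeCreated
                LoggedBy   = $computer
                EventId    = $e.Id
                User       = $account
                LogonType  = if ($isLogon) { "$($d['LogonType']) $($typeName[$d['LogonType']])" } else { 'Session reconnect' }
                SourceHost = if ($isLogon) { $d['WorkstationName'] } else { $d['ClientName'] }
                SourceIP   = if ($isLogon) { $d['IpAddress'] } else { $d['ClientAddress'] }
            }
        }
    }
}

# Usage: last 8 hours of logon and reconnect events for one account.
Get-UserLogonEvent -UserName 'jdoe' -ComputerName 'DC01' -Hours 8 |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Each host's Security log holds only the logons that host recorded, so list every machine of interest in -ComputerName; on a busy server, keep -Hours small because the user match happens after the events are retrieved.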

       

Considerations

  • Network Access: Make sure you have administrative rights on the computers you’re checking or at the domain level.
  • Privacy & Security: Always be aware of privacy policies when monitoring user logins.
  • Performance: Running bulk checks can be resource-heavy, especially in larger networks, so try to schedule them during off-peak hours if you can.

FAQ