Best way to find the computer a user last logged on from?

As part of our logon script I have that information (and more) logged into a hidden share on a server, with one log file per user. A logoff scripts adds the time the user logged off to the same log file. Easy to set up, no cost and the information is there in an easy to read format.

We do this via logon script which updates the computer object's description in AD.

You need to perform a custom delegation of control to allow "Authenticated Users" to write the description property of computer objects in the domain/s.

Once that's done, all you need is a script that generates whatever information you want and writes the properties to the computer object. This script is then assigned as a login script via a Group Policy object linked to the domain.

We put a timestamp, username, IP(s) in the description field. The timestamp comes first because it makes it easy to quickly see "old" computer objects by sorting on the description field.

Here's the script I wrote for this if you want to use it as a starting point:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo") 'Bind to AD
Set objNet = CreateObject("WScript.Network")

strCompDN = objSysInfo.ComputerName 'DN for computer, e.g. "CN=VISTAWORKSTATION,OU=Child OU Name,OU=Parent OU Name,DC=domain,DC=com"
Set objComp = GetObject("LDAP://" & strCompDN) 'IADsComputer object

strUserDN = objSysInfo.UserName 'DN for user, e.g. "CN=John Smith,OU=Child OU Name,OU=Parent OU Name,DC=domain,DC=com"
Set objUser = GetObject("LDAP://" & strUserDN) 'IADsUser object

strUsrLogin = LCase(objNet.UserName)

strNow = Now
strDateStamp = DatePart("yyyy",strNow) & _
    Right("0" & DatePart("m",strNow), 2) & _
    Right("0" & DatePart("d",strNow), 2) & _
    "@" & _
    Right("0" & DatePart("h",strNow), 2) & _
    Right("0" & DatePart("n",strNow), 2)

'RegExp object used to perform a simple match on IP address
Set objRE = New RegExp
objRE.IgnoreCase = True
'Note this regexp pattern isn't "correct" for matching an IPv4 address properly, but since WMI will return an
'array of IP addresses, this is sufficient to distinguish IPv4 vs IPv6
objRE.Pattern = "^\d+\.\d+\.\d+\.\d+$"

strIP = ""

'Connect to WMI and retreive all network adapters
Set objWMI = GetObject("winmgmts:")
Set colNICs = objWMI.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration")

'Get the IP(s) assigned to whichever network adapter has our default gateway
If colNICs.Count > 0 Then
    For Each objNIC in colNICs
        If IsArray(objNIC.DefaultIPGateway) Then
            arrIP = objNIC.IPAddress
            For i = 0 To UBound(arrip)
                If objRE.Test(arrIP(i)) Then strIP = strIP & " " & arrIP(i)
            Next
            strMAC = objNIC.MACAddress
        End If  
    Next
End If

strIP = Trim(strIP)

objComp.Description = strDateStamp & " " & strUsrLogin & " " & strIP
objComp.Put "extensionAttribute1", strUsrLogin
objComp.Put "extensionAttribute2", strIP
objComp.Put "extensionAttribute3", strMAC

objComp.SetInfo

I had to achieve the same result for similar reasons; somehow determine which machine a specific user logged in from. I wanted to know "before the fact", and couldn't change user login scripts as discussed above.
I used powershell on the DC that the user was authenticating against to parse the Security event log:

get-eventlog "Security" | where {$_.Message -like "*Username*" -AND "Source Network Address"} | export-csv C:\Temp\test.csv

Crack open the .csv with excel or your fav editor and look for the most recent entry that shows both the Account Name (Username) and the Source Network Address within the same event.
This might not be a 100% reliable solution (depending on DHCP lease times, etc.), but it worked for me.

You can enable auditing for account logon events. These events (including workstation unlock) will be stored in the DC's security log.

There are also third party tools that can make this easier, such as True Last Logon.

I just write the user name (as well as other info, like date and time, some program versions and so on) into the computer description using a logon script. That way I can pull all the info from AD Users & Computers quickly and easily, and as a bonus have a good way of identifying which PCs still in AD haven't been used in a while (and are therefore most likely dead machines).

ThatGraemeGuy, thanks for excellent script! I had to rewrite it in PowerShell, but it still works.

$CompDN = "(&(objectCategory=computer)(objectClass=computer)(cn=$env:COMPUTERNAME))"
$strCompDN = [string]([adsisearcher]$CompDN).FindOne().Properties.distinguishedname
$objComp = [ADSI]("LDAP://"+$strCompDN)

# quit if computer is a server or DC
if (($strCompDN -like '*Controller*') -or ($strCompDN -like '*SERVER*')) { exit }

$strUsrLogin = $env:username
$strDateStamp = Get-Date -f 'yyyy-MM-dd@HH:mm'
$IPPattern = "^\d+\.\d+\.\d+\.\d+$"

$colNICs = gwmi Win32_NetworkAdapterConfiguration
if ($colNICs.Count -gt 0) {
foreach ($objNIC in $colNICs){
        if ($objNIC.DefaultIPGateway) {
            $arrIP = $objNIC.IPAddress
            for ($i=0; $i -lt $colNICs.Count; $i++) { 
            if ($arrIP[$i] -match $IPPattern) { $strIP = $arrIP[$i]; $strMAC = $objNIC.MACAddress }
            }
        }
    }
}

$objComp.Description = $strDateStamp + " - " + $strUsrLogin + " - " + $strIP
$objComp.extensionAttribute1 = $strUsrLogin
$objComp.extensionAttribute2 = $strIP
$objComp.extensionAttribute3 = $strMAC
$objComp.SetInfo()

The trick to knowing for certain where users last logged in aside from suggestions from Adam is log aggregation. If you have multiple domain controllers you either have to check them all, or centralize your logging and then check the single log.

Some, maybe even most, third party tools are smart enough to query all the domain controllers. But if you're thinking of writing a script to parse it out yourself I can't argue strongly enough for centralization of your logs.

Ideally, You would capture the following for your CSIRT Team to assist in invstigations.

userid logging in with workstation name MAC address IP address Date/Timestamp login type (rdp, interfactive etc)

Then dump that into a sql command into a database that they can query. Bits and pieces are logged all over the place, but recording this saves time pulling the data from DHCP/WINS servers etc...

I was going to add this as a comment to marcusjv's answer above, but I dont have the reputation so a separate answer will have to do:

In that expression -AND "Source Network Address" will always evaluate to TRUE

I think what you need is: get-eventlog "Security" | where {$.Message -like "*username*" -AND $.Message.contains("Source Network Address")}

Only way to have very latest information is thru log foraging. Use a tool like Microsoft Operations Manager or free tool like snare to aggregate interesting event logs from server into central place (normal text files or SQL database) and then use tools like logparser or SQL queries to generate the report you want.

for finding different event IDs for different events go thru Event Log Encyclopedia

Let me know, if you want to follow this route, I can help you create the appropriate queries for logparser.