Need to find every workstation that a user has logged on to? Security event logs rolled over or you can’t otherwise get that info from the domain controllers? Here is a way to get it.
Normally, you could simply query the security event log on your domain controllers to find this information. The caveat is that the logs eventually get full, and purge/overwrite/rollover, making finding the necessary data impossible. You can get around this to some extent by using a log repository, such as the one contained in SCOM, or something like LogLogic, SysLog, or Splunk.
But, let’s pretend you don’t have any of those solutions in place, and your logs have rolled over. The inforamtion is still available, if you look for it.
On recent Windows workstations, each user has their own profile directory. Unless local profiles are turned off, then you can check each workstations for the existence of a user profile that matches the user name in question. The user profiles live in the following location:
C:\Users\
Pretty obvious, eh? Just in case you didn’t know …
Rather than attempt attaching to each machine in turn to determine if the profile directory exists, a scripted solutoin is called for in order to query a large number of machines for the information. This gets our data quickly, and efficiently, with a minimum of labor. And we all know system administrators are lazy, don’t we?
The following script utilizes PowerShell and the Active Directory module. It gets a list of computers from Active Directory, in the OU specified, and queries for the existence of the designated username-based path. It’s important to note that when testing the path, the script matches the passed username with a wildcard match afterward. For example, if we search for a user called MyUser, all of the following will be found:
C:\Users\MyUser
C:\Users\MyUser.Domain
C:\Users\MyUser.Local
C:\Users\MyUser.tld
This script has one paramater UserToSearchFor. So to call the script, simply type:
.\Find-UserProfiles.ps1 MyUserName
Where MyUserName is the SamAccountName or username that you want to find.
Before running this script on your own domain, don’t forget to modify the $ADSearchBase variable to reflect your domain. Otherwise, you’ll just get a bunch of red on your screen.
The script is below, in all its simplicity. Any questions, comments, concerns, or gripes, just put in a comment below, or start a thread in the forums. Have a great day!
Param(
[Parameter(Mandatory=$True,Position=1)]
[String]$UserToSearchFor
)
$ADFilter="*"
$ADSearchBase="OU=Computers,DC=MyDomain,DC=MyTLD"
$ComputerList=Get-ADComputer -filter $ADFilter -SearchBase "$ADSearchBase" -SearchScope Subtree
$NumberOfComputers=$ComputerList.Count
$CurrentHostNumber=1
write-host "Searching for profile directories for $UserToSearchFor`n"
ForEach($Computer in $ComputerList){
$PathToTest="\\" + $Computer.Name + "\c$\users\$UserToSearchFor*"
write-progress -activity "Checking remote hosts for $UserToSearchFor" -status $Computer.Name -percentcomplete (($CurrentHostNumber/$NumberOfComputers)*100)
if((Test-path -path $PathToTest) -eq $True) {
write-host $PathToTest
}
$CurrentHostNumber++
}
write-host "`nSearch Complete.`n"