{
	"id": "1a167b0d-2456-4d13-a5c3-6a15f57fa181",
	"created_at": "2026-04-06T01:29:57.031458Z",
	"updated_at": "2026-04-10T13:11:40.431179Z",
	"deleted_at": null,
	"sha1_hash": "df6873b166e862477fd745fd6561f9434ecd50f0",
	"title": "Free tool : Find out where your AD Users are logged on into",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61582,
	"plain_text": "Free tool : Find out where your AD Users are logged on into\r\nBy corelanc0d3r\r\nPublished: 2009-07-12 · Archived: 2026-04-06 01:06:47 UTC\r\nHi,\r\nI decided to release another free utility I wrote a while ago. This small command-line utility can be used to find\r\nout where Active Directory users are logged on into, and/or to find out who is logged on on specific machines. \r\nThis should include local users, users that are logged in via RDP, user accounts that are used to run services and\r\nscheduled tasks (only when the task is running at that time).  I have not fully tested all scenario’s yet, but the first\r\nresults look quite ok.\r\nYou can download the utility from https://www.corelan.be/index.php/my-free-tools/ad-cs/pve-find-ad-user/. You\r\nneed .Net framework 2.0 on the machine that you are running the tool off, and you also need to have admin access\r\non the  computers you are running the utility against.\r\nThe tool is compiled on a 32bit system, but it should run fine on 64bit systems as well.\r\nOpen a command prompt and start the utility without parameters :\r\n -----------------------------------------\r\n PVE Find AD Users\r\n Peter Van Eeckhoutte\r\n (c) 2009 - http://www.corelan.be\r\n Version : x.x.x.x\r\n -----------------------------------------\r\n Syntax : pveFindADUser.exe \u003cparameters\u003e\r\n Valid parameters are :\r\n -h\r\n show help\r\n -u\r\n check for updates\r\n -v\r\n show a little bit more info (verbose)\r\n -current [\"username\"]\r\n The -current parameters shows the currently logged on user on each PC\r\n in the domain. If you specify a username (between quotes), then only\r\n the PC's where that specific user is logged on will be displayed.\r\nhttps://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/\r\nPage 1 of 3\n\nIf you don't specify a username, all PC's with logged on users will be\r\n displayed in the report.\r\n -last [\"username\"]\r\n The -last parameters shows the last logged on user on each PC in the domain.\r\n If you specify a username (between quotes), then only the PC's where that\r\n user has logged on last time will be shown\r\n If you don't specify a username, all PC's with the last logged\r\n on users will be reported.\r\n In both cases, the username should contain the domain name !\r\n (DOMAIN\\username)\r\n If you specify DOMAIN\\*username* (with 2 asterisks), then\r\n all users containing the 'username' string will be displayed\r\n -noping\r\n Do not ping target computer before trying to enumerate user logons\r\n -p \u003cnr of pings\u003e\r\n If ping is enabled, set number of pings for verifying that host is alive\r\n If -p is not specified, 2 pings will be sent\r\n -rootpath rootpath\r\n Where rootpath is written in distinguishedName notation\r\n Example : OU=Computers,dc=domain,dc=com\r\n -target hostname.domain.com,hostname2.domain.com,hostname3.domain.com\r\n Optional parameter that allows you to specify the list of hosts\r\n (fqdn) to run the query against\r\n Without this -target parameter, queries will be executed against\r\n all hosts in the current domain\r\n -stopfound\r\n Stop searching when first match has been found.\r\n This parameter works only when looking for currently logged on users\r\n Output will be written to console and to a file called report.csv\r\nWhile most options are self-explanatory, I’ll go through them anyway :\r\n-h : show help. Not much to say about that.\r\n-u : check if there is an updated version of the utility. You can use this parameter in conjunction with other\r\nparameters\r\n-current [“username”] : This parameter can do 2 things. If you only specify  -current  then the utility will simply\r\nget all currently logged on users on all target machines.  If you specify a username (DOMAIN\\Username) then\r\nonly the computers where this user is logged on, will be displayed.  The utility will try to get the current logged on\r\nusers from the registry first. If that fails, it will try to get the users via WMI. When the users are collected via\r\nWMI, you may see the user account that you are using the run the utility as a logged on user. This user may not be\r\nhttps://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/\r\nPage 2 of 3\n\nlogged on interactively, it just may show up because you are connecting to the host via WMI. Just be aware of\r\nthis.\r\n-last [“username”] : This parameter can do 2 things as well.  If you only specify  -last   then the utility will\r\nattempt to get the last logged on user on the target  computer. If you specify a username ( DOMAIN\\Username)\r\nthen only the computers that have this user account as last logon, will be displayed.  Note that, depending on your\r\ncompany policy, the last logon username may be hidden and the tool may not be able to get it.\r\n-noping : this option will prevent the tool from performing a ping (well, in fact, by default the tool does 2 pings)\r\nbefore trying to get the user logon information.\r\n-target : this optional parameter allows you to specify the hosts to query.  If you don’t specify this -target\r\nparameter, then all hosts in the current domain will be queried.  If you decide to specify -target, followed with a\r\ncomma-separated list of hostnames, make sure to use the FQDN of the target hosts.\r\nIn its most simple form, you could just run  pveadfinduser.exe -current   to  show all currently logged on users on\r\nall machines (computers, servers, domain controllers, ...) in the domain.\r\nThe tool will write the output of the queries into a csv file called report.csv. This file will contain the following\r\nfields :\r\ncomputername, username, mode and technique.\r\nMode can be \"current\" (for currently logged on users) and \"last\" (for last logged on users).  Technique can be\r\n\"registry\" or \"wmi\", depending on the technique that was used to gather the information.\r\n© Corelan Consulting BV. All rights reserved. The contents of this page may not be reproduced, redistributed, or\r\nrepublished, in whole or in part, for commercial or non-commercial purposes without prior written permission\r\nfrom Corelan Consulting bv. See our Terms of Use \u0026 Privacy Policy (https://www.corelan.be/index.php/legal) for\r\nmore details.\r\nSource: https://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/\r\nhttps://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/"
	],
	"report_names": [
		"free-tool-find-where-ad-users-are-logged-on-into"
	],
	"threat_actors": [],
	"ts_created_at": 1775438997,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df6873b166e862477fd745fd6561f9434ecd50f0.pdf",
		"text": "https://archive.orkl.eu/df6873b166e862477fd745fd6561f9434ecd50f0.txt",
		"img": "https://archive.orkl.eu/df6873b166e862477fd745fd6561f9434ecd50f0.jpg"
	}
}