A great little command for auditing and troubleshooting purposes, it has to be run on your DC, it searches through the Security event logs on your server and prints out the results to a CSV.
get-eventlog “Security” | where {$_.Message -like “User” -AND “Source Network Address”} | export-csv C:\Temp\ADLoginAudit.csv
Please scroll down through the CSV, and you will find the search result with the answer you’re looking for, similar to the example result below:
New Logon:
Security ID: S-1-xxxxxx
Account Name: User
Account Domain: DomainName
Logon ID: 0xxxxxxx
Logon GUID: xxxxxxx
Network Information:
Workstation Name: Workstation Name
Source Network Address: local IP address
Source Port: xxxxx