User Hunt
PS > Find-DomainUserLocation -UserIdentity snovvcrash

Sessions Enum

Derivative Local Admins

Pen Testing Active Directory Environments (Varonis).pdf

Logon Events

Search for the IPs from which the user of interest logged on to the current machine (event 4624):
PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat
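
The same 4624 lookup done on the event's structured fields, as an added example that is not part of the original notes: it matches `TargetUserName` rather than any mention of the name in the message text and returns the source IP and logon type as objects. The function name `ConvertFrom-LogonEventXml` and the two sample events are constructed for illustration.

```powershell
function ConvertFrom-LogonEventXml {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml,
        [Parameter(Mandatory)] [string] $UserName
    )
    process {
        $e = ([xml]$EventXml).Event
        if ($e.System.EventID -ne '4624') { return }
        # Index the <Data Name="..."> children of EventData by name
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        # Match the account that logged on (TargetUserName), not any mention in the message
        if ($d['TargetUserName'] -ne $UserName) { return }
        [pscustomobject]@{
            TimeCreated = $e.System.TimeCreated.SystemTime
            LogonType   = [int]$d['LogonType']   # 3 = network, 10 = RemoteInteractive
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    }
}

# Constructed sample events (trimmed to the fields used; not real log data)
$sample = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z" /></System>
  <EventData>
    <Data Name="TargetUserName">snovvcrash</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T10:05:00Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">snovvcrash</Data>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@
)
$sample | ConvertFrom-LogonEventXml -UserName 'snovvcrash' | Format-Table -AutoSize
# Live Security log (elevated prompt):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | % { $_.ToXml() } | ConvertFrom-LogonEventXml -UserName 'snovvcrash'
```

Only the first sample event is returned; the second mentions the name as `SubjectUserName` and would have been picked up by a plain message-text match.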