I'm about at my wit's end here trying to figure this out. I need to run a script at user login that can rewrite a config file containing the current user's UPN suffix, and that config file is not accessible to users so I have to run as system context (otherwise whoami /upn solves all my problems). Thanks to COVID I need to support both users physically logged in to the machine and RDP users.

What I have now:

1. HKU\\\[sid\]\\Volatile Environment - This contains the domain DNS name of all users logged in to the computer. Excellent, but if you switch users then all logged in users have this key so it doesn't tell you who is actively using the computer.
2. qwinsta - This contains the username (sAMAccountName) of the active user. This seems to work regardless of logon method, when the state is active it seems to be the username of the user that is actively logged in and using the computer.
3. Get-WmiObject -Class win32\_ComputerSystem | select username - This gives \[domain\]\\\[username\] which works just fine for me, but returns null for RDP connections

The issue:

Our sAMAccountNames are not unique across the forest, so I need to have the context of the domain to look up the user. In the event that I'm logged on as [[email protected]](mailto:[email protected]) and [[email protected]](mailto:[email protected]) via RDP at the same time those three methods all fail to tell me what user is actually currently using the computer (1 gives me multiple users, 2 gives me two of the same usernames, 3 gives me $null).

This very much seems like a solvable problem, but so far I haven't been able to Google my way out of this one. Really hoping there's something obvious that I've missed at this point.