get logged on users last 7 days from DC

  • Question

  • I have a list of servers in a txt file and need to find out what users are logged in, or the logon events for the last 7 days.

    Do I need to do this from DC or the local server itself?

    Get-WinEvent -ComputerName xxx -FilterHashtable @{Logname='Security';ID=4624} -MaxEvents 1000  | select Machinename,@{N='Username'; E={$_.Properties[5].Value}}, @{N='LogonType'; E={$_.Properties[8].Value}}, timecreated | out-file logs.txt 

    • Moved by Bill_Stewart Thursday, December 5, 2019 3:36 PM Help vampire
    Tuesday, July 2, 2019 1:02 PM

All replies

  • Something like this? It does not seem to be working when querying the DC.

    $servers = get-content ("C:\Users\p\scripts\servers.txt")
    foreach ($s in $servers){
        Get-WinEvent -Computer dc -FilterHashtable @{Logname='Security';ID=4624;computername=$s} -MaxEvents 1000 |
            select Machinename,@{N='Username'; E={$_.Properties[5].Value}}, @{N='LogonType'; E={$_.Properties[8].Value}}, timecreated |
            out-file logs.txt
    }

    Tuesday, July 2, 2019 1:16 PM
  • Please post code correctly using the code posting tool.  Edit your posts and fix.

    The "select" statement should be outside of the loop and you need to use "ForEach-Object".

    It would be best if you stopped and learned PowerShell instead of just constantly guessing.

    $select = @(
        'Machinename', 
        @{n = 'Username'; e = {$_.Properties[5].Value}}, 
        @{n = 'LogonType'; e = {$_.Properties[8].Value }}, 
        'timecreated' 
    )
    
    get-content C:\Users\p\scripts\servers.txt |
        ForEach-Object{
            Get-WinEvent -ComputerName $_ -FilterHashtable @{Logname='Security';ID=4624} -MaxEvents 1000  
        } | 
        Select-Object $select | 
        out-file logs.txt

    You should also read the full help for all CmdLets that you are trying to use.  It will help you find your mistakes.

    A FilterHash has no property named "Computer".


    \_(ツ)_/


    • Edited by jrv Tuesday, July 2, 2019 1:44 PM
    Tuesday, July 2, 2019 1:44 PM
  • Also note that you will need to use dates to query the range and you will need to extract the logon type and account type from the record.  This is best done with an XML Filter.

    If you search you will find blogs explaining how to do this.


    \_(ツ)_/

    Tuesday, July 2, 2019 1:49 PM
  • Hi

    Can this be done on the DC instead? All the servers are on the domain. Can I query who logged into a list of servers, and when, from the DC?

    Tuesday, July 2, 2019 2:09 PM
  • Not the way you are doing it.  You have to query the DC for 7 days records then decode the account and workstation from the result.

    Start by writing the command to retrieve 7 days of events from the DC.


    \_(ツ)_/

    Tuesday, July 2, 2019 2:28 PM
  • Something wrong here?

    $filter = @{
        Logname   = 'Security'
        ID        = 4624, 4625
        StartTime = [datetime]::Today.AddDays(-7)
        EndTime   = [datetime]::Today
    }
    Get-WinEvent -Computer rtpdc05 -FilterHashtable $filter -MaxEvents 1000

    Get-WinEvent -Computer dc -FilterHashtable $filter -MaxEvents 1000

    Get-WinEvent : No events were found that match the specified selection criteria.
    At line:8 char:1
    + Get-WinEvent -Computer dc -FilterHashtable $filter -MaxEvents 1000
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
     

    Tuesday, July 2, 2019 3:43 PM
  • First learn how to write PowerShell code and carefully read the help.

    "No events" means that there were no events in the security log on that computer.

    Do not add MaxEvents when using time.

    $filter = @{
        Logname = 'Security'
        ID = 4624
        StartTime =  [datetime]::Today.AddDays(-7)
        EndTime = [datetime]::Today
    }
    Get-WinEvent -ComputerName rtpdc05 -FilterHashtable $filter

    You need to take the time to post code correctly so that it is readable and formatted correctly.

    Note that this post is readable as code. 

    Don't add 4625 to the ID.


    \_(ツ)_/



    • Edited by jrv Tuesday, July 2, 2019 3:53 PM
    Tuesday, July 2, 2019 3:49 PM
  • Thanks

    So do I need to filter on the message part of the log, where the account and server name are?

    New Logon:
        Security ID:            S-1-5-21-1947753297-2501007059-3920098978-315314
        Account Name:           xxx
        Account Domain:         xxxxx
        Logon ID:               0x1fa6359da
        Logon GUID:             {3731B70D-30B3-6572-E965-9936A5B2E741}

    Process Information:
        Process ID:             0x0
        Process Name:           -

    Network Information:
        Workstation Name:       -
        Source Network Address: xxxx
        Source Port:            57608

    Tuesday, July 2, 2019 4:22 PM
  • I urgently need to get this info. Sorry, I am trying to figure out how to do this.
    Tuesday, July 2, 2019 4:23 PM
  • Hint …

    $filter = @{
        Logname = 'Security'
        ID = 4624
        StartTime =  [datetime]::Today.AddDays(-7)
        EndTime = [datetime]::Today
    }
    Get-WinEvent -FilterHashtable $filter|
        ForEach-Object{
            [pscustomobject]@{
                WorkstationName =  (([xml]$_.ToXml()).Event.EventData.Data |Where{$_.Name -eq 'WorkstationName'}).'#text'
                TargetUserName = (([xml]$_.ToXml()).Event.EventData.Data |Where{$_.Name -eq 'TargetUserName'}).'#text'
            }
        }


    \_(ツ)_/


    • Edited by jrv Tuesday, July 2, 2019 4:27 PM
    Tuesday, July 2, 2019 4:26 PM
  • You can also convert the whole thing and then filter for what you need.

    $filter = @{
        Logname = 'Security'
        ID = 4624
        StartTime =  [datetime]::Today.AddDays(-7)
        EndTime = [datetime]::Today
    }
    Get-WinEvent -FilterHashtable $filter -max 3|
        ForEach-Object{
            $hash = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object{
                    $hash.Add($_.Name, $_.'#text')
                }
            [pscustomobject]$hash
        } | 
        Select-Object LogonType, SubjectUserName, WorkstationName, TargetUserName


    \_(ツ)_/

    Tuesday, July 2, 2019 4:38 PM
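Editor's note, added to this thread and not posted by either participant: the pieces above (a FilterHashtable with a date range, no -MaxEvents, and decoding the event XML into named fields) fit together as below. Two points worth being explicit about. First, event 4624 is written on the machine where the logon session is created, so the DC's own Security log only describes logons to the DC; its WorkstationName and IpAddress fields are the client that authenticated to the DC, not proof that a user logged on to some other server. For a DC-side view of who accessed the listed servers, the relevant record is the Kerberos service-ticket request, event 4769 (requires "Audit Kerberos Service Ticket Operations"), filtered on ServiceName equal to the server's computer account; that shows a ticket was requested for the server, not that a session was actually established there. Second, -MaxEvents is dropped because Get-WinEvent returns newest-first and the cap would silently truncate the 7-day window. The server list path is the one from the thread; the DC name, the Event Log Readers membership and the "Remote Event Log Management" firewall rule on the targets are assumptions.

```powershell
# Added example; assumes servers.txt has one hostname per line, the caller is in
# Event Log Readers (or is a local admin) on each target, and the Remote Event
# Log Management firewall rule is enabled there.

# Well-known 4624 LogonType codes.
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-EventData {
    # Flatten the <Data Name="..."> elements of an event into one object with named properties.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $h = [ordered]@{ TimeCreated = $Record.TimeCreated; MachineName = $Record.MachineName; Id = $Record.Id }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

function Get-ServerLogons {
    # Query each server's own Security log: 4624 is recorded where the session is created.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Days = 7,
        [int[]]$LogonType = @(2, 10, 11)   # interactive-style logons by default; pass @() for all types
    )
    $filter = @{ LogName = 'Security'; ID = 4624; StartTime = (Get-Date).AddDays(-$Days); EndTime = Get-Date }
    foreach ($c in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop |
                ConvertFrom-EventData |
                Where-Object { $LogonType.Count -eq 0 -or [int]$_.LogonType -in $LogonType } |
                # Drop computer accounts (trailing $) and anonymous logons; keep human accounts.
                Where-Object { $_.TargetUserName -notlike '*$' -and $_.TargetUserName -ne 'ANONYMOUS LOGON' } |
                Select-Object TimeCreated, MachineName, TargetDomainName, TargetUserName,
                    @{ n = 'LogonType'; e = { "$($_.LogonType) ($($LogonTypeName[[int]$_.LogonType]))" } },
                    WorkstationName, IpAddress, LogonProcessName
        } catch {
            # "No events were found" surfaces as an error, not an empty result: report it and continue.
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
}

function Get-ServerTicketRequestsFromDC {
    # DC-side view: successful 4769 service-ticket requests whose ServiceName is a listed
    # server's computer account (HOST$). Shows who requested access, not that a session was created.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string[]]$ServerName,
        [int]$Days = 7
    )
    $wanted = $ServerName | ForEach-Object { ($_.Split('.')[0] + '$').ToUpper() }
    $filter = @{ LogName = 'Security'; ID = 4769; StartTime = (Get-Date).AddDays(-$Days); EndTime = Get-Date }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
        ConvertFrom-EventData |
        Where-Object { $_.ServiceName.ToUpper() -in $wanted -and $_.Status -eq '0x0' } |
        Select-Object TimeCreated, ServiceName, TargetUserName, IpAddress, TicketEncryptionType
}

# Usage (paths and names from the thread; 'dc' is an assumed DC hostname):
$servers = Get-Content C:\Users\p\scripts\servers.txt
Get-ServerLogons -ComputerName $servers | Export-Csv .\server-logons.csv -NoTypeInformation
Get-ServerTicketRequestsFromDC -DomainController dc -ServerName $servers | Export-Csv .\dc-ticket-requests.csv -NoTypeInformation
```

Running the per-server query and the DC-side 4769 query together is useful as a cross-check: a 4769 for SERVER01$ with no matching 4624 on SERVER01 usually means the server's Security log has rolled over, the audit policy there is incomplete, or the request never turned into a session.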