Find out logins RRS feed

  • Question

  • Hi All,

    I have been tasked to find out a particular user login/logoff times for a period of 2-3 months.

    Obviously, there are tonnes of software available which claims to do auditing but I am wondering if there is a powershell script available to fulfill my request.
    Had done a google search but not seen any obvious answer to my question.

    I found an oneline which is not quite adequate since it would not tell me the username and found complex long scripts which, according to reviews mainly did not work so users would spend days to figure out whats wrong with the script. Since most of these scripts were tailored to a particular organization, any small change would result the script to fail.

    So if you have any idea ant suggestion on how could I accomplish my task, I would be really grateful

    Kind regards


    • Edited by The Guy from MK Monday, May 8, 2017 4:13 PM
    • Moved by Bill_Stewart Friday, July 7, 2017 6:53 PM This is not "research solution for me" forum
    Monday, May 8, 2017 4:12 PM


All replies

  • You will have to query every systems event log.  If the event logs are default size then yuo will not get 3 months.

    Look in the Gallery for scripts that will do this.


    Monday, May 8, 2017 4:24 PM
  • For the past 2-3 months, scripts that query the system event logs, as jrv suggested, are best. For the future, you can use Group Policy (assuming an AD domain) to configure logon and logoff scripts that append information to a shared log file. An example logon script can be as simple as the following batch file:

    @echo off
    echo Logon;%date% %time%;%computername% %username% >> \\MyServer\LogFile\Domain.log

    The logoff script would be the same, except replace the string "Logon" with "Logoff". The resulting file can be imported into Excel (the fields are semicolon delimited) and sorted by user and date. Or I have scripts that parse such a log file for sessions (combination of user and computer) and calculate how long the user was logged on.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, May 8, 2017 5:07 PM
  • Thanks for the reply.

    Have tried it and managed to get the daily log off times.
    Currently I am filtering to get logon times since I have so many different logon times with different Event ID and not sure which one would be the actual logon time.

    Tuesday, May 9, 2017 10:32 AM
  • You will have to learn how to read events and look up the event definitions.  If you search you will find that There are many blogs and posts describing how to do this. Example:


    • Edited by jrv Tuesday, May 9, 2017 1:05 PM
    Tuesday, May 9, 2017 1:04 PM
  • if your computers are joined to domain, I have written a powershell script that tracks the user logon history. Unfortunately, I haven't had time to update the script to include the logoff information. Check the script from the below link.

    Sunday, May 28, 2017 7:14 PM
  • Thanks will give it a try.:-)
    Monday, July 17, 2017 1:27 PM