I'm building a script that is going to remove user folders (C:\Users) of those who have not logged in in the last 30 days. I am able to get the information but the output will give me multiple of copies of the same people. Example: johnd and janed have logged
into this computer 10 times, so the output of this script will list those usernames 10 times each. I want to get a list that shows the user 1 time. I hope that I'm clear enough on this stuff but feel free to ask questions.
Write-Host "Setting up..." -ForegroundColor Yellow
Write-Host "Checking for administrative rights..." -ForegroundColor Yellow
## Get the ID and security principal of the current user account.
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent();
$myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID);
## Get the security principal for the administrator role.
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator;
## Check to see if we are currently running as an administrator.
if ($myWindowsPrincipal.IsInRole($adminRole))
{
## We are running as an administrator, so change the title and background colour to indicate this.
Write-Host "We are running as administrator, changing the title to indicate this." -ForegroundColor Green
$Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)";
}
else
{
Write-Host "We are not running as administrator. Relaunching as administrator." -ForegroundColor Yellow
## We are not running as admin, so relaunch as admin.
$NewProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell";
## Specify the current script path and name as a parameter with added scope and support for scripts with spaces in it's path.
$NewProcess.Arguments = "& '" + $script:MyInvocation.MyCommand.Path + "'"
## Indicate that the process should be elevated.
$NewProcess.Verb = "runas";
## Start the new process
[System.Diagnostics.Process]::Start($newProcess);
## Exit from the current, unelevated, process.
Exit;
}
Write-Host "Continuing with setup..." -ForegroundColor Yellow
function Get-LogonHistory
{
$30days = (Get-Date).AddDays(-30)
$logons = Get-EventLog Security -AsBaseObject -InstanceId 4624, 4647 -After $30days |
Where-Object {
($_.InstanceId -eq 4647) `
-or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+2")) `
-or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+10"))
}
$events = $logons | Sort-Object TimeGenerated
if ($events)
{
foreach ($event in $events)
{
## Parse logon data from the Event.
if ($event.InstanceId -eq 4624)
{
## A user logged on.
$action = 'logon'
$event.Message -match "Logon Type:\s+(\d+)" | Out-Null
$logonTypeNum = $matches[1]
## Determine logon type.
if ($logonTypeNum -eq 2)
{
$logonType = 'console'
}
elseif ($logonTypeNum -eq 10)
{
$logonType = 'remote'
}
else
{
$logonType = 'other'
}
## Determine user.
if ($event.message -match "New Logon:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)")
{
$user = $matches[1]
}
else
{
$index = $event.index
Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
}
}
elseif ($event.InstanceId -eq 4647)
{
## A user logged off.
$action = 'logoff'
$logonType = $null
## Determine user.
if ($event.message -match "Subject:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)")
{
$user = $matches[1]
}
else
{
$index = $event.index
Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
}
}
elseif ($event.InstanceId -eq 41)
{
## The computer crashed.
$action = 'logoff'
$logonType = $null
$user = '*'
}
## As long as we managed to parse the Event, print output.
if ($user)
{
$output = New-Object -Type PSCustomObject
Add-Member -MemberType NoteProperty -Name 'UserName' -Value $user -InputObject $output
Write-Output $output
}
}
}
else
{
Write-Host "No recent logon/logoff events."
}
}
Get-LogonHistory
ForEach ($u in $User)
{
Remove-Item -Path C:\Users\ -Exclude *admin*, *helion*, *default*, Public -WhatIf
}
Write-Warning "Press any key to continue...";
$x = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown");
