
User Logon/Logoff Information using Powershell

Tags:

powershell

I want to be able to check a remote computer's user logon/logoff sessions and times and I have the following code that I got from stackoverflow, but I cannot figure out how to tell the script to check a remote computer:

$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProeprty = @{n="Time";e={$_.TimeGenerated}}

Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProeprty

I did throw in a $Computername variable and a Foreach loop statement like in the following to try and get it to run on a remote computer, but it keeps checking the local system that I am on, not the remote system:

$Computername = Read-Host "Enter Computername Here"

Foreach ($Computer in $Computername)

    {
        $UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
        $TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
        $TimeProeprty = @{n="Time";e={$_.TimeGenerated}}

        Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProeprty
    }
MrRatzlaff asked Mar 13 '26 00:03


1 Answer

I know this is an old question, but no answer was ever accepted. One of the problems is that the script doesn't show which machine the user was logged into. Anyway, I fixed it up (including the typo).

Get-LogonHistory.ps1:

param(
    # One or more computer names; defaults to the local machine.
    [alias("CN")]
    $ComputerName="localhost"
)

# Calculated properties: translate the SID stored in the event to an account name,
# and label event 7001 as a logon and any other Winlogon event as a logoff.
$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
$MachineNameProperty = @{n="MachineName";e={$_.MachineName}}

foreach ($computer in $ComputerName) {
    # -ComputerName makes Get-EventLog read the System log of the remote machine.
    Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer | select $UserProperty,$TypeProperty,$TimeProperty,$MachineNameProperty
}

With this, it will show which machine the user logged into. Multiple remote computers can be passed into the command line with commas between each (no spaces).

supercheetah answered Mar 14 '26 17:03
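A variant of the script above built on Get-WinEvent, added here as an example and not part of the original answer: Get-EventLog is not available in PowerShell 6 and later, and SecurityIdentifier.Translate throws when a SID cannot be resolved. The function name Get-LogonHistoryWinEvent and the -MaxEvents parameter are assumptions made for this example.

```powershell
# Added example, not the answer author's code. The function name is hypothetical.
function Get-LogonHistoryWinEvent {
    param(
        [Alias("CN")]
        [string[]]$ComputerName = "localhost",
        [int]$MaxEvents = 200   # assumed default to keep remote queries short
    )

    # Same records the answer reads: Winlogon 7001 (logon) and 7002 (logoff) in the System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Winlogon'
        Id           = 7001, 7002
    }

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
        }
        catch {
            # Unreachable host, access denied, or no matching events: report and move on.
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($evt in $events) {
            # Properties[1] holds the user SID, the same field as ReplacementStrings[1].
            $sid = [string]$evt.Properties[1].Value
            try {
                $user = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                # Deleted accounts and the remote machine's local accounts cannot be
                # resolved from here, so keep the raw SID instead of dropping the event.
                $user = $sid
            }

            [pscustomobject]@{
                User        = $user
                Action      = if ($evt.Id -eq 7001) { "Logon" } else { "Logoff" }
                Time        = $evt.TimeCreated
                MachineName = $evt.MachineName
            }
        }
    }
}

Get-LogonHistoryWinEvent -ComputerName localhost | Format-Table -AutoSize
```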
