Obtaining Partial Information - Powershell

  • Question

  • Hey guys! So my problem is that I'm trying to pull a list of display names of the last users logged in from a list of machines. The only way I know of how to do this is to pull the username from the registry and run an ADUC query with the username to pull their display names. However, the registry specifies domain\username instead of just the username so the ADUC query doesn't work. Is there a way to leave the domain off or to take it off? The code I have so far is this:

    $list = Get-content targets.txt
    Foreach($_ in $list) {
        $UserED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnUser
        $SAMED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnSAMUser
        $SamUser = Get-ADUser ($SAMED).Data -properties *
        $User = Get-ADUser ($UserED).Data -properties *
            @('Name','LastAccessedEDIPI','LastUserAccessed','LastLoggedOnEDIPI','LastUserLoggedOn')
            New-Object PSObject -Property @{
                Name = ($SAMED).ComputerName
                LastAccessedEDIPI = ($UserED).Data
                LastUserAccessed = ($User).DisplayName
                LastLoggedOnEDIPI = ($SAMED).Data
                LastUserLoggedOn = ($SAMUser).DisplayName
            } | Export-csv Results.csv -notypeinformation -append}

    Any ideas?

    Friday, November 21, 2014 2:41 PM

Answers

  • Try:

    $SAMED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnSAMUser
    $SAMED = $SAMED.split('\')[1]


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    • Marked as answer by McCoid1017 Friday, November 21, 2014 4:31 PM
    Friday, November 21, 2014 3:01 PM
    Moderator

All replies

  • I think this would probably work as well: 

    $SAMED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnSAMUser | split-path -leaf

    Friday, November 21, 2014 3:13 PM
  • This seems to work however when I plug it into a script it returns null values. Here's what I have now:

    $list = Get-content targets.txt
    Foreach($_ in $list) {
        $UserED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnUser
        $UserEDcon = (($UserED).Data).Split('\')[1]
        $SAMED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnSAMUser
        $SAMEDcon = (($SAMED).Data).Split('\')[1]
        $SamUser = Get-ADUser ($SAMEDcon).Data -properties *
        $User = Get-ADUser ($UserEDcon).Data -properties *
            @('Name','LastAccessedEDIPI','LastUserAccessed','LastLoggedOnEDIPI','LastUserLoggedOn')
            New-Object PSObject -Property @{
                Name = ($SAMED).ComputerName
                LastAccessedEDIPI = ($UserED).Data
                LastUserAccessed = ($User).DisplayName
                LastLoggedOnEDIPI = ($SAMED).Data
                LastUserLoggedOn = ($SAMUser).DisplayName
            } | Export-csv Results.csv -notypeinformation -append}

    If I do the split without using variables it works perfectly. But as soon as I use variables, it seems to empty or not assign them correctly. What do you think is going on?

    Friday, November 21, 2014 4:06 PM
  • Not sure.  Get-RegValue appears to be a function that's not included with the posted code, so it's impossible to test.

    Other than that, while this technically will work:

    Foreach($_ in $list) 

    Using $_ like that is very bad practice.  $_ is an automatic variable reserved for use in the pipeline.  You should use a user-defined variable, like $computername as the enumerator in a Foreach loop:

    Foreach($computername in $list) 


    Friday, November 21, 2014 4:15 PM
    Moderator
  • Does this work any better?

    $list = Get-content targets.txt | % {
        $UserED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnUser | split-path -leaf
        $SAMED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnSAMUser | split-path -leaf
        $SamUser = Get-ADUser $SAMED -properties *
        $User = Get-ADUser $UserED -properties *
        New-Object PSObject -Property @{
            Name = $_
            LastAccessedEDIPI = $UserED
            LastUserAccessed = $User.DisplayName
            LastLoggedOnEDIPI = $SAMED
            LastUserLoggedOn = $SAMUser.DisplayName
        }
    } | Export-csv Results.csv -notypeinformation -append



    • Edited by Braham20 Friday, November 21, 2014 4:46 PM
    Friday, November 21, 2014 4:16 PM
  • I figured it out... I forgot to take the ".Data" off of the new variable I created -_-

    $list = Get-content targets.txt
    Foreach($_ in $list) {
        $UserED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnUser
        $UserEDcon = (($UserED).Data).Split('\')[1]
        $SAMED = Get-RegValue -ComputerName $_ -Key Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -Value LastLoggedOnSAMUser
        $SAMEDcon = (($SAMED).Data).Split('\')[1]
        $SamUser = Get-ADUser $SAMEDcon -properties *
        $User = Get-ADUser $UserEDcon -properties *
            @('Name','LastAccessedEDIPI','LastUserAccessed','LastLoggedOnEDIPI','LastUserLoggedOn')
            New-Object PSObject -Property @{
                Name = ($SAMED).ComputerName
                LastAccessedEDIPI = ($UserED).Data
                LastUserAccessed = ($User).DisplayName
                LastLoggedOnEDIPI = ($SAMED).Data
                LastUserLoggedOn = ($SAMUser).DisplayName
            } | Export-csv Results.csv -notypeinformation -append}

    Here is the code for the working product. Thanks for all the help! :)
    Friday, November 21, 2014 4:32 PM
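
Added example, not code from the thread or its participants: `.Split('\')[1]` yields `$null` when the stored value has no backslash, and a local account cannot be resolved in AD, so this version normalizes the registry string before calling `Get-ADUser` and requests only `DisplayName`. `Split-LogonName`, `Resolve-DisplayName`, the machine name `WS01` and all sample values are hypothetical and constructed for illustration.

```powershell
# Added example; function names and sample data are hypothetical.
function Split-LogonName {
    param([string]$Raw, [string]$ComputerName)
    # Empty or missing registry data: nothing to resolve.
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $domain, $user = $null, $Raw.Trim()
    if ($user -match '^(?<d>[^\\]+)\\(?<u>.+)$') {
        # DOMAIN\user form
        $domain, $user = $Matches.d, $Matches.u
    } elseif ($user -match '^(?<u>[^@]+)@(?<d>.+)$') {
        # user@domain form
        $domain, $user = $Matches.d, $Matches.u
    }
    [pscustomobject]@{
        Raw     = $Raw
        Domain  = $domain
        User    = $user
        # "." or the machine's own name marks a local account, which AD cannot resolve.
        IsLocal = ($domain -eq '.') -or ($ComputerName -and $domain -eq $ComputerName)
    }
}

function Resolve-DisplayName {
    param($Name)
    if (-not $Name -or $Name.IsLocal) { return $null }
    try {
        # Ask only for the attribute that is needed instead of -Properties *.
        (Get-ADUser -Identity $Name.User -Properties DisplayName -ErrorAction Stop).DisplayName
    } catch {
        $null   # account not found, or the ActiveDirectory module is not available
    }
}

# Constructed sample registry values (not taken from the thread).
$samples = 'CONTOSO\jdoe', '.\localadmin', 'WS01\helpdesk', 'jdoe@contoso.example', 'jdoe', ''
foreach ($raw in $samples) {
    $name = Split-LogonName -Raw $raw -ComputerName 'WS01'
    [pscustomobject]@{
        Raw         = $raw
        User        = $name.User
        IsLocal     = $name.IsLocal
        DisplayName = Resolve-DisplayName $name
    }
}
```

Rows with an empty `DisplayName` are the ones to review by hand: local accounts, unknown accounts, or machines whose value was empty.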