Requesting PowerShell Assistance - File Last access time/user

  • Question

  • I'm creating a script that tracks file ownership/size/last access.  So far I have this: 

    Get-ChildItem -Path "c:\DB\Users" -Recurse -File | Select-Object name,@{n="size";e={$_.length/1kb}},@{n="owner";e={(get-acl $_.fullname).owner}}

    I can't seem to get how to add "last access" and by user.  Can this be done??

    Many Thanks in Advance!!!!!

    -Steve

    Monday, May 13, 2019 8:52 PM

Answers

  • No.  Access is not tracked by who accessed the file.  To do that you would need to configure file auditing.

    "LastAccess" is "LastAccessTime"


    \_(ツ)_/

    Monday, May 13, 2019 9:03 PM
  • Last access isn't stored in the file table. The only way to get that information is by configuring File Object Auditing and regularly scanning that. https://www.lepide.com/how-to/track-who-read-files-on-your-windows-file-servers.html covers the file auditing setup process. You would then need to examine the event logs for success events on read attempts to view who used the file and when. get-eventlog would be the cmdlet you would use, but understand that the audit logs can get filled up fast, so it's important to have your script regularly scanning logs for this information. Or you can use Manage Engine's DataSecurity+ tool for automating much of this work and storing it for extended retrieval. https://www.manageengine.com/data-security/file-audit/file-server-auditing.html
    Monday, May 13, 2019 9:06 PM
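  • # Windows PowerShell 5.1: GetAccessControl() is an instance method on FileInfo there.
    # On PowerShell 7 use (Get-Acl $_.FullName).Owner instead.
    Get-ChildItem -Path c:\DB\Users -Recurse -File |
        Select-Object name, LastAccessTime,
                      @{ n = 'size'; e = { $_.length/1kb } },
                      @{ n = 'owner'; e = { $_.GetAccessControl().Owner } }

    # Same output, with the property list held in a variable.
    $props = @(
        'name',
        'LastAccessTime',
        @{ n = 'size';  e = { $_.length/1kb } },
        @{ n = 'owner'; e = { $_.GetAccessControl().Owner } }
    )
    Get-ChildItem -Path c:\DB\Users -Recurse -File | Select-Object $props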



    \_(ツ)_/


    • Edited by jrv Monday, May 13, 2019 9:10 PM
    • Marked as answer by Stephen McLaughlin Thursday, May 16, 2019 7:14 PM
    Monday, May 13, 2019 9:07 PM
  • Last access isn't stored in the file table. The only way to get that information is by configuring File Object Auditing and regularly scanning that. https://www.lepide.com/how-to/track-who-read-files-on-your-windows-file-servers.html covers the file auditing setup process. You would then need to examine the event logs for success events on read attempts to view who used the file and when. get-eventlog would be the cmdlet you would use, but understand that the audit logs can get filled up fast, so it's important to have your script regularly scanning logs for this information. Or you can use Manage Engine's DataSecurity+ tool for automating much of this work and storing it for extended retrieval. https://www.manageengine.com/data-security/file-audit/file-server-auditing.html

    You will need to use Get-WinEvent and use an XPath or XML query to extract the required information.

    The key to auditing is to only audit files that you really must know about.  Auditing a few files or a small folder is not a load.

    To audit large numbers of files we would use a subscription to capture the records and a task that archives the subscription folder as often as necessary.

    Yes.  Third party tools can simplify this and add many more useful tools that do not require scripting or any deep technical knowledge.  They also provide excellent security alerts, auditing of system events and changes and a good selection of reports.


    \_(ツ)_/

    Monday, May 13, 2019 9:15 PM
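
The Get-WinEvent/XPath approach described in the reply above, as an added example that is not part of the original thread. It assumes file system auditing and a SACL are already configured on the folder so that reads are logged as Security event 4663; the event ID and field names come from Windows security auditing rather than from the thread, and `ConvertFrom-FileReadEvent` and the sample account are hypothetical names.

```powershell
# Added example. Assumes "Audit File System" success auditing and a SACL on $Root
# are already in place, so the Security log contains event 4663 for file reads.
$Root = 'C:\DB\Users'   # folder from the question

# Event Log XPath: 4663 on File objects in the last 24 h (timediff is in milliseconds).
# The XPath subset has no starts-with(), so the path and access mask are checked below.
$XPath = "*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[Data[@Name='ObjectType']='File']]"

function ConvertFrom-FileReadEvent {
    # Returns one object per read of a file under $Root; emits nothing otherwise.
    param([Parameter(Mandatory)][xml]$EventXml, [Parameter(Mandatory)][string]$Root)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    if (($mask -band 0x1) -eq 0) { return }     # 0x1 = ReadData
    $prefix = $Root.TrimEnd('\') + '\'
    if (-not "$($data['ObjectName'])".StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return }
    [pscustomobject]@{
        TimeUtc = $EventXml.Event.System.TimeCreated.SystemTime   # ISO 8601 string, sorts correctly
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        File    = $data['ObjectName']
        Process = $data['ProcessName']
    }
}

# Constructed sample event (trimmed to the fields used) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2019-05-14T13:00:00.0000000Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectType">File</Data><Data Name="ObjectName">C:\DB\Users\report.xlsx</Data>
    <Data Name="AccessMask">0x1</Data><Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-FileReadEvent -EventXml $sample -Root $Root

# Live use from an elevated prompt: most recent read per file.
# Get-WinEvent reports "no matching events" as an error, hence SilentlyContinue.
Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-FileReadEvent -EventXml $_.ToXml() -Root $Root } |
    Group-Object File |
    ForEach-Object { $_.Group | Sort-Object TimeUtc -Descending | Select-Object -First 1 }
```

Joining this output to the Get-ChildItem report on the file path gives the "last access by user" column the question asks for, limited to the period the Security log still retains.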

All replies

  • Thanks
    Tuesday, May 14, 2019 1:03 PM
  • Thanks, I will look into this.
    Tuesday, May 14, 2019 1:03 PM
  • Awesome!!!  Thanks for script update.  
    Tuesday, May 14, 2019 1:05 PM
  • Excellent explanation, thank you.  
    Tuesday, May 14, 2019 1:05 PM
  • Please mark the answer that helped and not your own response.


    \_(ツ)_/

    Tuesday, May 14, 2019 2:35 PM
  • Done

    Thursday, May 16, 2019 7:14 PM