locked
Last logon details of computers RRS feed

  • Question

  • Hello Guys,

    Require your help here. 

    I want anyone who has logged in that machine (hostname) in the last one month, should be shown with his user name and timestamp. If same user has logged in multiple times in that month, then latest logged in timestamp is needed. If different users have logged in then all those names with their latest logged in timestamp is needed. 

    Through below script, I can able to fetch data but it is not as expected.  

    Import-Csv C:\comps1.csv | %{Get-WinEvent -FilterHa
    shtable @{logname='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id=21; StartTime="1/2/18"} | select TimeCreated, machinename, message | Format-Table -wrap }





    Thanks, Chinmay.

    Monday, February 12, 2018 3:54 PM

Answers

  • I got required output through below command. 

    Import-Csv .\comps1.csv | % -Process { $ComputerName = $_.ComputerName

    Get-ULogged -After 01/02/2018 -Before 02/15/2018 -ComputerName $ComputerName | select User, LoggedInAt, @{L="Computer";E={$ComputerName}}}>>test.csv


    Thanks, Chinmay.

    Sunday, March 4, 2018 6:29 AM

All replies

  • If you enable logging of logon events, you can query the system logs. But the logs may not retain 30 days of events. Another option is a logon script, perhaps configured in Group Policy, that appends a line to a shared log file at each logon. The script would output user name, computer name, date and time. It could be as simple as a batch file. For example:

    @echo off
    echo %date% %time%,%UserName%,%ComputerName% >> \\MyServer\MyShare\LogUsers.log
    

    The resulting log file is comma delimited, so it can be read into Excel for filtering.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, February 12, 2018 4:44 PM
  • Is this the kind of output you're after?

    I've adapted this from a snippet to retrieve the log on and off history from a workstation for the last XX days.

    $Results = @()
    $Logs = Get-EventLog System -Source Microsoft-Windows-WinLogon -InstanceId 7001 
    Foreach($log in $Logs) 
    {
        $Results += New-Object PSObject -Property @{
            'Time' = $Log.TimeWritten
            'Workstation' = $log.MachineName
            'Event Type' = 'Logon'
            'User' = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
        } # End result Object
    } # End If
    $Results | Sort-Object -Property User -Unique | Sort Time -Descending | Format-Table








    • Edited by -Jacob- Monday, February 12, 2018 7:29 PM Updated as it was only returning one result rather than one result per user.
    Monday, February 12, 2018 6:59 PM
  • I got required output through below command. 

    Import-Csv .\comps1.csv | % -Process { $ComputerName = $_.ComputerName

    Get-ULogged -After 01/02/2018 -Before 02/15/2018 -ComputerName $ComputerName | select User, LoggedInAt, @{L="Computer";E={$ComputerName}}}>>test.csv


    Thanks, Chinmay.

    Sunday, March 4, 2018 6:29 AM