none
looking for last login user on a remote computer RRS feed

  • Question

  • how do I find the last logon user whether its remotely or interactly on a remote server?

    Get-WinEvent -Computer xxxx -FilterHashtable @{Logname='Security';ID=4624} -MaxEvents 1000  | select @{N='Username'; E={$_.Properties[5].Value}}, @{N='LogonType'; E={$_.Properties[8].Value}}, timecreated

    Should it be ID 4624 or something else? 


    • Edited by JonDoe321 Thursday, June 13, 2019 8:55 PM
    Thursday, June 13, 2019 8:54 PM

All replies

  • Return only 1 event.  It will be the last event that matches the filter.  You will have to use an XML query to specify the logon type.

    Search for blog articles with examples of how to do this.


    \_(ツ)_/

    Thursday, June 13, 2019 9:01 PM
  • is there something wrong with the above query? It outputs the info but not sure if they is a better one
    Friday, June 14, 2019 2:02 PM
  • If what you posted is what you want then what is the question?

    \_(ツ)_/

    Friday, June 14, 2019 2:05 PM
  • getting this error on a win2008 machine

    Get-WinEvent -ComputerName xxx -FilterHashtable @{logname='security';id=4740}

    Get-WinEvent : The parameter is incorrect
    At line:1 char:13
    + Get-WinEvent <<<<  -ComputerName xxx -FilterHashtable @{logname='security';id=4740}
        + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
        + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

    Tuesday, July 2, 2019 12:50 PM
  • For this to work the computer queried must have the current version of the Net Framework installed.

    \_(ツ)_/

    Tuesday, July 2, 2019 12:55 PM