PowerShell Script to fetch Logon/Logoff user on particular server {Get-WinEvent} {Get-EventLog}

  • Question

  • Hello,

    I'm looking for a script which can fetch for me a username that he/she logs in on all the servers.

    I have tried several scripts, but they don't fetch the information I'm looking for.

    Get-EventLog Security -ComputerName Computer  -Source Microsoft-Windows-Security-Auditing | Where {$_.InstanceID -like "4624"} | Select $UserProperty | where {$_.Username -Like "username"} | Export-Csv D:\Logon.csv -NoTypeInformation

    Or to loop through a file that contains the server names and fetch the required details based on the username.

    Any help



    • Edited by hms_24 Sunday, June 1, 2014 8:33 AM
    Sunday, June 1, 2014 8:29 AM

Answers

  • Hi Hms,

    To trace logon/off history of a user account, please also check this script, which can also query the remote computer to get the user's logon/off history:

    function get-logonhistory{
    Param (
     # Prompt for the computer name when -Computer is not supplied
     [string]$Computer = (Read-Host "Remote computer name"),
     [int]$Days = 10
     )
     cls
     $Result = @()
     Write-Host "Gathering Event Logs, this can take awhile..."
     # Winlogon records logon (7001) and logoff (7002) notifications in the System log
     $ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-$Days) -ComputerName $Computer
     If ($ELogs)
     { Write-Host "Processing..."
     ForEach ($Log in $ELogs)
     { If ($Log.InstanceId -eq 7001)
       { $ET = "Logon"
       }
       ElseIf ($Log.InstanceId -eq 7002)
       { $ET = "Logoff"
       }
       Else
       { Continue
       }
       $Result += New-Object PSObject -Property @{
        Time = $Log.TimeWritten
        'Event Type' = $ET
        # ReplacementStrings[1] holds the user's SID; translate it to DOMAIN\user
        User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
       }
     }
     $Result | Select Time,"Event Type",User | Sort Time -Descending | Out-GridView
     Write-Host "Done."
     }
     Else
     { Write-Host "Problem with $Computer."
     Write-Host "If you see a 'Network Path not found' error, try starting the Remote Registry service on that computer."
     Write-Host "Or there are no logon/logoff events (XP requires auditing be turned on)"
     }
    }
    
    
    # -Days takes an integer time span, e.g. 30
    get-logonhistory -Computer "computername" -Days 30

    Reference from:

    How to see logon/logoff activity of a domain user?

    I hope this helps.

    Thursday, June 5, 2014 6:13 AM
    Moderator

All replies

  • Whatever value is stored in the variable named "$userproperty", that will filter the output of the get-eventlog cmdlet to include only the indicated property or properties. The where {$_.username...} will filter out all records because that field is empty in those particular records - i.e. it does not refer to the username about whom the log record provides information.

    If you want that info you will need to refer to the replacementstrings property (an array). Try this out:

    Get-EventLog security -source microsoft-windows-security-auditing  |
        where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'username')} | 
        select * | ogv
    
    

    The "select *" will show you all of the available properties, some of which may be of use to you.


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    Sunday, June 1, 2014 6:44 PM
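
Added example, not part of any post in this thread: one way to combine the pieces discussed above, reading 4624 events with Get-WinEvent from every server in a list, matching the target user by field name instead of by ReplacementStrings index, and exporting the source address to CSV. The function name, the server list path and the output path are assumptions.

```powershell
# Added example, not code from the thread. The function name, file paths and
# the user name are placeholders (assumptions).
function Get-UserLogonEvent {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [int]$Days = 10
    )
    # Log name, event ID and start time are filtered on the remote side, so
    # only 4624 (successful logon) records cross the network.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Covers unreachable hosts, access denied, and "no events found".
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($evt in $events) {
            # Read the EventData fields by name rather than by array position.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetUserName'] -ne $UserName) { continue }

            [pscustomobject]@{
                Computer    = $computer
                Time        = $evt.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = $data['LogonType']
                Source      = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        }
    }
}

# One server name per line in the list file (placeholder path).
$servers = Get-Content 'C:\Temp\servers.txt'
Get-UserLogonEvent -ComputerName $servers -UserName 'username' -Days 10 |
    Sort-Object Time -Descending |
    Export-Csv 'D:\Logon.csv' -NoTypeInformation
```

The LogonType column separates interactive (2) and RemoteInteractive (10) sessions from network logons (3), which usually make up most 4624 records on a server.
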
  • Hi AnnaWY,

    The script looks good, but I need to add more columns like network address as I mentioned below and export to a CSV file. Could you please help me with this?

    

    Thanks

    SVB


    • Edited by VBRS Friday, January 11, 2019 12:56 AM
    Friday, January 11, 2019 12:55 AM
  • Please do not add additional questions to other people's threads. Create a new thread for your question and place a link to this one if needed.


    Live long and prosper!

    (79,108,97,102|%{[char]$_})-join''

    Friday, January 11, 2019 1:07 AM
  • Hello,

    I need PowerShell scripting help to fetch data just like above, like username, logon date, network IP (where the request is coming from).

    Could you please help me with this script?

    thanks in advance.

    VBRS

    Monday, January 14, 2019 11:47 PM
  • Please do not add additional questions to other people's threads. Create a new thread for your question and place a link to this one if needed.

    Live long and prosper!

    (79,108,97,102|%{[char]$_})-join''

    Tuesday, January 15, 2019 12:02 AM