Solved

Powershell: Export the last x computers a user logged into

Posted on 2013-01-25
4
942 Views
Last Modified: 2013-01-25
If possible, can someone please provide a Powershell script that will show the last x computers a specified user (or a list of users from a txt file) has logged into; then export to csv?

We are running our Domain controllers on Server 2003 and please no 3rd party cmdlets if possible.

Thanks,

A.
0
Comment
Question by:Angeal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 12

Accepted Solution

by:
Dave earned 500 total points
ID: 38819409
I am note sure this is the right way to attack this problem. As there is no history in Active Directory you are going to have to trawl the event logs on the domain controllers. As the computer name is only stored in the event body you will need do lots of searching.

Also by default logon failures are recorded so you will need to change the policy to audit logon successfull events.  If a user hasn't logged onto 5 computers you will end up trawling the logs on all servers.

You might want to consider setting up a logon script that saves this info in a flat file on a share thats publically accessible. So if the logon file contains something like :-

Echo %computername%,%date%,%time%  >>\\server\logons\%username%.csv

then you will get a file for each user with a line for each logon.
0
 

Author Comment

by:Angeal
ID: 38819575
That's a great idea. Thanks g4ugm!
0
 
LVL 12

Expert Comment

by:Dave
ID: 38819784
By the way if you have 2003 servers and want to scan for logon events this kind of does the trick but may need some tweaking. Replace the "dcs" with the dcs you want to scan and put the user id in further down. It will stop scanning after it finds five events on each DC, but will run for a long time if it doesn't. You could add -before and -after arguments to scan a subset of the event logs. The split code may also need some tweaking

$DCs = @("DC1","DC2","DC3")
$now = Get-Date
$userid = "userid"
Write-Host "Scan Started $now"

foreach ($dc in $DCs) {
    $count = 5
    Write-Host "Polling $dc"
    $time = "{0:yyyy-MM-dd_HH.mm.ss}" -f (get-date)
    Get-EventLog -ComputerName $dc -LogName "Security" -Instanceid 680 -message ("*" + $Userid + "*") |
        Foreach-object {
                    $lines=$_.message.split(":")
                    $line = $lines[3].split()
                    $_.Timegenerated , $line[6]
                    $count = $count - 1
                    if ( $count -lt 1 ) {break}
                             
    }
# Export-CSV -NoTypeInformation -Path "EventLogSearch_$dc_$time.csv"
$now = Get-Date
Write-Host "$dc scan finished $now"
}

Write-Host "Whole Scan finished $now"
0
 

Author Comment

by:Angeal
ID: 38819791
Awesome. Thanks for your time G4ugm. I will try it out.

A.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question