Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Powershell: Export the last x computers a user logged into

Posted on 2013-01-25
4
Medium Priority
?
950 Views
Last Modified: 2013-01-25
If possible, can someone please provide a Powershell script that will show the last x computers a specified user (or a list of users from a txt file) has logged into; then export to csv?

We are running our Domain controllers on Server 2003 and please no 3rd party cmdlets if possible.

Thanks,

A.
0
Comment
Question by:Angeal
  • 2
  • 2
4 Comments
 
LVL 12

Accepted Solution

by:
Dave earned 2000 total points
ID: 38819409
I am note sure this is the right way to attack this problem. As there is no history in Active Directory you are going to have to trawl the event logs on the domain controllers. As the computer name is only stored in the event body you will need do lots of searching.

Also by default logon failures are recorded so you will need to change the policy to audit logon successfull events.  If a user hasn't logged onto 5 computers you will end up trawling the logs on all servers.

You might want to consider setting up a logon script that saves this info in a flat file on a share thats publically accessible. So if the logon file contains something like :-

Echo %computername%,%date%,%time%  >>\\server\logons\%username%.csv

then you will get a file for each user with a line for each logon.
0
 

Author Comment

by:Angeal
ID: 38819575
That's a great idea. Thanks g4ugm!
0
 
LVL 12

Expert Comment

by:Dave
ID: 38819784
By the way if you have 2003 servers and want to scan for logon events this kind of does the trick but may need some tweaking. Replace the "dcs" with the dcs you want to scan and put the user id in further down. It will stop scanning after it finds five events on each DC, but will run for a long time if it doesn't. You could add -before and -after arguments to scan a subset of the event logs. The split code may also need some tweaking

$DCs = @("DC1","DC2","DC3")
$now = Get-Date
$userid = "userid"
Write-Host "Scan Started $now"

foreach ($dc in $DCs) {
    $count = 5
    Write-Host "Polling $dc"
    $time = "{0:yyyy-MM-dd_HH.mm.ss}" -f (get-date)
    Get-EventLog -ComputerName $dc -LogName "Security" -Instanceid 680 -message ("*" + $Userid + "*") |
        Foreach-object {
                    $lines=$_.message.split(":")
                    $line = $lines[3].split()
                    $_.Timegenerated , $line[6]
                    $count = $count - 1
                    if ( $count -lt 1 ) {break}
                             
    }
# Export-CSV -NoTypeInformation -Path "EventLogSearch_$dc_$time.csv"
$now = Get-Date
Write-Host "$dc scan finished $now"
}

Write-Host "Whole Scan finished $now"
0
 

Author Comment

by:Angeal
ID: 38819791
Awesome. Thanks for your time G4ugm. I will try it out.

A.
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question