Solved

Powershell: Export the last x computers a user logged into

Posted on 2013-01-25
4
943 Views
Last Modified: 2013-01-25
If possible, can someone please provide a Powershell script that will show the last x computers a specified user (or a list of users from a txt file) has logged into; then export to csv?

We are running our Domain controllers on Server 2003 and please no 3rd party cmdlets if possible.

Thanks,

A.
0
Comment
Question by:Angeal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 12

Accepted Solution

by:
Dave earned 500 total points
ID: 38819409
I am note sure this is the right way to attack this problem. As there is no history in Active Directory you are going to have to trawl the event logs on the domain controllers. As the computer name is only stored in the event body you will need do lots of searching.

Also by default logon failures are recorded so you will need to change the policy to audit logon successfull events.  If a user hasn't logged onto 5 computers you will end up trawling the logs on all servers.

You might want to consider setting up a logon script that saves this info in a flat file on a share thats publically accessible. So if the logon file contains something like :-

Echo %computername%,%date%,%time%  >>\\server\logons\%username%.csv

then you will get a file for each user with a line for each logon.
0
 

Author Comment

by:Angeal
ID: 38819575
That's a great idea. Thanks g4ugm!
0
 
LVL 12

Expert Comment

by:Dave
ID: 38819784
By the way if you have 2003 servers and want to scan for logon events this kind of does the trick but may need some tweaking. Replace the "dcs" with the dcs you want to scan and put the user id in further down. It will stop scanning after it finds five events on each DC, but will run for a long time if it doesn't. You could add -before and -after arguments to scan a subset of the event logs. The split code may also need some tweaking

$DCs = @("DC1","DC2","DC3")
$now = Get-Date
$userid = "userid"
Write-Host "Scan Started $now"

foreach ($dc in $DCs) {
    $count = 5
    Write-Host "Polling $dc"
    $time = "{0:yyyy-MM-dd_HH.mm.ss}" -f (get-date)
    Get-EventLog -ComputerName $dc -LogName "Security" -Instanceid 680 -message ("*" + $Userid + "*") |
        Foreach-object {
                    $lines=$_.message.split(":")
                    $line = $lines[3].split()
                    $_.Timegenerated , $line[6]
                    $count = $count - 1
                    if ( $count -lt 1 ) {break}
                             
    }
# Export-CSV -NoTypeInformation -Path "EventLogSearch_$dc_$time.csv"
$now = Get-Date
Write-Host "$dc scan finished $now"
}

Write-Host "Whole Scan finished $now"
0
 

Author Comment

by:Angeal
ID: 38819791
Awesome. Thanks for your time G4ugm. I will try it out.

A.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question