Solved

Powershell: Export the last x computers a user logged into

Posted on 2013-01-25
4
936 Views
Last Modified: 2013-01-25
If possible, can someone please provide a Powershell script that will show the last x computers a specified user (or a list of users from a txt file) has logged into; then export to csv?

We are running our Domain controllers on Server 2003 and please no 3rd party cmdlets if possible.

Thanks,

A.
0
Comment
Question by:Angeal
  • 2
  • 2
4 Comments
 
LVL 12

Accepted Solution

by:
Dave earned 500 total points
ID: 38819409
I am note sure this is the right way to attack this problem. As there is no history in Active Directory you are going to have to trawl the event logs on the domain controllers. As the computer name is only stored in the event body you will need do lots of searching.

Also by default logon failures are recorded so you will need to change the policy to audit logon successfull events.  If a user hasn't logged onto 5 computers you will end up trawling the logs on all servers.

You might want to consider setting up a logon script that saves this info in a flat file on a share thats publically accessible. So if the logon file contains something like :-

Echo %computername%,%date%,%time%  >>\\server\logons\%username%.csv

then you will get a file for each user with a line for each logon.
0
 

Author Comment

by:Angeal
ID: 38819575
That's a great idea. Thanks g4ugm!
0
 
LVL 12

Expert Comment

by:Dave
ID: 38819784
By the way if you have 2003 servers and want to scan for logon events this kind of does the trick but may need some tweaking. Replace the "dcs" with the dcs you want to scan and put the user id in further down. It will stop scanning after it finds five events on each DC, but will run for a long time if it doesn't. You could add -before and -after arguments to scan a subset of the event logs. The split code may also need some tweaking

$DCs = @("DC1","DC2","DC3")
$now = Get-Date
$userid = "userid"
Write-Host "Scan Started $now"

foreach ($dc in $DCs) {
    $count = 5
    Write-Host "Polling $dc"
    $time = "{0:yyyy-MM-dd_HH.mm.ss}" -f (get-date)
    Get-EventLog -ComputerName $dc -LogName "Security" -Instanceid 680 -message ("*" + $Userid + "*") |
        Foreach-object {
                    $lines=$_.message.split(":")
                    $line = $lines[3].split()
                    $_.Timegenerated , $line[6]
                    $count = $count - 1
                    if ( $count -lt 1 ) {break}
                             
    }
# Export-CSV -NoTypeInformation -Path "EventLogSearch_$dc_$time.csv"
$now = Get-Date
Write-Host "$dc scan finished $now"
}

Write-Host "Whole Scan finished $now"
0
 

Author Comment

by:Angeal
ID: 38819791
Awesome. Thanks for your time G4ugm. I will try it out.

A.
0

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now