Sedgwick_County asked:

PowerShell Script to get Last Logon of User

I recently found a PowerShell script that I'm wanting to use to get a list of the most current computers a user is logged into.  The script looks at a domain controller's security logs for this information.  Is there a way to tweak this script so it looks at multiple domain controllers rather than just one?

Here's the script:
function Get-UserComputerName {
    <#
.SYNOPSIS
   Searches a specified Domain Controller for the computername of a logged on user.
.DESCRIPTION
   Queries a DC for Event ID 4768 (Kerberos authentication ticket, TGT) requests from the server's Security
   event log.
.PARAMETER UserName
   SamAccount name of the user to search for
.PARAMETER Server
   Domain Controller to query; defaults to the logon server of the current user
.EXAMPLE
   PS> .\Get-UserComputerName -UserName "John_Doe" -Server "My_DC"
   Searches for user John_Doe on Domain Controller My_DC
.EXAMPLE
    PS> .\Get-UserComputerName -Username "John_Doe"
    Searches for user John_Doe using the logged on server name for the current user
    running the script.
.EXAMPLE
    PS> .\Get-UserComputerName
    Searches the current user on the logged on server name
#>

    param([string]$username = $env:username,[string]$server = $env:logonserver)
    $ErrorActionPreference = "silentlycontinue"
    # $env:logonserver has the form \\NAME; strip the leading backslashes whatever the server is called.
    if ($server.StartsWith("\\")) {$server = $server.Remove(0,2)}

    $events = Get-WinEvent -ComputerName $server -MaxEvents 5 -FilterHashTable @{logname="security";id=4768;data=$username}
    # Check if error has been raised from EventLog Query.
    if (!$?) {Write-Warning "No successful logon events were found on Server: $server for Username: $username"
        # 'return' leaves the function; 'break' here would also end a loop or script in the caller.
        return
    }

    # $event is an automatic variable in PowerShell, so the loop variable is named $evt.
    foreach ($evt in $events) {
        $myObject = New-Object -TypeName system.Object
        # Pull the "Client Address" line out of the message text (this relies on the English message format).
        [string]$Computer = $evt.message.split("`n") | Select-String "Client Address"
        $addressLine = $computer.replace("Client Address:",'')
        $addressLine = $addressLine.trim()
        # Strip the IPv4-mapped IPv6 prefix when present; any other address is used as it is,
        # so $address is always set from the current event.
        $address = $addressLine.replace("::ffff:",'')
        $DNSResult = [system.Net.Dns]::Resolve($address)
        $ComputerName = $DNSResult.HostName
        $timeStamp = $evt.timecreated

        $myObject | Add-Member -MemberType noteproperty -Name AuthDC -Value $server
        $myObject | Add-Member -MemberType noteproperty -Name TimeStamp -Value $timeStamp
        $myObject | Add-Member -MemberType noteproperty -Name UserName -Value $username
        $myObject | Add-Member -MemberType noteproperty -Name IPAddress -Value $address
        $myObject | Add-Member -MemberType noteproperty -Name ComputerName -Value $computerName
        $myObject
    }
}

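An added example, not part of the original post or of the members-only answer: one way to run the same Event ID 4768 search against every domain controller and merge the results by time. It assumes the ActiveDirectory module (`Get-ADDomainController`) is installed and that the caller can read each DC's Security log; the function name `Get-UserLogonFromAllDCs` and its parameters are hypothetical.

```powershell
# Added example (not from the original post). Function and parameter names are hypothetical.
# Assumes the ActiveDirectory module and read access to the Security log on each DC.
function Get-UserLogonFromAllDCs {
    param(
        [string]$UserName = $env:USERNAME,
        # Default: every DC in the current domain. Pass names explicitly to narrow the search.
        [string[]]$Server = (Get-ADDomainController -Filter *).HostName,
        [int]$MaxEventsPerDC = 5
    )
    $results = foreach ($dc in $Server) {
        $query = @{
            ComputerName = $dc; MaxEvents = $MaxEventsPerDC; ErrorAction = 'Stop'
            FilterHashtable = @{ LogName = 'Security'; Id = 4768; Data = $UserName }
        }
        try { $events = Get-WinEvent @query }
        catch {
            # An unreachable DC, or one with no matching events, must not end the whole search.
            Write-Warning "Skipping ${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($evt in $events) {
            # Read the named EventData fields from the event XML rather than splitting
            # the localized message text.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Failed TGT requests are logged as 4768 too; keep successful ones only.
            if ($data['Status'] -ne '0x0') { continue }
            # Strip the IPv4-mapped IPv6 prefix when present.
            $address = "$($data['IpAddress'])".Replace('::ffff:', '')
            # Reverse DNS reflects today's records, not necessarily the host that held the
            # address when the ticket was issued (DHCP churn); treat the name as a hint.
            $computerName = $null
            if ($address -and $address -ne '::1') {
                try { $computerName = [System.Net.Dns]::GetHostEntry($address).HostName } catch { }
            }
            [pscustomobject]@{
                AuthDC       = $dc
                TimeStamp    = $evt.TimeCreated
                UserName     = $data['TargetUserName']
                IPAddress    = $address
                ComputerName = $computerName
            }
        }
    }
    # Each DC only logs the tickets it issued, so merge all of them and sort newest first.
    $results | Sort-Object TimeStamp -Descending
}
```

Calling `Get-UserLogonFromAllDCs -UserName "John_Doe"` returns up to `MaxEventsPerDC` rows per domain controller; an address of `::1` means the ticket was requested on the DC itself.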

ASKER CERTIFIED SOLUTION
SubSun
This solution is only available to members.