Sedgwick_County
asked on
PowerShell Script to get Last Logon of User
I recently found a PowerShell script that I'm wanting to use to get a list of the most current computers a user is logged into. The script looks at a domain controller's security logs for this information. Is there a way to tweak this script so it looks at multiple domain controllers rather than just one?
Here's the script:
function Get-UserComputerName {
<#
.SYNOPSIS
Searches a specified Domain Controller for the computer name of a logged-on user.
.DESCRIPTION
Queries a DC for Event ID 4768 (Kerberos authentication ticket, TGT) requests from the server's Security
event log.
.PARAMETER UserName
SamAccount name of the user to search for
.PARAMETER Server
Domain Controller to query; defaults to the logon server of the current user
.EXAMPLE
PS> Get-UserComputerName -UserName "John_Doe" -Server "My_DC"
Searches for user John_Doe on Domain Controller My_DC
.EXAMPLE
PS> Get-UserComputerName -Username "John_Doe"
Searches for user John_Doe using the logged on server name for the current user
running the script.
.EXAMPLE
PS> Get-UserComputerName
Searches the current user on the logged on server name
#>
    param([string]$username = $env:username, [string]$server = $env:logonserver)
    $ErrorActionPreference = "SilentlyContinue"
    # $env:LOGONSERVER has the form \\NAME; strip the two leading backslashes
    if ($server.StartsWith("\\")) { $server = $server.Remove(0,2) }
    $events = Get-WinEvent -ComputerName $server -MaxEvents 5 -FilterHashtable @{logname="security";id=4768;data=$username}
    # Check if error has been raised from EventLog Query.
    if (!$?) {
        Write-Warning "No successful logon events were found on Server: $server for Username: $username"
        return   # 'break' outside a loop would also end a loop in the calling script
    }
    foreach ($evt in $events) {   # $event is an automatic variable, so a different name is used
        [string]$computer = $evt.Message.Split("`n") | Select-String "Client Address"
        $address = $computer.Replace("Client Address:",'').Trim()
        # Strip the IPv4-mapped IPv6 prefix when present; other addresses are used as they are
        if ($address.StartsWith("::ffff:")) { $address = $address.Replace("::ffff:",'') }
        # Reverse lookup; ComputerName stays empty when the address does not resolve
        try { $computerName = [System.Net.Dns]::GetHostEntry($address).HostName } catch { $computerName = $null }
        # Emit one object per event with the same properties as before
        [pscustomobject]@{
            AuthDC       = $server
            TimeStamp    = $evt.TimeCreated
            UserName     = $username
            IPAddress    = $address
            ComputerName = $computerName
        }
    }
}
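
One way to do what the question asks, as an added example that is not part of the original post or of the members-only answer: event 4768 is written only on the domain controller that issued the ticket, so the query is repeated against each DC and the results are merged by time. The function name `Get-UserLogonAcrossDCs` and the `-Newest` parameter are hypothetical; the default server list assumes a domain-joined host and an account allowed to read the Security log on each DC.

```powershell
# Added example: run the 4768 lookup against several domain controllers and merge the results.
function Get-UserLogonAcrossDCs {   # hypothetical name
    param(
        [string]$UserName = $env:USERNAME,
        # Default: every DC of the current domain, enumerated through .NET (assumes a domain-joined host)
        [string[]]$Server = @([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
                              ForEach-Object { $_.Name }),
        [int]$Newest = 5
    )

    $filter = @{ LogName = 'Security'; Id = 4768; Data = $UserName }

    $results = foreach ($dc in $Server) {
        try {
            $events = Get-WinEvent -ComputerName $dc -MaxEvents $Newest -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Unreachable DC, access denied, or no matching events: report it and go on to the next DC
            Write-Warning "No 4768 events retrieved from ${dc} for ${UserName}: $($_.Exception.Message)"
            continue
        }

        foreach ($evt in $events) {
            # Read the client address from the event XML instead of the localized message text
            $data = ([xml]$evt.ToXml()).Event.EventData.Data
            $ip   = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            if ($ip) { $ip = $ip -replace '^::ffff:', '' }   # strip the IPv4-mapped IPv6 prefix

            $name = $null
            if ($ip) {
                try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $name = $null }
            }

            [pscustomobject]@{
                AuthDC       = $dc
                TimeStamp    = $evt.TimeCreated
                UserName     = $UserName
                IPAddress    = $ip
                ComputerName = $name
            }
        }
    }

    # Merge the per-DC results and keep only the most recent entries overall
    $results | Sort-Object TimeStamp -Descending | Select-Object -First $Newest
}
```

Pass `-Server DC01,DC02` to limit the search to named controllers instead of the whole domain.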