  • Status: Solved

PowerShell Script to get Last Logon of User

I recently found a PowerShell script that I'm wanting to use to get a list of the most current computers a user is logged into.  The script looks at a domain controller's security logs for this information.  Is there a way to tweak this script so it looks at multiple domain controllers rather than just one?

Here's the script:
function Get-UserComputerName { 
    <# 
.SYNOPSIS 
   Searches a specified Domain Controller for the computername of a logged on user.   
.DESCRIPTION 
   Queries a DC for Event ID 4768 (Kerberos authentication ticket,TGT) request from the servers Security 
   event log. 
.PARAMETER UserName 
   SamAccount name of the user to search for 
.EXAMPLE 
   PS> .\Get-UserComputerName -UserName "John_Doe" -Server "My_DC" 
   Searches for user John_Doe on Domain Controller My_DC 
.EXAMPLE 
    PS> .\Get-UserComputerName -Username "John_Doe" 
    Searches for user John_Doe using the logged on server name for the current user 
    running the script.  
.EXAMPLE  
    PS> .\Get-UserComputerName  
    Searches the current user on the logged on server name 
#> 
 
    param([string]$username = $env:username,[string]$server = $env:logonserver) 
    $ErrorActionPreference = "silentlycontinue" 
    # $env:logonserver is in \\NAME form; strip the leading backslashes whatever the DC is called.
    if ($server.StartsWith("\\")) {$server = $server.Remove(0,2)} 
 
    $events = Get-WinEvent -ComputerName $server -MaxEvents 5 -FilterHashTable @{logname="security";id=4768;data=$username} 
    # Check if error has been raised from EventLog Query. 
    if (!$?) {Write-Warning "No successful logon events were found on Server: $server for Username: $username"  
        return   # exit only this function; 'break' outside a loop can also stop the calling script
    } 
 
    foreach ($event in $events) { 
        $myObject = New-Object -TypeName system.Object 
        [string]$Computer = $event.message.split("`n") | Select-String "Client Address" 
        $addressLine = $computer.replace("Client Address:",'') 
        $addressLine = $addressLine.trim() 
        # Strip the IPv4-mapped IPv6 prefix when present; other addresses pass through unchanged.
        $address = $addressLine.replace("::ffff:",'') 
        $DNSResult = [system.Net.Dns]::Resolve($address) 
        $ComputerName = $DNSResult.HostName 
        $timeStamp = $event.timecreated 
 
        $myObject | Add-Member -MemberType noteproperty -Name AuthDC -Value $server 
        $myObject | Add-Member -MemberType noteproperty -Name TimeStamp -Value $timeStamp 
        $myObject | Add-Member -MemberType noteproperty -Name UserName -Value $username 
        $myObject | Add-Member -MemberType noteproperty -Name IPAddress -Value $address 
        $myObject | Add-Member -MemberType noteproperty -Name ComputerName -Value $computerName 
        $myObject 
    } 
}

Asked: Sedgwick_County
1 Solution
 
Subsun Commented:
I presume the code which you posted works for you on a single DC. If yes, here is the modified version of your code.
function Get-UserComputerName { 
    <# 
.SYNOPSIS 
   Searches a specified Domain Controller for the computername of a logged on user.   
.DESCRIPTION 
   Queries a DC for Event ID 4768 (Kerberos authentication ticket,TGT) request from the servers Security 
   event log. 
.PARAMETER UserName 
   SamAccount name of the user to search for 
.EXAMPLE 
   PS> .\Get-UserComputerName -UserName "John_Doe" -Server "My_DC" 
   Searches for user John_Doe on Domain Controller My_DC 
.EXAMPLE 
    PS> .\Get-UserComputerName -Username "John_Doe" 
    Searches for user John_Doe using the logged on server name for the current user 
    running the script.  
.EXAMPLE  
    PS> .\Get-UserComputerName  
    Searches the current user on the logged on server name 
#> 
 
    param([string]$username = $env:username,[string[]]$server = $env:logonserver) 
    $ErrorActionPreference = "silentlycontinue"
    # Query each domain controller in turn; $dc holds the current one so the
    # [string[]] $server parameter is not overwritten inside the loop.
    foreach ($dc in $server) {
        # $env:logonserver is in \\NAME form; strip the leading backslashes.
        if ($dc.StartsWith("\\")) {$dc = $dc.Remove(0,2)} 

        $events = Get-WinEvent -ComputerName $dc -MaxEvents 5 -FilterHashTable @{logname="security";id=4768;data=$username} 
        # Check if error has been raised from EventLog Query. 
        if (!$?) {Write-Warning "No successful logon events were found on Server: $dc for Username: $username"  
        }Else{ 

            foreach ($event in $events) { 
                $myObject = New-Object -TypeName system.Object 
                [string]$Computer = $event.message.split("`n") | Select-String "Client Address" 
                $addressLine = $computer.replace("Client Address:",'') 
                $addressLine = $addressLine.trim() 
                # Strip the IPv4-mapped IPv6 prefix when present; other addresses pass through unchanged.
                $address = $addressLine.replace("::ffff:",'') 
                $DNSResult = [system.Net.Dns]::Resolve($address) 
                $ComputerName = $DNSResult.HostName 
                $timeStamp = $event.timecreated 

                $myObject | Add-Member -MemberType noteproperty -Name AuthDC -Value $dc 
                $myObject | Add-Member -MemberType noteproperty -Name TimeStamp -Value $timeStamp 
                $myObject | Add-Member -MemberType noteproperty -Name UserName -Value $username 
                $myObject | Add-Member -MemberType noteproperty -Name IPAddress -Value $address 
                $myObject | Add-Member -MemberType noteproperty -Name ComputerName -Value $computerName 
                $myObject 
            }
        }
    }
}

Usage:
.\Get-UserComputerName -UserName "John_Doe" -Server "My_DC1","My_DC2"
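
An added example, not part of the original script or of the answer above: a variant that reads the named fields of event 4768 from the event XML instead of the localized message text, discovers the domain's DCs when none are given, and merges the results from all DCs newest first. The function name `Get-UserLogonSource`, the `MaxEventsPerDC` parameter and the user-name pattern are assumptions; it needs a domain-joined machine and rights to read the DCs' Security logs.

```powershell
function Get-UserLogonSource {
    # Hypothetical helper name; not from the original thread.
    param(
        [Parameter(Mandatory)][string]$UserName,
        # Default: every DC of the current domain (assumes a domain-joined machine).
        [string[]]$Server = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | ForEach-Object { $_.Name }),
        [int]$MaxEventsPerDC = 5
    )

    # The name is embedded in an XPath literal below, so accept only sAMAccountName-style characters.
    if ($UserName -notmatch '^[\w.\-$]{1,64}$') {
        throw "Unexpected characters in user name: $UserName"
    }
    $xpath = "*[System[EventID=4768] and EventData[Data[@Name='TargetUserName']='$UserName']]"

    $results = foreach ($dc in $Server) {
        $dc = $dc.TrimStart('\')      # $env:LOGONSERVER is in \\NAME form
        try {
            $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -MaxEvents $MaxEventsPerDC -ErrorAction Stop
        } catch {
            # Covers both "no matching events" and an unreachable or access-denied DC.
            Write-Warning "No matching 4768 events read from ${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Build a name -> value map of the event's <Data Name="..."> fields.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $ip = $data['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped IPv6 prefix
            $name = $null
            try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }   # leave empty if no reverse record
            [pscustomobject]@{
                AuthDC       = $dc
                TimeStamp    = $e.TimeCreated
                UserName     = $data['TargetUserName']
                Status       = $data['Status']      # 0x0 means the TGT was issued
                IPAddress    = $ip
                ComputerName = $name
            }
        }
    }
    # One merged list across all DCs, most recent request first.
    $results | Sort-Object TimeStamp -Descending
}
```

Each DC logs only the TGT requests it served itself, which is why the merged, time-sorted list across all DCs is what answers "where did this user last log on".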
