Solved

How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?

Posted on 2016-09-01
26
105 Views
Last Modified: 2016-09-01
How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?Especially the IP's
To see reboot history i use this syntax and works great.Can anyone help me?thank you

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
0
Comment
Question by:john lambert
  • 14
  • 11
26 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41779783
Use Get-WinEvent
Example...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP

Open in new window

2
 
LVL 16

Expert Comment

by:Spike99
ID: 41779901
Subsun,
Excellent script which worked for me, but, it gave me a huge amount of data.
So, I added this to the last line to produce a CSV file:

| Export-Csv <PATH to .csv File>

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41779954
Yes, it will pull all 1149 events available on server. you can also filter using Where-Object to get a single days event..
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:john lambert
ID: 41780088
how to solve this??
File C:\Users\User5\Desktop\demo.ps1 cannot be loaded because the execution of
scripts is disabled on this system. Please see "get-help about_signing" for mor
e details.
At line:1 char:32
+ C:\Users\User5\Desktop\demo.ps1 <<<<
    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
    + FullyQualifiedErrorId : RuntimeException
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780099
You need to change the powershell execution policy
Open the powershell console with run as administrator and run the following command
 Set-ExecutionPolicy remotesigned

Open in new window

1
 

Author Comment

by:john lambert
ID: 41780108
can u combine all?one click and solve all??
include this inside the script?to be sure is activated?: Set-ExecutionPolicy remotesigned
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780118
Set-ExecutionPolicy remotesigned
is a one time task unless you have disabled it using a GPO.
0
 

Author Comment

by:john lambert
ID: 41780122
can't see the usarnames:
MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 6:48:42
User        :
Domain      :
SourceIP    : 5.15.201.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 5:39:15
User        :
Domain      :
SourceIP    : 5.15.203.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 3:52:45

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780139
Hmm.. I just checked and it works for me.. Can you post a sample log?
0
 

Author Comment

by:john lambert
ID: 41780161
working for my other rdp

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:21 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:18 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780166
Does the event message have the complete information for  User, Domain, Source Network Address?
0
 

Author Comment

by:john lambert
ID: 41780167
yes and for my other rdp , username is empty,always

Remote Desktop Services: User authentication succeeded:

User:
Domain:
Source Network Address: 5.15.xxxx
0
 

Author Comment

by:john lambert
ID: 41780170
No no  complete information for  User, Domain, Source Network Address
I check them all  Usernames ,Domains are empty for this rdp

snapshot
0
 

Author Comment

by:john lambert
ID: 41780194
how to modify the script to output.txt file?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780202
ok.. script can pull the information from the event, only if it's present there. You can test by logging in using a domain account and see if the server logs the same.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780206
Use Export-csv to export the result...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti

Open in new window

You can open report.csv using excel.
2
 

Author Comment

by:john lambert
ID: 41780212
i test and is working perfect,thank you...
0
 

Author Comment

by:john lambert
ID: 41780226
script working fine
0
 

Author Comment

by:john lambert
ID: 41780228
and modify script to see only the suers who logged TODAY?
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41780270
Try this for last 24 hours event details..
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";StartTime=(get-date).AddDays(-1);ID=1149} | %{
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti

Open in new window

2
 

Author Comment

by:john lambert
ID: 41780286
oh yess thankssssssssssss
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780308
You're Welcome!.. Don't forget to close the question by accepting the answer.. :-)
1
 

Author Closing Comment

by:john lambert
ID: 41780388
thank you
0
 

Author Comment

by:john lambert
ID: 41780391
ok i close it thanks , do u know things about regex codes?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780449
not an expert in regex but can help with simple issues.. why?
0
 

Author Comment

by:john lambert
ID: 41780467
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
Synchronize a new Active Directory domain with an existing Office 365 tenant
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question