<div>
Use Get-WinEvent<br />
Example...<br />

<pre><code class="code-10 nolinks" id="code-20-41779783-1"><span>Get-WinEvent &quot;Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational&quot; | </span>
<span>?{$_.ID -eq &quot;1149&quot;} | %{						</span>
<span>	New-Object PSObject -Property @{</span>
<span>		MachineName = $_.MachineName</span>
<span>		TimeCreated = $_.TimeCreated</span>
<span>		User = $_.Properties[0].Value            </span>
<span>		Domain = $_.Properties[1].Value            </span>
<span>		SourceIP = $_.Properties[2].Value </span>
<span>	}</span>
<span>}| Select MachineName,TimeCreated,User,Domain,SourceIP</span>
</code></pre>
</div>


<div>
Subsun,<br />
Excellent script which worked for me, but, it gave me a huge amount of data.<br />
So, I added this to the last line to produce a CSV file:<br />
<br />
<b>| Export-Csv &lt;PATH to .csv File&gt;<br />
<br />
</b>
</div>


<div>
Yes, it will pull all 1149 events available on server. you can also filter using Where-Object to get a single days event..
</div>


<div>
how to solve this??<br />

<blockquote>
File C:\Users\User5\Desktop\dem<wbr />o.ps1 cannot be loaded because the execution of<br />
scripts is disabled on this system. Please see &quot;get-help about_signing&quot; for mor<br />
e details.<br />
At line:1 char:32<br />
+ C:\Users\User5\Desktop\dem<wbr />o.ps1 &lt;&lt;&lt;&lt;<br />
&nbsp; &nbsp; + CategoryInfo &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;: NotSpecified: (:) [], PSSecurityException<br />
&nbsp; &nbsp; + FullyQualifiedErrorId : RuntimeException<br />

</blockquote>
</div>


<div>
You need to change the powershell execution policy<br />
Open the powershell console with run as administrator and run the following command<br />

<pre><code class="code-1 nolinks" id="code-20-41780099-1"><span> Set-ExecutionPolicy remotesigned</span>
</code></pre>
</div>


<div>
can u combine all?one click and solve all??<br />
include this inside the script?to be sure is activated?: Set-ExecutionPolicy remotesigned
</div>


<div>
<blockquote>
Set-ExecutionPolicy remotesigned 
</blockquote>
is a one time task unless you have disabled it using a GPO.
</div>


<div>
can't see the usarnames:<br />

<pre><code class="code-10 nolinks" id="code-20-41780122-1"><span>MachineName : WIN-ERKU994KAAI</span>
<span>TimeCreated : 9/1/2016 6:48:42</span>
<span>User        :</span>
<span>Domain      :</span>
<span>SourceIP    : 5.15.201.100</span>
<span></span>
<span>MachineName : WIN-ERKU994KAAI</span>
<span>TimeCreated : 9/1/2016 5:39:15</span>
<span>User        :</span>
<span>Domain      :</span>
<span>SourceIP    : 5.15.203.100</span>
<span></span>
<span>MachineName : WIN-ERKU994KAAI</span>
<span>TimeCreated : 9/1/2016 3:52:45</span>
</code></pre>
</div>


<div>
Hmm.. I just checked and it works for me.. Can you post a sample log?
</div>


<div>
working for my other rdp<br />
<br />

<pre><code class="code-10 nolinks" id="code-20-41780161-1"><span>MachineName : Delphi-Prog2</span>
<span>TimeCreated : 9/1/2016 6:36:21 PM</span>
<span>User        : Administrator</span>
<span>Domain      :</span>
<span>SourceIP    : 172.93.xxx</span>
<span></span>
<span>MachineName : Delphi-Prog2</span>
<span>TimeCreated : 9/1/2016 6:36:18 PM</span>
<span>User        : Administrator</span>
<span>Domain      :</span>
<span>SourceIP    : 172.93.xxx</span>
</code></pre>
</div>


<div>
Does the event message have the complete information for &nbsp;User, Domain, Source Network Address?
</div>


<div>
yes and for my other rdp , username is empty,always <br />
<br />
Remote Desktop Services: User authentication succeeded:<br />
<br />
User: <br />
Domain: <br />
Source Network Address: 5.15.xxxx
</div>


<div>
No no &nbsp;complete information for &nbsp;User, Domain, Source Network Address<br />
I check them all &nbsp;Usernames ,Domains are empty for this rdp<br />
<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/09_w36/1114741/EasyCapture1.jpg" target="_blank" title="snapshot (88 KB)"><img alt="snapshot" class="file-block lazyload" style="max-width: 780px;" data-src="https://filedb.experts-exchange.com/incoming/2016/09_w36/1114741/EasyCapture1.jpg" /></a>
</div>


EasyCapture1.jpg

<div>
how to modify the script to output.txt file?
</div>


<div>
ok.. script can pull the information from the event, only if it's present there. You can test by logging in using a domain account and see if the server logs the same.
</div>


<div>
Use Export-csv to export the result...<br />

<pre><code class="code-10 nolinks" id="code-20-41780206-1"><span>Get-WinEvent &quot;Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational&quot; | </span>
<span>?{$_.ID -eq &quot;1149&quot;} | %{						</span>
<span>	New-Object PSObject -Property @{</span>
<span>		MachineName = $_.MachineName</span>
<span>		TimeCreated = $_.TimeCreated</span>
<span>		User = $_.Properties[0].Value            </span>
<span>		Domain = $_.Properties[1].Value            </span>
<span>		SourceIP = $_.Properties[2].Value </span>
<span>	}</span>
<span>}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti</span>
</code></pre>
You can open report.csv using excel.
</div>


<div>
i test and is working perfect,thank you...
</div>


<div>
and modify script to see only the suers who logged TODAY?
</div>


<div>
You're Welcome!.. Don't forget to close the question by accepting the answer.. :-)
</div>


<div>
ok i close it thanks , do u know things about regex codes?
</div>


<div>
not an expert in regex but can help with simple issues.. why?
</div>


<div>
can u take a look to this thread pls? <br />
<br />
<a href="https://www.experts-exchange.com/questions/28967092/regex-code-How-to-do-this-include-and-exclude-chars.html" rel="ugc">https://www.experts-exchange.com/questions/28967092/regex-code-How-to-do-this-include-and-exclude-chars.html</a>
</div>


<div>
<div class="content wysiwyg-content">
How to see Event ID 1149 using powershell or cmd (the names and IPs &nbsp;successfully logged in my remote)?Especially the IP's<br />
To see reboot history i use this syntax and works great.Can anyone help me?thank you<br />
<br />
Get-EventLog System | Where-Object {$_.EventID -eq &quot;1074&quot; -or $_.EventID -eq &quot;6008&quot; -or $_.EventID -eq &quot;1076&quot;} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
</div>
</div>


How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?Especially the IP's
To see reboot history i use this syntax and works great.Can anyone help me?thank you

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?

Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework. PowerShell provides full access to the Component Object Model (COM) and Windows Management Instrumentation (WMI), enabling administrators to perform administrative tasks on both local and remote Windows systems as well as WS-Management and Common Information Model (CIM) enabling management of remote Linux systems and network devices.