How to see Event ID 1149 using powershell or cmd (the names and IPs successfully logged in my remote)?

How to see Event ID 1149 using PowerShell or cmd (the names and IPs successfully logged in my remote)? Especially the IPs.
To see reboot history I use this syntax and it works great. Can anyone help me? Thank you.

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
john lambert Asked:
 
Subsun Commented:
Try this for last 24 hours event details..
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";StartTime=(get-date).AddDays(-1);ID=1149} | %{
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti


2
 
Subsun Commented:
Use Get-WinEvent
Example...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP


2
 
Spike99 (On-Site IT Technician) Commented:
Subsun,
Excellent script which worked for me, but, it gave me a huge amount of data.
So, I added this to the last line to produce a CSV file:

| Export-Csv <PATH to .csv File>

0

 
Subsun Commented:
Yes, it will pull all 1149 events available on the server. You can also filter using Where-Object to get a single day's events..
0
 
john lambert (Author) Commented:
how to solve this??
File C:\Users\User5\Desktop\demo.ps1 cannot be loaded because the execution of
scripts is disabled on this system. Please see "get-help about_signing" for mor
e details.
At line:1 char:32
+ C:\Users\User5\Desktop\demo.ps1 <<<<
    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
    + FullyQualifiedErrorId : RuntimeException
0
 
Subsun Commented:
You need to change the powershell execution policy
Open the powershell console with run as administrator and run the following command
 Set-ExecutionPolicy remotesigned


1
 
john lambert (Author) Commented:
can u combine all? one click and solve all??
include this inside the script? to be sure it is activated?: Set-ExecutionPolicy remotesigned
0
 
Subsun Commented:
Set-ExecutionPolicy remotesigned
is a one time task unless you have disabled it using a GPO.
0
 
john lambert (Author) Commented:
can't see the usernames:
MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 6:48:42
User        :
Domain      :
SourceIP    : 5.15.201.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 5:39:15
User        :
Domain      :
SourceIP    : 5.15.203.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 3:52:45


0
 
Subsun Commented:
Hmm.. I just checked and it works for me.. Can you post a sample log?
0
 
john lambert (Author) Commented:
working for my other rdp

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:21 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:18 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx


0
 
Subsun Commented:
Does the event message have the complete information for  User, Domain, Source Network Address?
0
 
john lambert (Author) Commented:
yes, and for my other rdp, username is empty, always

Remote Desktop Services: User authentication succeeded:

User:
Domain:
Source Network Address: 5.15.xxxx
0
 
john lambert (Author) Commented:
No no complete information for User, Domain, Source Network Address
I check them all. Usernames, Domains are empty for this rdp

snapshot
0
 
john lambert (Author) Commented:
how to modify the script to output.txt file?
0
 
Subsun Commented:
ok.. script can pull the information from the event, only if it's present there. You can test by logging in using a domain account and see if the server logs the same.
0
 
Subsun Commented:
Use Export-csv to export the result...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti


You can open report.csv using excel.
2
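
Added example, not part of the original thread: it pulls together the points raised above (limiting the query to a single day, hosts that log blank User/Domain fields, CSV and text output) by listing today's Event ID 1149 records and summarising them per source IP. The `C:\temp` folder follows the thread; the output file names, the `Get-FieldOrBlank` helper and the `(blank)` marker are assumptions.

```powershell
# Added example: today's Event ID 1149 records with a per-source-IP summary.
$logName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$outDir  = 'C:\temp'   # folder used in the thread; file names below are assumptions

# StartTime = midnight today, so the filtering happens inside the event log query.
$filter = @{ LogName = $logName; ID = 1149; StartTime = (Get-Date).Date }
# Get-WinEvent raises an error when nothing matches, so suppress it and test for empty.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Output 'No Event ID 1149 records since midnight.'; return }

function Get-FieldOrBlank($Record, [int]$Index) {
    # The thread shows a host logging 1149 with empty User/Domain; mark those explicitly.
    if ($Record.Properties.Count -gt $Index) {
        $value = ([string]$Record.Properties[$Index].Value).Trim()
        if ($value) { return $value }
    }
    return '(blank)'
}

$records = @(foreach ($e in $events) {
    New-Object PSObject -Property @{
        MachineName = $e.MachineName
        TimeCreated = $e.TimeCreated
        User        = Get-FieldOrBlank $e 0
        Domain      = Get-FieldOrBlank $e 1
        SourceIP    = Get-FieldOrBlank $e 2
    }
})

# One row per source address: connection count, users seen, first and last time.
$summary = $records | Group-Object SourceIP | Sort-Object Count -Descending | ForEach-Object {
    $times = @($_.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
    New-Object PSObject -Property @{
        SourceIP  = $_.Name
        Count     = $_.Count
        Users     = (@($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ', ')
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
    }
} | Select-Object SourceIP, Count, Users, FirstSeen, LastSeen

$records | Select-Object MachineName, TimeCreated, User, Domain, SourceIP |
    Export-Csv (Join-Path $outDir 'rdp-1149-today.csv') -NoTypeInformation
$summary | Format-Table -AutoSize | Out-File (Join-Path $outDir 'rdp-1149-today.txt')
$summary
```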
 
john lambert (Author) Commented:
i tested and it is working perfectly, thank you...
0
 
john lambert (Author) Commented:
script working fine
0
 
john lambert (Author) Commented:
and modify script to see only the users who logged TODAY?
0
 
john lambert (Author) Commented:
oh yess thankssssssssssss
0
 
Subsun Commented:
You're Welcome!.. Don't forget to close the question by accepting the answer.. :-)
1
 
john lambert (Author) Commented:
thank you
0
 
john lambert (Author) Commented:
ok i close it, thanks. do u know things about regex codes?
0
 
Subsun Commented:
not an expert in regex but can help with simple issues.. why?
0
 
john lambert (Author) Commented:
0
Question has a verified solution.
