Mike Dias
 asked on

Powershell - Remote PC Report: Logon, Logoff, Lock and Unlock

I need to silently access a machine on the domain, to generate an "access" report, by date (recent to oldest) that references the following Event IDs:

7001 = 'Logon'
7002 = 'Logoff'
4800 = 'Lock'
4801 = 'UnLock'

I found the following script, however I need it amended to include 'Lock' and 'Unlock' Event IDs.

www.geekshangout.com/610-2

On the same request, I also need a copy of the XML saved as a txt file.

function get-logonhistory {
    Param (
        [string]$Computer = (Read-Host "Remote computer name"),
        [int]$Days = 10
    )
    cls
    $Result = @()
    Write-Host "Gathering Event Logs, this can take awhile..."
    # Winlogon writes logon (7001) and logoff (7002) notifications to the System log
    $ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-$Days) -ComputerName $Computer
    If ($ELogs) {
        Write-Host "Processing..."
        ForEach ($Log in $ELogs) {
            If ($Log.InstanceId -eq 7001) {
                $ET = "Logon"
            }
            ElseIf ($Log.InstanceId -eq 7002) {
                $ET = "Logoff"
            }
            Else {
                # Skip every other Winlogon event
                Continue
            }
            $Result += New-Object PSObject -Property @{
                Time = $Log.TimeWritten
                'Event Type' = $ET
                # ReplacementStrings[1] holds the user's SID; translate it to an account name
                User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
            }
        }
        # Newest events first
        $Result | Select Time,"Event Type",User | Sort Time -Descending | Format-Table

        Write-Host "Done."
    }
    Else {
        Write-Host "Problem with $Computer."
        Write-Host "If you see a 'Network Path not found' error, try starting the Remote Registry service on that computer."
        Write-Host "Or there are no logon/logoff events (XP requires auditing be turned on)"
    }
}

get-logonhistory -Computer "COMPUTERNAME" -Days 7


8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
footech

footech

"On the same request, I also need a copy of the XML saved as a txt file."
I really don't know what you're asking there.
arnold

What is the environment?
Windows firewall settings?
Are you running into an issue where you cannot access the event log remotely?

In a domain, have you looked at forwarding events from the local system to a central repository on the server?
Running queries on the DCs for ....
arnold

Rereading your.....
If your existing output is what you want/need
Using /piping through a convert to XML cmdlet

https://technet.microsoft.com/en-us/library/ff730921.aspx
Ajit Singh

get logon\off workstation lock\unlock times:
https://community.spiceworks.com/topic/764481-get-logon-off-workstation-lock-unlock-times

Built in and FREE Group Policy auditing. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Logon/Logoff

Configure an event forwarder: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding

Audit logon/logoff/workstation lock and unlocks and more options.


Event Log Audit User Logon, Logoff and locked, unlocked:
https://www.reddit.com/r/PowerShell/comments/4pksce/event_log_audit_user_logon_logoff_and_locked/

For logoff check event 4634, workstation lock event 4800, unlock 4801. Get help from this article to audit successful Logon/Logoff and Failed Logons.

Hope this helps!
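
The report the question asks for, as an added example that is not part of this thread or of any poster's solution: it merges the Winlogon events 7001/7002 from the System log with the lock/unlock events 4800/4801 from the Security log and sorts them newest first. The function name, parameter names and output file name are hypothetical.

```powershell
# Added example; Get-SessionHistory and its parameters are hypothetical names.
function Get-SessionHistory {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Days = 10
    )
    $start = (Get-Date).AddDays(-$Days)
    $label = @{ 7001 = 'Logon'; 7002 = 'Logoff'; 4800 = 'Lock'; 4801 = 'Unlock' }

    # 7001/7002: Winlogon provider, System log.
    # 4800/4801: Security log; written only when the "Other Logon/Logoff Events"
    # audit subcategory is enabled, and reading them needs rights on the Security log.
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Winlogon'; Id = 7001, 7002; StartTime = $start }
        @{ LogName = 'Security'; Id = 4800, 4801; StartTime = $start }
    )

    $rows = foreach ($filter in $filters) {
        # Get-WinEvent reports "no matching events" as an error, so silence it.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($evt in $events) {
            # Index EventData by field name instead of relying on position.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['UserSid']) {
                # Winlogon events carry only a SID; resolve it, keep the SID if that fails.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier $data['UserSid']
                    $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $user = $data['UserSid'] }
            } else {
                # Security events already carry the account and domain names.
                $user = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            }
            [pscustomobject]@{ Time = $evt.TimeCreated; 'Event Type' = $label[$evt.Id]; User = $user }
        }
    }
    $rows | Sort-Object Time -Descending
}

# Constructed usage: print the report and keep a copy as a text file.
# Get-SessionHistory -ComputerName 'COMPUTERNAME' -Days 7 | Format-Table -AutoSize | Out-File .\access-report.txt
```

If the Lock and Unlock rows are missing while Logon and Logoff appear, check the Logon/Logoff audit policy mentioned above on the target machine before suspecting the query.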
Mike Dias

ASKER
Thanks - simple and it works.