Command line to extract users who have logged in to a PC in the last few days

https://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-do-i-view-login-history-for-my-pc-using/a0172887-1071-47fb-b0a3-6ca9360efdbf?auth=1

Link above shows how to view it from Event Viewer logs but I'll need to extract & save it to a file
using a command in Task Scheduler (say a daily task) for audit purposes.

Does the PS script below extract from Event Viewer?  Does it require admin rights to run?
https://www.petri.com/forums/forum/windows-scripting/general-scripting/56086-view-all-users-who-was-logged-into-particular-computer-during-last-day

I need to check for both AD as well as local accounts that login with the dates/time they login to a PC.

There's a tool below but I wanted to save into say a csv / text file, not view it from a GUI screen:
https://support.microsoft.com/en-sg/help/824209/how-to-use-the-eventcombmt-utility-to-search-event-logs-for-account-lo


My GOAL ultimately:
================
I have a group of about 50 users whose AD Ids are members of our domain groups "Payment Staff" as well as "Domain Users": to be able to login to the sensitive payment PCs (about 15 of them), they need to be members of "Payment Staff" while for any other general PCs (to read emails, browse Internet etc), just being a member of "Domain Users" is enough.

Audit wants me to review the 50 users' dormancy & dates/timings they login to the sensitive payment PCs, so is there any way I could assess if they have authenticated using the role that they're granted membership of "Payment Staff"?  I'm not Wintel-trained so my request may sound odd.
sunhux Asked:
 
Coralon Commented:
function Get-LogonHistory {
    [cmdletbinding()]
    param(
        [parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]$Username,

        [parameter(ValueFromPipelineByPropertyName = $true)]
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $EventArray = @()
    foreach ($User in $Username) {
        # Translate the account name to its SID; Winlogon event 7001 records the SID, not the name
        $UserObject = New-Object -TypeName System.Security.Principal.NTAccount($User)
        $UserSID = $UserObject.Translate([System.Security.Principal.SecurityIdentifier])

        # Compare as a string (.Value): ReplacementStrings holds strings, not SID objects
        $EventsToAdd = Get-EventLog -ComputerName $ComputerName -LogName System -InstanceId 7001 -Source Microsoft-Windows-Winlogon | Where-Object { $_.ReplacementStrings -contains $UserSID.Value }
        $EventArray += $EventsToAdd
        Remove-Variable EventsToAdd
    }
    Write-Output $EventArray
}



take your list of users.. say one per text line.. then you would dot source the script (the first line below) and then run the Get-LogonHistory command and pipe it out to Export-CSV.  
. c:\scripts\Get-LogonHistory.ps1
Get-LogonHistory -UserName (Get-Content c:\users.txt) | Export-Csv -Path '<path>\UserlogonsExport.csv' -NoTypeInformation -Encoding ascii



This is untested.. but pulling the eventlog piece does work..


But, in addition, to protect those sensitive PCs, you would want to go into the local policies (can be done by GPO) and modify the User Rights Assignment, and remove the Logon Locally right from Domain Users, and add your domain security group for those 50 users.  (Any reasonably experienced Windows admin can do this)..
Coralon
1
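
An added example, not part of Coralon's post or of the original thread: it extends the same Winlogon event 7001 lookup to report every account (AD or local) that logged on to a list of PCs in the last N days, instead of checking a supplied list of user names. The function names, the `C:\audit\...` paths and the 7-day window are assumptions made for illustration.

```powershell
# Added example; Resolve-SidToName, Get-PcLogonReport and the C:\audit paths are hypothetical.
function Resolve-SidToName {
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # deleted account, or a local account of another PC: keep the raw SID
    }
}

function Get-PcLogonReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [int]$Days = 7
    )
    # Same event as Get-LogonHistory above: System log, Winlogon, ID 7001
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Winlogon'
        Id           = 7001
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($pc in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $pc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Unreachable PC, access denied, or no matching events in the window
            Write-Warning "$pc : $($_.Exception.Message)"
            continue
        }
        foreach ($ev in $events) {
            # Read the SID by field name from the event XML rather than by position
            $data = ([xml]$ev.ToXml()).Event.EventData.Data
            $sid  = ($data | Where-Object { $_.Name -eq 'UserSid' }).'#text'
            [pscustomobject]@{
                Computer  = $pc
                LogonTime = $ev.TimeCreated
                Account   = Resolve-SidToName -Sid $sid
                Sid       = $sid
            }
        }
    }
}

Get-PcLogonReport -ComputerName (Get-Content 'C:\audit\payment-pcs.txt') -Days 7 |
    Export-Csv -Path 'C:\audit\logons.csv' -NoTypeInformation -Encoding ASCII
```

SIDs are translated on the machine running the script, so domain accounts resolve to DOMAIN\user while a local account belonging to a remote PC stays as a raw SID in the Account column.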
 
sunhux (Author) Commented:
We have a tool called Desktop Central but my colleague is only able to extract the last logon user to a PC, not a list of
users who logon to a PC for the last 1 week (with login dates/timings)
0
 
Ajit Singh Commented:
PowerShell script to get a report on the user logon history during a certain time; check the earlier discussions below:
 
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/0bf8f5d5-1523-4757-8b3f-086a38718d47/powershell-srtip-to-get-report-on-the-user-logon-history-during-a-certain-time?forum=ITCG

https://community.spiceworks.com/topic/1893287-network-login-history

Also, you can track user activities on a computer. When you use auditing, you can specify which events are written to the Security log.

Hope this helps!
0
 
sunhux (Author) Commented:
So there's nothing I can query against the AD group "Payment Staff"?  These authorized staff need to be members of this group, so is there anything being sent or authenticated against the AD?  This is so that I query against the 15 PCs but only at a single point, i.e. the AD
0
 
sunhux (Author) Commented:
> So there's nothing I can query against the AD group "Payment Staff" ?  
Do note that these payment staff are members of several AD groups but I'm only interested when they are authenticated on the basis that they are members of the "Payment Staff" group only
0
Question has a verified solution.