Command line to extract users who have logged in to a PC in the last few days

Link above shows how to view it from Event Viewer logs but I'll need to extract & save it to a file
using a command in Task Scheduler (say a daily task) for audit purposes.

Does the PS script below extract from Event Viewer?  Does it require admin rights to run?

I need to check for both AD as well as local accounts that login with the dates/time they login to a PC.

There's a tool below but I wanted to save into say a csv / text file, not view it from a GUI screen:

My GOAL ultimately:
I have a group of about 50 users whose AD IDs are members of our domain groups "Payment Staff" as well as "Domain Users": to be able to log in to the sensitive payment PCs (about 15 of them), they need to be members of "Payment Staff", while for any other general PCs (to read emails, browse Internet etc), just being a member of "Domain Users" is enough.

Audit wants me to review the 50 users' dormancy & the dates/timings they log in to the sensitive payment PCs, so is there any way I could assess if they have authenticated using the role that they're granted membership of, "Payment Staff"? I'm not Wintel-trained so my request may sound odd.

sunhux (Author) Commented:
We have a tool called Desktop Central but my colleague is only able to extract the last logon user to a PC, not a list of
users who logon to a PC for the last 1 week (with login dates/timings)
function Get-LogonHistory {
    [CmdletBinding()]
    param (
        # Accounts to look up (domain or local account names)
        [parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]$Username,

        # Computer whose System event log is queried
        [parameter(ValueFromPipelineByPropertyName = $true)]
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $EventArray = @()
    foreach ($User in $Username) {
        # Event 7001 stores the user's SID, so translate the account name to a SID first
        $UserObject = New-Object -TypeName System.Security.Principal.NTAccount($User)
        $UserSID = $UserObject.Translate([System.Security.Principal.SecurityIdentifier])

        # Winlogon event 7001 (System log) is written when a user logs on
        $EventsToAdd = Get-EventLog -ComputerName $ComputerName System -InstanceId 7001 -Source Microsoft-Windows-Winlogon | Where-Object { $_.ReplacementStrings -contains $UserSID }
        $EventArray += $EventsToAdd
        Remove-Variable EventsToAdd
    }
    Write-Output $EventArray
}


Take your list of users.. say one per text line.. then you would dot source the script (the first line below) and then run the Get-LogonHistory command and pipe it out to Export-CSV.
. c:\scripts\Get-LogonHistory.ps1
Get-LogonHistory -UserName (Get-Content c:\users.txt) | Export-Csv -Path '<path>\UserlogonsExport.csv' -NoTypeInformation -Encoding ASCII


This is untested.. but pulling the eventlog piece does work..

But, in addition, to protect those sensitive PCs, you would want to go into the local policies (can be done by GPO) and modify the User Rights Assignment, and remove the Logon Locally right from Domain Users, and add your domain security group for those 50 users. (Any reasonably experienced Windows admin can do this)..
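
Added example (not part of the answer above and not the poster's code): a variant that needs no user list. It reads the same Winlogon event 7001 for the last 7 days from each payment PC, resolves each SID to an account name, and marks whether the account is currently a member of "Payment Staff". The file paths, the PC list file and the availability of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module is installed and the
# account running the task can read the System log on each target PC.
Import-Module ActiveDirectory

function Get-RecentLogon {
    param (
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Days = 7,
        [string[]]$GroupSids = @()   # SIDs of the group members to flag
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Winlogon'
        Id           = 7001
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Unreachable PC, access denied, or no matching events: report it, do not hide it
        Write-Warning "$($ComputerName): $($_.Exception.Message)"
        return
    }
    foreach ($evt in $events) {
        # Property 1 of event 7001 holds the SID of the user who logged on
        $sid = [System.Security.Principal.SecurityIdentifier]$evt.Properties[1].Value
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '(unresolved)' }   # deleted account, or another PC's local account
        [pscustomobject]@{
            ComputerName   = $ComputerName
            LogonTime      = $evt.TimeCreated
            Account        = $account
            Sid            = $sid.Value
            InPaymentStaff = $GroupSids -contains $sid.Value   # current membership, not membership at logon time
        }
    }
}

$memberSids = (Get-ADGroupMember -Identity 'Payment Staff' -Recursive).SID.Value
$paymentPCs = Get-Content 'C:\scripts\payment-pcs.txt'   # hypothetical file: one PC name per line
$outFile    = "C:\audit\PaymentPcLogons_$(Get-Date -Format yyyyMMdd).csv"   # hypothetical path

$paymentPCs | ForEach-Object { Get-RecentLogon -ComputerName $_ -GroupSids $memberSids } |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding ASCII
```

Rows with `InPaymentStaff` set to `False` are logons to a payment PC by accounts outside the group; group members with no rows in the period are the dormant ones.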

Ajit Singh Commented:
PowerShell script to get report on the User logon history during a certain time, check below earlier discussions:

Also, you can track user activities on a computer. When you use auditing, you can specify which events are written to the Security log.

Hope this helps!
sunhux (Author) Commented:
So there's nothing I can query against the AD group "Payment Staff"? These authorized staff need to be members of this group, so is there anything being sent or authenticated against the AD? This is so that I query against the 15 PCs but only at a single point, i.e. the AD
sunhux (Author) Commented:
> So there's nothing I can query against the AD group "Payment Staff" ?  
Do note that these payment staff are members of several AD groups but I'm only interested when they are authenticated on the basis that they are member of "Payment Staff" group only