Create a PowerShell script that would get the last 30 days' logon history of Domain Admin members

Mohammed Hamada asked:
Dear All,

I would like to write a PowerShell script that would do the following:
- If the user is a member of Domain Admins, get me the last 30 days' logon history of this user on any domain-joined computer.

I created something now, but it still lacks a lot: it reads the security events on the domain controller, brings back the users and times, and matches them against the Domain Admins group, as in the attached screenshot.

I would appreciate it if someone could help me evolve this script into something useful.

# Pull the 50 most recent 4672 (special privileges assigned to new logon) events from dc02;
# in a 4672 event Properties[1] is the account name (SubjectUserName)
$Rusers = Get-WinEvent -ComputerName dc02 -FilterHashtable @{LogName='Security';ID=4672} -MaxEvents 50 |
    Select-Object @{N='User';E={$_.Properties[1].Value}},TimeCreated

$DAUsers = Get-ADGroupMember -Identity "Domain Admins"

Foreach ($DAUser in $DAUsers){
    $DomainUser = $DAUser.SamAccountName

    foreach ($Ruser in $Rusers){
        $RAUser = $Ruser.User

        # -match is a regex comparison; -eq would be an exact (case-insensitive) match
        If ($RAUser -match $DomainUser){
            Write-Host "$($Ruser.User) is domain admin (logon event at $($Ruser.TimeCreated))"
        }
    }
}

Screenshot_1.jpg
Alex commented:
This seems a bit silly, if you don't mind me saying: why not make your life that much easier and create a GPO, assign it to the OU where all your domain admins are, or drop Domain Admins into your security filtering.

Then have something like

Log on

echo %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >> 

Log off

echo %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >> 

Then stipulate where you want the file dumped.

Regards

Alex
Mohammed Hamada (Author) commented:
Hi Alex,

Yes, I think it might be simpler than the way I am trying to do it. Is it possible to get the source server where the user logged on from?
An example:
Assuming Domain admin User 1 is being utilized by SQL, Sccm or Scom service and tries to authenticate over the DC.
Is it possible to add the source to the file?

Thank you
Alex commented:
That's in the

%computername%

So you build this as a BAT file and then deploy it that way, so drop it into netlogon.

Regards
Alex
Alex commented:
For me it shows up like this

03/12/2019,14:24:55.64,laptop005666,Alex.green,Console,\\Domaincontroller
Alex commented:
Assuming Domain admin User 1 is being utilized by SQL, Sccm or Scom service and tries to authenticate over the DC.
Is it possible to add the source to the file?

Is this for service accounts???
Mohammed Hamada (Author) commented:
Yes it is. I created a script that invokes a command to find all non-local-system services (just domain accounts) and prints them to a file. But I also need to know if those users are authenticating or running against the DC.

It's for auditing reasons and to check where and from which server those accounts are running, etc.
Alex commented:
Yeah, service accounts won't work: they won't run as a standard logon, which means they won't invoke the script in the first place.

If you've confirmed they are running as a service, they will authenticate to the DC. Your better option would be to just scan your infrastructure of all services and their respective domain account which you've done. If it's a service that's running then it's authenticating.

Regards

Alex
Mohammed Hamada (Author) commented:
Thanks a lot Alex, I've already got it figured out! This little code does the magic, although you have to change the event ID and the number of events in the output.

Thanks a lot for your help

# Get domain admin user list
$DomainAdminList = Get-ADGroupMember -Identity 'Domain Admins'
# Get all Domain Controller names
$DomainControllers = Get-ADDomainController -Filter * | Sort-Object HostName
# EventID (4624 = an account was successfully logged on)
$EventID = 4624
#
# Only search the last 3 days (use -30 for the 30-day history asked for above)
$Date = (Get-Date).AddDays(-3)
# Limit log event search for testing as this will take a LONG time on most domains
# For normal running, set this to zero: -MaxEvents is then omitted and all matching events are returned
$MaxEvent = 100

# Loop through DCs
$DALogEvents = $DomainControllers | ForEach-Object {
    $CurDC = $_.HostName
    Write-Host "`nSearching $CurDC logs..."
    # Build the Get-WinEvent arguments; SilentlyContinue stops "No events were found" from terminating the loop
    $Params = @{ ComputerName = $CurDC; FilterHashtable = @{LogName='Security';ID=$EventID;StartTime=$Date}; ErrorAction = 'SilentlyContinue' }
    if ($MaxEvent -gt 0) { $Params.MaxEvents = $MaxEvent }
    # In a 4624 event Properties[5] is TargetUserName and Properties[18] is the source IpAddress
    Get-WinEvent @Params |
    Where-Object { $_.Properties[5].Value -in $DomainAdminList.SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{SourceIP = $_.Properties[18].Value; SamAccountName = $_.Properties[5].Value; Time = $_.TimeCreated; LogonEventLocation = $CurDC}
    }
}
$DALogEvents

PS01.png
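A fuller version of the same 4624 search, written as an added example rather than the asker's or Alex's code: it covers the 30 days asked for in the question, keeps the logon type so service logons (type 5, the case raised above) can be told apart from interactive ones, and tolerates DCs that return no matching events. It assumes the ActiveDirectory module and read access to each DC's Security log; the -Days and -MaxEvents parameter names are my own choice.

```powershell
# Added example (not code from the thread): 30-day 4624 logon history for Domain Admins
# across every DC, with the logon type kept so service logons stand out.
# Assumes the ActiveDirectory module and rights to read each DC's Security log.
param(
    [int]$Days = 30,      # how far back to search (assumed parameter name)
    [int]$MaxEvents = 0   # 0 = no limit; anything else is passed to -MaxEvents
)
Import-Module ActiveDirectory

# Logon type values as documented for event 4624
$LogonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
                     7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
                     10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

# -Recursive also catches admins nested through other groups; keep user objects only
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

$Filter = @{ LogName = 'Security'; ID = 4624; StartTime = (Get-Date).AddDays(-$Days) }

foreach ($DC in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    $Params = @{ ComputerName = $DC.HostName; FilterHashtable = $Filter
                 ErrorAction  = 'SilentlyContinue' }   # "no events found" is otherwise a terminating error
    if ($MaxEvents -gt 0) { $Params.MaxEvents = $MaxEvents }

    Get-WinEvent @Params | ForEach-Object {
        # 4624 EventData order: [5] TargetUserName, [6] TargetDomainName, [8] LogonType,
        # [11] WorkstationName, [18] IpAddress
        $p = $_.Properties
        $user = $p[5].Value
        if ($user -notin $DomainAdmins) { return }   # skip this event, keep looping
        $type = [int]$p[8].Value
        [pscustomobject]@{
            Time        = $_.TimeCreated
            DC          = $DC.HostName
            User        = "$($p[6].Value)\$user"
            LogonType   = $type
            LogonName   = $LogonTypeNames[$type]
            Workstation = $p[11].Value
            SourceIP    = $p[18].Value
        }
    }
}
```

Note that 4624 on a DC records logons to that DC only; an admin logging on to a member server is recorded in that server's own Security log, so the full 30-day picture across all domain-joined machines needs those logs forwarded or queried as well.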
Mohammed Hamada (Author) commented:
Thank you
