asked on Create a PowerShell script that would get the last 30 days history logon of Domain Admin member
Dear All,
I would like to write a Power Shell script that would do the following:
- If the user is member of (Domain admins) get me the last 30 days history logon of this user in any Domain joined computer.
I created something now but it still lacks a lot as it reads the security events on the Domain controller and brings the users,time and matches them with the Domain admin group as in the attached screenshot
I would appreciate if someone can help me evolve this script into something useful
I would like to write a Power Shell script that would do the following:
- If the user is member of (Domain admins) get me the last 30 days history logon of this user in any Domain joined computer.
I created something now but it still lacks a lot as it reads the security events on the Domain controller and brings the users,time and matches them with the Domain admin group as in the attached screenshot
I would appreciate if someone can help me evolve this script into something useful
$Rusers = Get-WinEvent -Computer dc02 -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 50 |
` select @{N='User';E={$_.Properties[1].Value}},TimeCreated
$DAUsers = Get-ADGroupMember -Identity "Domain Admins"
Foreach ($DAUser in $DAUsers){
$DomainUser = $DAUser.SamAccountName
foreach ($Ruser in $Rusers){
$RAUser = $Ruser.User
If ($RAUser -match $DomainUser){
Write-Host $Ruser is domain admin }
}
}
Powershell* auditingActive Directory
Last Comment
Mohammed Hamada
ASKER
Hi Alex,
Yes I think it might be simpler than I am trying to do it. Is it possible to get the source server of where the user logged from?
An example:
Assuming Domain admin User 1 is being utilized by SQL, Sccm or Scom service and tries to authenticate over the DC.
Is it possible to add the source to the file?
Thank you
Yes I think it might be simpler than I am trying to do it. Is it possible to get the source server of where the user logged from?
An example:
Assuming Domain admin User 1 is being utilized by SQL, Sccm or Scom service and tries to authenticate over the DC.
Is it possible to add the source to the file?
Thank you
that's in the
%computername%
So you build this as a BAT file and then deploy it that way, so drop it into netlogon.
Regards
Alex
%computername%
So you build this as a BAT file and then deploy it that way, so drop it into netlogon.
Regards
Alex
Your help has saved me hundreds of hours of internet surfing.
fblack61
For me it shows up like this
03/12/2019,14:24:55.64,lap
03/12/2019,14:24:55.64,lap
Assuming Domain admin User 1 is being utilized by SQL, Sccm or Scom service and tries to authenticate over the DC.
Is it possible to add the source to the file?
Is this for service accounts???
ASKER
Yes it is, I created a script that invokes a command to find all non-local system services (just domain accounts) and prints them to a file. But need to also know if those users are authenticating or running against the DC.
It's for auditing reasons and to check where and from which server those accounts are running in..etc
It's for auditing reasons and to check where and from which server those accounts are running in..etc
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Yeah service accounts won't work, they won't run as a standard logon which means they won't invoke the script in the first place.
If you've confirmed they are running as a service, they will authenticate to the DC. Your better option would be to just scan your infrastructure of all services and their respective domain account which you've done. If it's a service that's running then it's authenticating.
Regards
Alex
If you've confirmed they are running as a service, they will authenticate to the DC. Your better option would be to just scan your infrastructure of all services and their respective domain account which you've done. If it's a service that's running then it's authenticating.
Regards
Alex
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a questionASKER
Thank you
Then have something like
Log on
echo %date%,%time%,%computernam
Log off
echo %date%,%time%,%computernam
Then stipulate where you want the file dumped.
Regards
Alex