question

3 Votes
joaomanoelc asked · CandyLuo-MSFT answered

Logon History for Single AD User using powershell

[screenshot: result-logon-users.png]




This script brings back the logon history of all accounts, together with the name of the remote computer from which the logon was made.

I would like to make the same query for a single account and find out the last login that the account made and where it did.

 # Find DC list from Active Directory
 $DCs = Get-ADDomainController -Filter *

 # Define time for report (default is 1 day)
 $startDate = (get-date).AddDays(-1)

 # Store successful logon events from security logs with the specified dates and workstation/IP in an array
 # (accumulate with += so the events of one DC are not overwritten by the next)
 $slogonevents = @()
 foreach ($DC in $DCs){
     $slogonevents += Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }
 }

 # Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely
 foreach ($e in $slogonevents){
     # Logon Successful Events
     # Local (Logon Type 2)
     if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){
         write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
     }
     # Remote (Logon Type 10)
     if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){
         write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
     }
 }

Tags: windows-server-powershell, windows-active-directory

I am trying to involve someone familiar with this topic to further look at this thread. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.


I need to track the login history of a specific account, i.e. on which workstations or servers it logged on.


1 Answer

0 Votes
CandyLuo-MSFT answered

Hi,

Refer to the following scripts:

 # Account to report on (sAMAccountName as it appears in the event's Account Name field)
 $user="administrator"
 # Find DC list from Active Directory
 $DCs = Get-ADDomainController -Filter *

 # Define time for report (default is 1 day)
 $startDate = (get-date).AddDays(-1)

 # Store successful logon events from security logs with the specified dates and workstation/IP in an array
 $slogonevents = @()
 foreach ($DC in $DCs){
     $slogonevents += Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }
 }

 # Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely
 foreach ($e in $slogonevents){
     # Logon Successful Events
     # Local (Logon Type 2)
     if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){
         write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
     }
     # Remote (Logon Type 10)
     if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){
         write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
     }
 }

 # Same crawl, restricted to the single account in $user (ReplacementStrings[5] is the Account Name of the logged-on user)
 foreach ($e in $slogonevents){
     if($e.ReplacementStrings[5] -eq $user){
         # Logon Successful Events
         # Local (Logon Type 2)
         if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){
             write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
         }
         # Remote (Logon Type 10)
         if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){
             write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
         }
     }
 }

Best Regards,

Candy


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

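The answer above filters the 4624 events by positional ReplacementStrings indexes and prints with Write-Host, which makes the result hard to sort or pick the most recent logon from. The script below is an added example, not the asker's or the answerer's code: it collects the same 4624 events from every DC with Get-WinEvent, reads the fields by name from the event XML (the positional indexes shift between Windows versions), restricts to one account, and returns objects so the most recent logon and its source host can be selected. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the Security log on each DC remotely; the function name Get-UserLogonHistory, the parameter names and the placeholder account jdoe are my own.

```powershell
# Added example (not the original poster's or the answerer's script).
# Assumptions: RSAT ActiveDirectory module, remote read access to each DC's
# Security log, Windows PowerShell 5.1 or later. Names below are hypothetical.
param(
    [string]$TargetUser = 'jdoe',   # placeholder sAMAccountName
    [int]$Days = 1
)

Import-Module ActiveDirectory

# Friendly names for the 4624 LogonType values most often seen on a DC
$logonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-UserLogonHistory {
    param([string]$User, [datetime]$Since)

    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        # FilterHashtable lets the remote event log service filter on ID and time,
        # instead of streaming the whole Security log as Get-EventLog does.
        $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Unreachable DC, access denied, or simply no 4624 events in the window
            Write-Warning "Could not read 4624 events from $($dc.HostName): $_"
            continue
        }
        foreach ($e in $events) {
            # Read EventData fields by name from the event XML
            $xml = [xml]$e.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            if ($d['TargetUserName'] -ne $User) { continue }
            [pscustomobject]@{
                Time        = $e.TimeCreated
                DC          = $dc.HostName
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = $logonTypeNames[[int]$d['LogonType']]
                Workstation = $d['WorkstationName']
                IpAddress   = $d['IpAddress']
            }
        }
    }
    # Newest first, so the first object is the last logon and its source
    $results | Sort-Object Time -Descending
}

$history = Get-UserLogonHistory -User $TargetUser -Since (Get-Date).AddDays(-$Days)
$history | Format-Table -AutoSize
'Most recent logon for the account:'
$history | Select-Object -First 1
```

Two points worth keeping in mind when reading the output. First, a 4624 event is written on the machine where the logon session was created, so collecting it from the DCs shows logons to the DCs themselves: an interactive (type 2) or RDP (type 10) logon to a member workstation is logged on that workstation, not on the DC, and on the DC the same user typically shows up as type 3 network logons with the workstation's name and IP when it reads Group Policy or SYSVOL. The example therefore keeps type 3 rather than dropping it as the scripts above do. Second, a domain-wide "where did this account log on" view is better served by forwarding 4624 from all members to a collector, or by correlating the Kerberos 4768/4769 events on the DCs, which carry the client IP for every ticket request.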