Windows Powershell

CTClaude

New Member
Joined
Sep 5, 2019
Messages
4
Hi everyone,
I hope I explain myself clearly.
I have a server (remote server) that 100+ users connect to. We have moved over to a web app, so there is no need for RDP connections.
I want to run a PowerShell script to see who has logged on to the RDP server in the last two months. A timestamp and name will be sufficient.
Thanks in advance
 

WAslayer

Expert Member
Joined
May 13, 2011
Messages
4,041
Hi everyone,
I hope I explain myself clearly.
I have a server (remote server) that 100+ users connect to. We have moved over to a web app, so there is no need for RDP connections.
I want to run a PowerShell script to see who has logged on to the RDP server in the last two months. A timestamp and name will be sufficient.
Thanks in advance
And this is not something available via a Google search..?


There is a starting point..
 

CTClaude

New Member
Joined
Sep 5, 2019
Messages
4
And this is not something available via a Google search..?


There is a starting point..
I have searched a lot; it seems to be a matter of pinpointing the exact wording. I can generate a list of all the computers that logged on, but can't get the date working. I only get the last 24 hours for some reason, and I would like two months of info.
Thanks for your reply, much appreciated.
 

swakop_toe

Well-Known Member
Joined
Sep 17, 2013
Messages
220
I use a script to audit the last logon date of RDP users.
Remind me tomorrow, I'll paste it here.
 

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,333
There's also a Terminal Service module that makes it a lot easier to access.

It is archived so I assume the author is no longer maintaining the module, however it is still very useful.

I used to use it to admonish admins who left their terminal sessions running unnecessarily.
 

swakop_toe

Well-Known Member
Joined
Sep 17, 2013
Messages
220
I use a script to audit the last logon date of RDP users.
Remind me tomorrow, I'll paste it here.
# Enumerate the local accounts through the WinNT ADSI provider and export each account's LastLogin timestamp
$([ADSI]"WinNT://$env:COMPUTERNAME").Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    Select-Object @{l='name'; e={ $_.name }}, @{l='LastLogin'; e={ $_.lastlogin }} |
    Export-Csv C:\LastLogon.csv
 

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,333
$([ADSI]"WinNT://$env:COMPUTERNAME").Children | where {$_.SchemaClassName -eq 'user'} | select @{l='name';e={$_.name}},@{l='LastLogin';e={$_.lastlogin}} | export-csv C:\LastLogon.csv
That would also count the logon through the website should it be hosted on the same server.
Perhaps search the event log for Logon Type 3?
Not sure what logon via website would generate.
 

CTClaude

New Member
Joined
Sep 5, 2019
Messages
4
$([ADSI]"WinNT://$env:COMPUTERNAME").Children | where {$_.SchemaClassName -eq 'user'} | select @{l='name';e={$_.name}},@{l='LastLogin';e={$_.lastlogin}} | export-csv C:\LastLogon.csv
Thanks for the above. This only gives me the 4 user accounts allowed. I am new at the company and still trying to find my feet, working out where everything is.
In short: an application resides on the local drive (RDP server). On a separate VM, the DC, the 100-odd users are listed (AD) in a group. Only this group is added on the RDP server.

I have the script below, but it is just the date portion I am struggling with.

# Note: -after (Get-Date -hour 0 -minute 0 -second 0) restricts the query to events since midnight today
Get-EventLog -LogName Security -after (Get-Date -hour 0 -minute 0 -second 0) |
    # Keep successful logons (4624) and session reconnects (4778) whose message says logon type 10 (RDP)
    ?{ (4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s' } |
    %{
        # Pull the fields of interest out of the message text with regex captures
        (New-Object -Type PSObject -Property @{
            TimeGenerated = $_.TimeGenerated
            ClientIP      = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1'
            UserName      = $_.Message -replace '(?smi).*Account Name:\s+([^\s]+)\s+.*','$1'
            UserDomain    = $_.Message -replace '(?smi).*Account Domain:\s+([^\s]+)\s+.*','$1'
            LogonType     = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'
        })
    } |
    Sort TimeGenerated -Descending |
    Select TimeGenerated, ClientIP `
        , @{N='Username'; E={ '{0}\{1}' -f $_.UserDomain, $_.UserName }} `
        , @{N='LogType'; E={
            # Translate the numeric logon type into a readable label
            switch ($_.LogonType) {
                2  { 'Interactive - local logon' }
                3  { 'Network (connection to shared folder)' }
                4  { 'Batch' }
                5  { 'Service' }
                7  { 'Unlock (after screensaver)' }
                8  { 'NetworkCleartext' }
                9  { 'NewCredentials (local impersonation process under existing connection)' }
                10 { 'RDP' }
                11 { 'CachedInteractive' }
                default { "LogType Not Recognised: $($_.LogonType)" }
            }
        }}
 

CTClaude

New Member
Joined
Sep 5, 2019
Messages
4
Where'd you copy that from? ;)

From some other site, haha... it works great. I'm busy looking at the config of Windows; my feeling is that they limited the amount of logs kept.
Hard to figure out stuff if there is no documentation or somebody telling you what is what.
So as I go, I document. A bit painful, but it will help the auditors and the next IT person who takes over.
 

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,333
Remove -after (Get-Date -hour 0 -minute 0 -second 0) from the first line, then you'll get an output.

Just don't run it on a DC. For a smallish server you don't have to restrict it with the -After switch when the logs are small.
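A version of the query that covers the two-month window and also checks whether the Security log even reaches back that far, as an added example that is not code from the thread. It assumes an elevated PowerShell session on the RDP server itself and that the output path C:\RdpLogons-last2months.csv is writeable.

```powershell
# Added example (not from the thread): list RDP (logon type 10) logons in the
# last two months with Get-WinEvent, which filters by StartTime in the log
# query instead of reading every record the way Get-EventLog does.
# Run from an elevated session on the RDP server itself.

$since = (Get-Date).AddMonths(-2)

# First check how much history the Security log actually holds. If the oldest
# record is newer than $since, log size or retention is the real problem.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
'Security log: {0:N0} MB max, {1} records, oldest record {2}' -f `
    ($log.MaximumSizeInBytes / 1MB), $log.RecordCount, $oldest.TimeCreated

# Event 4624 = successful logon. Logon type 10 = RemoteInteractive (RDP).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue   # no error when nothing matches

$rdpLogons = foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than regex
    # over Message; the message text is locale-dependent, the field names are not.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.LogonType -ne '10') { continue }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        ClientIP = $data.IpAddress
    }
}

# One row per user with that user's most recent RDP logon, newest first.
$rdpLogons |
    Sort-Object Time -Descending |
    Group-Object User |
    ForEach-Object { $_.Group[0] } |
    Export-Csv C:\RdpLogons-last2months.csv -NoTypeInformation
```

Drop the Group-Object and ForEach-Object stages if you want every logon rather than just the latest per user.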
 