Windows Powershell

CTClaude

Hi everyone,
I hope I explain myself clearly.
I have a server (remote server) that 100+ users connect to. We have moved over to a web app, so there is no need for RDP connections.
I want to run a PowerShell script to see who has logged on to the RDP server in the last two months. A timestamp and name will be sufficient.
Thanks in advance
 
And this is not something available via a Google search..?


There is a starting point..
 

I have searched a lot, and it seems to come down to pinpointing the exact wording. I can generate a list of all the computers that logged on, but I can't get the date working. I only get the last 24 hours for some reason, and I would like two months of info.
Thanks for your reply, much appreciated
 
I use a script to audit last logon date of RDP users.
Remind me tomorrow, I'll paste it here.
 
There's also a Terminal Service module that makes it a lot easier to access.

It is archived so I assume the author is no longer maintaining the module, however it is still very useful.

I used to use it to admonish admins who left their terminal sessions running unnecessarily.
 
# List the local user accounts via the WinNT provider, with the last logon time Windows recorded for each
$([ADSI]"WinNT://$env:COMPUTERNAME").Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    Select-Object @{l='Name';e={$_.Name}}, @{l='LastLogin';e={$_.LastLogin}} |
    Export-Csv C:\LastLogon.csv -NoTypeInformation
 
That would also count the logon through the website should it be hosted on the same server.
Perhaps search the event log for Logon Type 3?
Not sure what logon via website would generate.
 
Thanks for the above. This only gives me the 4 user accounts allowed. I am new at the company and still trying to find my feet, working out what is where.
In short: an application resides on the local drive (RDP server). On a separate VM on the DC, the 100-odd users are listed in an AD group. Only this group is added on the RDP server.

I have the script below, but it is just the date portion I am struggling with.

# Read today's Security events (Get-Date with hour/minute/second zeroed is midnight today,
# which is why this only ever shows the last 24 hours) and keep 4624/4778 entries whose
# message text says Logon Type 10 (RDP). Note that 4778 (session reconnect) messages carry
# no "Logon Type" line at all, so the -match below drops them.
Get-EventLog -LogName Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) |
    Where-Object { (4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s' } |
    ForEach-Object {
        # Scrape the fields out of the message text. The greedy .* keeps the last match,
        # i.e. the "New Logon" block of a 4624 rather than the "Subject" block.
        New-Object -TypeName PSObject -Property @{
            TimeGenerated = $_.TimeGenerated
            ClientIP      = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1'
            UserName      = $_.Message -replace '(?smi).*Account Name:\s+([^\s]+)\s+.*','$1'
            UserDomain    = $_.Message -replace '(?smi).*Account Domain:\s+([^\s]+)\s+.*','$1'
            LogonType     = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'
        }
    } |
    Sort-Object TimeGenerated -Descending |
    Select-Object TimeGenerated, ClientIP,
        @{N='Username';E={'{0}\{1}' -f $_.UserDomain,$_.UserName}},
        @{N='LogType';E={
            # Inside switch, $_ is the value being tested (the logon type string)
            switch ($_.LogonType) {
                2  {'Interactive - local logon'}
                3  {'Network (connection to shared folder)'}
                4  {'Batch'}
                5  {'Service'}
                7  {'Unlock (after screensaver)'}
                8  {'NetworkCleartext'}
                9  {'NewCredentials (local impersonation process under existing connection)'}
                10 {'RDP'}
                11 {'CachedInteractive'}
                default {"LogType Not Recognised: $_"}
            }
        }}
 
Where'd you copy that from? ;)


From some other site. haha... it works great. I am busy looking at the Windows config. My feeling is that they limited the amount of logs kept.
Hard to figure out stuff if there is no documentation or somebody telling you what is what.
So as I go, I document. A bit painful, but it will help the auditors and the next IT person who takes over.
 
Remove -after (Get-date -hour 0 -minute 0 -second 0) from the first line, then you'll get output.

Just don't run it on a DC. For a smallish server you don't have to restrict it with the -After switch when the logs are small.
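Added example, not code from this thread or any of its posters: a script that does what the thread is after, pulling two months of RDP logons on the server itself. It assumes it is run elevated on the RDP server and that success auditing for the Logon subcategory is enabled; the output path C:\RdpLogons-last2months.csv is a placeholder. Besides the Security 4624 / logon type 10 query it also reads the TerminalServices-LocalSessionManager/Operational log (events 21 and 25), which is small and RDP-only and so usually reaches back further than Security does on a busy server, and it checks the Security log's retention first, since a rolled-over log is the usual reason a query only returns today's events.

```powershell
# Added example (not from the thread). Assumes: elevated session on the RDP
# server; "Audit Logon" success auditing enabled (check: auditpol /get /subcategory:Logon).
# If that audit setting is off, the Security query is empty, which must not be
# read as "nobody logged on".

$Since = (Get-Date).AddMonths(-2)

# Retention check before trusting any result: if the oldest surviving Security
# record is newer than $Since, the log has rolled over and the answer is partial.
$secLog = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
'Security log: {0:N0} MB max, {1:N0} records, oldest record {2}' -f ($secLog.MaximumSizeInBytes / 1MB), $secLog.RecordCount, $oldest.TimeCreated
if ($oldest.TimeCreated -gt $Since) {
    Write-Warning "Security log only reaches back to $($oldest.TimeCreated); earlier RDP logons are gone."
}

# Source 1: Security 4624 with LogonType 10 (RemoteInteractive = RDP).
# The XPath filter is evaluated by the event log service, so only matching
# events cross the pipe; far cheaper than Get-EventLog plus a regex on Message.
$ms = [long]((Get-Date) - $Since).TotalMilliseconds
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
         " and EventData[Data[@Name='LogonType']='10']]"
$fromSecurity = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields instead of regexing the message text:
        # 4624 has two "Account Name" lines (Subject and New Logon) and a greedy
        # regex silently picks one of them.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            ClientIP = $d.IpAddress
            Source   = 'Security 4624/10'
        }
    }

# Source 2: the Remote Desktop session log. 21 = session logon succeeded,
# 25 = session reconnection succeeded. Its entries live under UserData, not EventData.
$tsLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$fromTs = Get-WinEvent -FilterHashtable @{ LogName = $tsLog; Id = 21, 25; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $u.User          # already DOMAIN\user, same shape as above
            ClientIP = $u.Address
            Source   = "TS LocalSessionManager $($_.Id)"
        }
    }

# Merge both sources and keep the most recent logon per account; the question
# was "who logged on in the window", not every session they opened.
$all = @($fromSecurity) + @($fromTs) | Sort-Object Time -Descending
$latestPerUser = $all | Group-Object User | ForEach-Object { $_.Group[0] }
$latestPerUser | Export-Csv C:\RdpLogons-last2months.csv -NoTypeInformation   # placeholder path
$latestPerUser | Format-Table Time, User, ClientIP, Source -AutoSize
```

Two things to keep in mind when reading the output. With Network Level Authentication an RDP connection first writes a 4624 with logon type 3 and only then the type 10 event, and reconnects to an existing session appear as type 7 or as 4778 (which has no Logon Type field at all), so the type 10 filter counts new RDP sessions rather than every time someone touched a session; the 21/25 events from the session log fill that gap. And compare the "oldest record" line with the start of the period you need before handing the CSV to the auditors: if the Security log is the only source that covers a user and it has rolled over, that user is simply missing.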