Powershell to output audited domain logons


  • Powershell to output audited domain logons

    Hi guys,

    I'm trying to get a PowerShell command to output event ID 4624 to a CSV so I can easily see what time users logged on. My current script is

    Code:
    $filterXml = '<QueryList>
       <Query Id="0" Path="Security">
         <Select Path="Security">
    *[System[(EventID="4624")]]
    and
    *[EventData[Data[@Name="LogonType"]
    and
    (Data="2" or Data="3")]]
    or
    *[System[(EventID="4624")]]
    </Select>
       </Query>
     </QueryList>'
     Get-WinEvent -FilterXml $filterXml | export-csv D:\Exports\Monday.csv
    But I can't get it to display the domain account username - would anyone be kind enough to assist please?

    Thank you

  • #2
    Re: Powershell to output audited domain logons

    This would be easier

    Code:
    Get-EventLog -LogName Security -instanceID 4624 | Export-Csv c:\temp\test.csv
    It will list the username, if there is one provided in the log.

    I have tested on my local PC and no username was logged so none was available.



    • #3
      Re: Powershell to output audited domain logons

      The issue with that code was that it didn't seem to display the last logon and also the output file was huge. I'm experimenting with my code and this seems to work

      Code:
       import-module ActiveDirectory
       Get-ADUser -Filter * -Property LastLogonTimestamp | Select SamAccountName,DistinguishedName,@{Name='Last Logon';Expression={$_.LastLogonTimeStamp.ToString()}} | Export-CSV d:\Exports\Export1.csv -NoTypeInformation
      I then use a formula within Excel to convert the date to a readable format. The only issue is the output is incorrect - it's showing accounts that last logged in say 1/7/2013 when they have logged in today 03/07/2013

      Any ideas why this would be?

      Thanks



      • #4
        Re: Powershell to output audited domain logons

        Short answer is not all logons are logged. This should shed some light on why you see the results you are getting:

        http://blogs.technet.com/b/askds/arc...-it-works.aspx
        Last edited by userPrincipalName; 3rd July 2013, 19:52.
        Rules of life:
        1. Never do anything that requires thinking after 2:30 PM
        2. Simplicity is godliness
        3. Scale with extreme prejudice


        I occasionally post using a savantphone, so please don't laugh too hard at the typos...



        • #5
          Re: Powershell to output audited domain logons

          Originally posted by userPrincipalName
          Short answer is not all logons are logged. This should shed some light on why you see the results you are getting:

          http://blogs.technet.com/b/askds/arc...-it-works.aspx

          Yeah thanks I read that after posting

          So, and maybe this isn't for this section of the forum. Getting a reliable up to date report of some description - any suggestions please?

          I know I can use the logon script method to update a text file, but I'm trying to capture VPN connections so the user won't necessarily run the script as they'll use cached credentials and then connect using the VPN to access some network resources?

          Thanks guys



          • #6
            Re: Powershell to output audited domain logons

            Originally posted by 5habbaranks
            Yeah thanks I read that after posting

            So, and maybe this isn't for this section of the forum. Getting a reliable up to date report of some description - any suggestions please?

            I know I can use the logon script method to update a text file, but I'm trying to capture VPN connections so the user won't necessarily run the script as they'll use cached credentials and then connect using the VPN to access some network resources?

            Thanks guys

            Logon scripts and text files in the SYSVOL folder.



            • #7
              Re: Powershell to output audited domain logons

              You could try scraping security logs.....


              • #8
                Re: Powershell to output audited domain logons

                Originally posted by userPrincipalName
                You could try scraping security logs.....

                That's pretty much what the PowerShell script I gave him did.

                You could remove the filters but expect a huge number of entries, if there are that many in your Event Logs lol.
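
Added example (not part of the thread): the account name the first post is missing sits in the 4624 event's EventData fields, so one way to get it into the CSV is to parse each record's XML and keep the LogonType 2/3 filter server-side to limit the volume. The 24-hour window, the output path, the function name and the skipping of computer accounts are assumptions.

```powershell
# Added example, not code from the thread. Run elevated where the Security log holds the 4624 events.
$outFile = 'D:\Exports\Logons.csv'   # hypothetical output path

# Server-side filter: event 4624 from the last 24 hours (86400000 ms, an assumed window)
# with LogonType 2 (interactive) or 3 (network), as in the first post.
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 86400000]]] and " +
         "*[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='3']]"

function ConvertTo-LogonRecord {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record
    )
    process {
        # The user name is not a top-level property of the record; it is one of the
        # named <Data> elements under <EventData>, so index those by their Name attribute.
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Domain      = $data['TargetDomainName']
            User        = $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            LoggedOn    = $Record.MachineName   # machine that recorded the event
        }
    }
}

Get-WinEvent -LogName Security -FilterXPath $xpath |
    ConvertTo-LogonRecord |
    Where-Object { $_.User -notlike '*$' } |   # assumption: drop computer accounts
    Sort-Object TimeCreated |
    Export-Csv -Path $outFile -NoTypeInformation
```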



                • #9
                  Re: Powershell to output audited domain logons

                  The script below is reading the lastLogon property. It connects to every dc for it and collects only the most recent date and time of each user.

                  Code:
                  function Get-ADUserLastLogon([string]$userName)
                  { # "http://technet.microsoft.com/en-us/library/dd378867(v=ws.10).aspx"
                    # lastLogon is not replicated between DCs, so query each one and keep the newest value.
                    $time = 0
                    foreach($dc in $dcs)
                    {
                      $hostname = $dc.HostName
                      $user = Get-ADUser $userName | Get-ADObject -Server $hostname -Properties lastLogon
                      if($user.LastLogon -gt $time)
                      {
                        $time = $user.LastLogon
                        $AuthDC = $hostname
                      }
                    }
                    # lastLogon is stored as a FILETIME value; convert it to a local DateTime.
                    $dt = [DateTime]::FromFileTime($time)
                    Write-Host $userName "last logged on at:" $AuthDC $dt
                  }
                  
                  Import-Module ActiveDirectory
                  $dcs = Get-ADDomainController -Filter {Name -like "*"}
                  $arrNames = Get-ADUser -Filter * -SearchBase "ou=users,ou=Mycompany,dc=domain,dc=local" | foreach { $_.sAMACcountName} | Sort
                  
                  foreach($usr in $arrNames) {Get-ADUserLastLogon -UserName $usr}
                  /Rems
                  Last edited by Rems; 18th July 2013, 10:41.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts
