confuseis

Forum Replies Created

    confuseis
    Participant
    in reply to: Detect interactive login's #618205

    Hi

    I've enabled the group policy to audit the logon events, and afterwards I'm able to get the logon detail from PowerShell on the workstation, including logon type 2, representing the interactive logon.

    using:

    $Event = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).Date} | Where-Object {$_.Properties[8].Value -eq 2}

    When I run the script on the server, however, I don't see that it is aware of the workstation login, and I cannot find the same result there.

    The idea is to have visibility of all workstation logins.

    Would I be correct in assuming the logs are only held on the workstation itself and not passed to the DC?

    If that is so, then would the best strategy be to query the log info remotely against each workstation?

    So PowerShell has to fetch from each and every workstation, not from the DC?
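
Added example, not part of the original post: the post's event 4624 / logon type 2 query run against each workstation's own Security log with `Get-WinEvent -ComputerName`, collecting the results on the machine that runs the script. The computer names in `$Workstations` are constructed placeholders, and the sketch assumes the caller may read the remote Security log and that remote event log access is allowed through each workstation's firewall.

```powershell
# Added example. $Workstations holds constructed placeholder names; replace
# them with real computer names (for instance, from an inventory list).
$Workstations = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02')

# Same filter as in the post: successful logons (4624) since midnight today.
$Filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).Date }

$Results = foreach ($Computer in $Workstations) {
    try {
        Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop |
            # Properties[8] is LogonType; 2 = interactive (console) logon.
            Where-Object { $_.Properties[8].Value -eq 2 } |
            ForEach-Object {
                [pscustomobject]@{
                    Workstation = $Computer
                    TimeCreated = $_.TimeCreated
                    Domain      = $_.Properties[6].Value   # TargetDomainName
                    User        = $_.Properties[5].Value   # TargetUserName
                    LogonType   = $_.Properties[8].Value
                }
            }
    }
    catch {
        # Reached when the host is offline, access is denied, the firewall
        # blocks remote event log access, or no event matches the filter.
        Write-Warning "${Computer}: $($_.Exception.Message)"
    }
}

# One combined view across all workstations that answered.
$Results | Sort-Object TimeCreated | Format-Table -AutoSize
```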
