Gianni
Posted February 26, 2019

Is there an AD way to search if and where (the hostname) a userid is logged on (or on what host it was last logged on)? Thanks

Chimp
small minds discuss people
average minds discuss events
great minds discuss ideas
.... and use AutoIt....

FrancescoDiMuro
Posted February 26, 2019
Edited February 26, 2019 by FrancescoDiMuro

Hey @Chimp
Maybe something like this?

Gianni (Author)
Posted February 26, 2019
Edited February 26, 2019 by Chimp

Hi Francesco, thanks for your reply. That post (if I'm not wrong) seems to show how, given a computer or a list of computers, to get the users that are logged on to those PCs (the search is computer based). I was instead wondering if there is a reverse way, that is, I pass the username and I get the host name(s).

p.s. It seems not easy to translate that script to AutoIt.

FrancescoDiMuro
Posted February 26, 2019
Edited February 26, 2019 by FrancescoDiMuro

@Chimp
So this may be the answer

Gianni (Author)
Posted February 26, 2019

.... that video seems to show how to see (from a Windows Server environment, not a Windows client workstation) the date/time a user last logged on (still not the hostname of the workstation where he/she is now logged on....)

Subz
Posted February 26, 2019

There is no native way of searching AD and finding the last computer logged into or currently logged into. However, years ago I wrote a simple logon script that would log each computer the user logged on to using ini format: the user was the section name, the computer name the value, and the logon time the data. We then started using Lansweeper, which includes this information by default, so I can type in any user and find the list of computers that they have logged into, the logon time, etc.

AdamUL
Posted February 26, 2019

Here is a PowerShell script that I have been using. It uses event logs to find users that have logged on and off through the local console and RDP, with the time, while writing them to a nice CSV file. This does require you to specify a computer name or multiple names. If you do not specify a start time, it will pull all the records on the computer. I found it here: https://gallery.technet.microsoft.com/Remote-Desktop-Connection-3fe225cd.

RDPConnectionParser.ps1

```powershell
<#

.SYNOPSIS
This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native Windows Event Viewer.

Version: November 9, 2016

.DESCRIPTION
This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native Windows Event Viewer.

NOTE: Despite this log's name, it includes both RDP logins as well as regular console logins too.

Author:
Mike Crowley
https://BaselineTechnologies.com

.EXAMPLE

.\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime "November 1"

.LINK
https://MikeCrowley.us/tag/powershell

#>

Param(
    [array]$ServersToQuery = (hostname),
    [datetime]$StartTime = "January 1, 1970"
)

foreach ($Server in $ServersToQuery) {

    # Session events to pull from each computer's LocalSessionManager log
    $LogFilter = @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        ID = 21, 23, 24, 25
        StartTime = $StartTime
    }

    $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server

    # Read user and source address from each event's XML payload
    $AllEntries | Foreach {
        $entry = [xml]$_.ToXml()
        [array]$Output += New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            User = $entry.Event.UserData.EventXML.User
            IPAddress = $entry.Event.UserData.EventXML.Address
            EventID = $entry.Event.System.EventID
            ServerName = $Server
        }
    }
}

# Translate the numeric event ID into a readable Action column
$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
        if ($_.EventID -eq '21'){"logon"}
        if ($_.EventID -eq '22'){"Shell start"}
        if ($_.EventID -eq '23'){"logoff"}
        if ($_.EventID -eq '24'){"disconnected"}
        if ($_.EventID -eq '25'){"reconnection"}
    }
}

$Date = (Get-Date -Format s) -replace ":", "."
# $FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv"
$FilePath = "$Date`_RDP_Report.csv"
$FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation

Write-host "Writing File: $FilePath" -ForegroundColor Cyan
Write-host "Done!" -ForegroundColor Cyan

#End
```

Example running it.

```powershell
Powershell -ExecutionPolicy Unrestricted -File .\RDPConnectionParser.ps1 -ServersToQuery Server1
```

Adam

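Added example (not part of any post above, and not Mike Crowley's code): the reverse lookup asked about in the thread, run over rows shaped like the CSV that RDPConnectionParser.ps1 writes. The function name Get-UserLogonHost, the CONTOSO domain, and the host and user names are assumptions made up for the illustration.

```powershell
# Constructed sample rows with the same columns as the script's CSV report.
$SampleCsv = @'
"TimeCreated","User","ServerName","IPAddress","Action"
"2019-02-26 08:01:12","CONTOSO\jdoe","PC-017","LOCAL","logon"
"2019-02-26 12:30:40","CONTOSO\jdoe","PC-017","LOCAL","logoff"
"2019-02-26 12:45:03","CONTOSO\jdoe","SRV-APP01","10.0.4.21","logon"
"2019-02-26 13:10:55","CONTOSO\jdoe","SRV-APP01","10.0.4.21","disconnected"
"2019-02-26 13:15:09","CONTOSO\asmith","SRV-APP01","10.0.4.33","logon"
"2019-02-26 14:02:47","CONTOSO\jdoe","PC-022","LOCAL","logon"
'@

function Get-UserLogonHost {
    # Hypothetical helper: one row per host the user touched, newest first.
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [Parameter(Mandatory)] [string]$UserName
    )
    $Records |
        # Compare the account part only, so DOMAIN\name and bare name both match
        Where-Object { ($_.User -split '\\')[-1] -eq $UserName } |
        Group-Object ServerName |
        ForEach-Object {
            $group = $_
            # The most recent event on this host decides the session state
            $last = $group.Group | Sort-Object { [datetime]::Parse($_.TimeCreated) } | Select-Object -Last 1
            $state = switch ($last.Action) {
                'logon'        { 'active' }
                'reconnection' { 'active' }
                'disconnected' { 'disconnected' }
                'logoff'       { 'logged off' }
                default        { 'unknown' }
            }
            [pscustomobject]@{
                User       = $last.User
                ServerName = $group.Name
                LastSeen   = [datetime]::Parse($last.TimeCreated)
                LastAction = $last.Action
                State      = $state
                Source     = $last.IPAddress
            }
        } |
        Sort-Object LastSeen -Descending
}

$rows = $SampleCsv | ConvertFrom-Csv
Get-UserLogonHost -Records $rows -UserName 'jdoe' | Format-Table -AutoSize
```

With a real report, replace the sample with `Import-Csv` on the generated file. The result only covers the computers that were passed to `-ServersToQuery`, so a host that was never queried will not appear.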