
Active Directory - Need to search where user is/was logged


Gianni

Hi francesco, thanks for your reply,

That post (if I'm not wrong) seems to show how, given a computer or a list of computers, to get the users that are logged on to those PCs (the search is computer-based). I was instead wondering if there is a reverse way, that is, I pass the username and I get the host name(s).
P.S. It seems not easy to translate that script to AutoIt.

Chimp

.... that video seems to show how to see (from a Windows Server environment, not a Windows client workstation) the date/time a user last logged on (still not the hostname of the workstation where he/she is now logged on....)

Chimp

There is no native way of searching AD and finding the last computer logged into or currently logged into. However, years ago I wrote a simple logon script that would log each computer the user logged on to, using INI format: the user was the section name, the computer name the value and the logon time the data. We then started using Lansweeper, which includes this information by default, so I can type in any user and it will find the list of computers that they have logged into, with the logon time, etc.

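The INI-based logon script described in the post above, reconstructed as an added example (this is not the poster's script, which is not on the page). It records user -> computer -> logon time on a share in the layout the post describes, and adds the reverse lookup the thread is asking for (username in, host names out). The share path \\fileserver\logons$, the one-file-per-user layout and the function names are assumptions.

```powershell
# Added example, not the poster's original script. Records which computer a
# user signs on to, in the INI layout the post describes ([username] section,
# COMPUTERNAME=<logon time>), and answers the thread's question in reverse:
# user -> host(s). Assumptions: \\fileserver\logons$ is a hypothetical share
# users can write to; one INI file per user so different users' logons never
# fight over the same file.

$LogonShare = '\\fileserver\logons$'          # assumption: hypothetical path
$TimeFormat = 'yyyy-MM-dd HH:mm:ss'

function Get-UserIniPath {
    param([Parameter(Mandatory)][string]$User)
    # Keep the file name to sAMAccountName-safe characters.
    $safe = ($User -replace '[^\w\.\-]', '_').ToLower()
    Join-Path -Path $LogonShare -ChildPath "$safe.ini"
}

function Read-LogonIni {
    param([Parameter(Mandatory)][string]$Path)
    $entries = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $entries }
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Only KEY=VALUE lines carry data; the [section] header and ; comments are skipped.
        if ($line -match '^\s*([^\[=;#][^=]*?)\s*=\s*(.*?)\s*$') {
            $entries[$Matches[1].ToUpper()] = $Matches[2]
        }
    }
    return $entries
}

function Write-UserLogon {
    # Call this from the GPO logon script; it runs as the user on the workstation.
    param(
        [string]$User     = $env:USERNAME,
        [string]$Computer = $env:COMPUTERNAME,
        [datetime]$When   = (Get-Date)
    )
    $path    = Get-UserIniPath -User $User
    $entries = Read-LogonIni -Path $path
    $entries[$Computer.ToUpper()] = $When.ToString($TimeFormat)   # last logon per computer wins

    $lines = @("[$User]") + @($entries.Keys | Sort-Object | ForEach-Object { "$_=$($entries[$_])" })
    # The same user signing on to two machines at once can race on the file; retry briefly.
    for ($try = 1; $try -le 5; $try++) {
        try {
            Set-Content -LiteralPath $path -Value $lines -Encoding UTF8 -ErrorAction Stop
            return
        } catch [System.IO.IOException] {
            Start-Sleep -Milliseconds (200 * $try)
        }
    }
    throw "Could not update $path after 5 attempts"
}

function Get-UserLogonHosts {
    # The reverse lookup: given a username, list the hosts and the last logon time on each.
    param([Parameter(Mandatory)][string]$User)
    $entries = Read-LogonIni -Path (Get-UserIniPath -User $User)
    foreach ($computer in ($entries.Keys | Sort-Object)) {
        [pscustomobject]@{
            User      = $User
            Computer  = $computer
            LastLogon = [datetime]::ParseExact($entries[$computer], $TimeFormat, $null)
        }
    }
}

# Hypothetical usage:
#   logon script:      Write-UserLogon
#   helpdesk console:  Get-UserLogonHosts -User jdoe | Sort-Object LastLogon -Descending
```

Treat this as a convenience, not evidence: the file is written by the user's own session on a share the user can modify, so anyone can forge or erase their own entries, and a user who skips the logon script (safe mode, local account, RDP with scripts disabled) leaves no record. For an answer that has to stand up in an investigation, use the domain controller's Security log.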

Here is a PowerShell script that I have been using. It uses event logs to find users that have logged on and off through the local console and RDP, with the time, and writes them to a nice CSV file. This does require you to specify a computer name or multiple names. If you do not specify a start time, it will pull all the records on the computer. I found it here: https://gallery.technet.microsoft.com/Remote-Desktop-Connection-3fe225cd.

RDPConnectionParser.ps1

<#
.SYNOPSIS
    Reads the "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" log from one or more
    servers and writes the session events (logon, logoff, disconnect, reconnect) to a CSV.

    Version: November 9, 2016

.DESCRIPTION
    This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from
    multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native
    Windows Event Viewer.

    NOTE: Despite this log's name, it includes both RDP logins and regular console logins.

    Author:
    Mike Crowley
    https://BaselineTechnologies.com

.EXAMPLE
    .\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime "November 1"

.LINK
    https://MikeCrowley.us/tag/powershell
#>

Param(
    [string[]]$ServersToQuery = (hostname),
    [datetime]$StartTime = "January 1, 1970"
)

# Session-state events written by the Local Session Manager:
#   21 logon, 22 shell start, 23 logoff, 24 disconnected, 25 reconnection
$ActionNames = @{ 21 = 'logon'; 22 = 'Shell start'; 23 = 'logoff'; 24 = 'disconnected'; 25 = 'reconnection' }

$Output = foreach ($Server in $ServersToQuery) {

    $LogFilter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        ID        = 21, 22, 23, 24, 25
        StartTime = $StartTime
    }

    # Remote queries need the "Remote Event Log Management" firewall rules enabled on the target.
    Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server | ForEach-Object {
        # The user and client address live in the event's UserData XML, not in the message properties.
        $entry = [xml]$_.ToXml()
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $entry.Event.UserData.EventXML.User
            ServerName  = $Server
            IPAddress   = $entry.Event.UserData.EventXML.Address
            Action      = $ActionNames[$_.Id]
        }
    }
}

$Date = (Get-Date -Format s) -replace ':', '.'
# $FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv"
$FilePath = "$Date`_RDP_Report.csv"
$Output | Sort-Object TimeCreated | Export-Csv $FilePath -NoTypeInformation

Write-Host "Writing File: $FilePath" -ForegroundColor Cyan
Write-Host "Done!" -ForegroundColor Cyan

#End

Example of running it:

Powershell -ExecutionPolicy Unrestricted -File .\RDPConnectionParser.ps1 -ServersToQuery Server1


Adam

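The script above is computer-based: you name the servers and get the users. The reverse question in this thread (name the user, get the hosts) can be answered from a single domain controller instead of every workstation, because each interactive logon in the domain produces Kerberos or NTLM traffic to a DC, and GPO processing normally adds a network logon (4624, type 3) to the DC as well. The following is an added example, not code from the thread or from the linked gallery script; DC01, the realm default and the function name are assumptions.

```powershell
# Added example, not code from the thread. Finds where a user is/was logged on
# from one domain controller's Security log instead of querying every
# workstation. Security events on the DC and the field that names the client:
#   4768 TGT requested     -> IpAddress = client
#   4769 service ticket    -> IpAddress = client, ServiceName = host account the ticket was for (WS01$)
#   4776 NTLM validation   -> Workstation = client name
#   4624 logon on the DC   -> WorkstationName + IpAddress = client (usually LogonType 3 from GPO processing)
# Assumptions: DC01 is a placeholder; the caller is in Event Log Readers (or an
# admin) on the DC; the Kerberos Authentication / Kerberos Service Ticket /
# Credential Validation / Logon audit subcategories are enabled there.

function Get-UserLogonSources {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$DomainController = 'DC01',                   # hypothetical
        [string]$Realm = "$env:USERDNSDOMAIN".ToUpper(),      # 4769 records the user as user@REALM
        [int]$Days = 7,
        [switch]$ResolveNames
    )
    # $User is spliced into XPath; refuse anything that could break out of the quotes.
    if ($User -notmatch '^[\w\.\-]+$') { throw "Unexpected characters in user name '$User'" }

    # Filter on the DC itself: pulling every 4624/4769 from a busy DC and filtering locally is not viable.
    $ms    = [int64]$Days * 86400000
    $xpath = "*[System[(EventID=4624 or EventID=4768 or EventID=4769 or EventID=4776) " +
             "and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data[@Name='TargetUserName']='$User' " +
             "or Data[@Name='TargetUserName']='$User@$Realm']]"

    # Get-WinEvent reports "no events found" as a non-terminating error; an empty result is not a failure here.
    $events = Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath `
                  -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">text</Data>; turn it into a hashtable.
        $d = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        $ip   = $d['IpAddress'] -replace '^::ffff:', ''       # IPv4 clients arrive as ::ffff:a.b.c.d
        $name = switch ($e.Id) {
            4776    { $d['Workstation'] }
            4624    { $d['WorkstationName'] }
            default { $null }
        }
        if (-not $name -and $ResolveNames -and $ip -and $ip -notin '-', '127.0.0.1', '::1') {
            # Best effort only: a DHCP lease may have moved since the event was written.
            try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            User        = $d['TargetUserName']
            ClientName  = $name
            ClientIp    = $ip
            Service     = $d['ServiceName'] -replace '\$$', ''   # 4769 only: which host the ticket was for
            LogonType   = $d['LogonType']                        # 4624 only
        }
    }
}

# Hypothetical usage: one row per client, newest first.
# Get-UserLogonSources -User jdoe -ResolveNames |
#     Sort-Object TimeCreated -Descending |
#     Group-Object ClientName, ClientIp |
#     ForEach-Object { $_.Group[0] } |
#     Format-Table TimeCreated, EventId, ClientName, ClientIp, Service, LogonType
```

Two caveats when reading the output. The client IP/name is where the user's session is; the Service column on 4769 is what that session talked to, so a user on WS01 mapping a drive on FS01 shows ClientIp = WS01 and Service = FS01. And a domain with several DCs spreads these events across all of them, so either run the function against each DC or point it at a central log collector; the XPath matches the account name as the DC wrote it, so pass the sAMAccountName the way it appears in AD.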
