Reporting on Event ID ( logon ) 4624 and 7001 with Powershell

Find users who have physically logged into a machine 7001

param(
    [alias("CN")]
    $ComputerName="localhost"
)

$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
$MachineNameProperty = @{n="MachinenName";e={$_.MachineName}}

foreach ($computer in $ComputerName) {
    Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer | select $UserProperty,$TypeProperty,$TimeProperty,$MachineNameProperty
}

Find users who have authenticated with different login types

get-eventlog -ComputerName "localhost" -logname 'security' -instanceid 4624 -after (get-date).adddays(-10) | % {
 
    [array] $login += [pscustomobject] @{
    
        account = $_.replacementstrings[5]
        time = $_.timewritten
        type = $_.replacementstrings[8]
        ip = $_.replacementstrings[18]
}}
 
$login | ft -auto 
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: +1 (from 1 vote)

Trackback from your site.