Reporting on logon Event IDs 4624 and 7001 with PowerShell

Find users who have physically logged on to a machine (Event ID 7001)

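<#
.SYNOPSIS
Lists Winlogon logon/logoff notifications (System log, Event IDs 7001 and 7002)
for one or more computers.

.PARAMETER ComputerName
Computer name(s) to query. Defaults to the local machine. Alias: CN.

.OUTPUTS
One object per event with the properties User, Action, Time and MachinenName.

.NOTES
Relies on Get-EventLog, which is part of Windows PowerShell.
#>
param(
    [alias("CN")]
    $ComputerName = "localhost"
)

# ReplacementStrings[1] carries the user's SID. Translate() throws when the SID
# cannot be resolved (deleted account, unreachable domain); Select-Object would
# then emit an empty User column, hiding exactly the entries an investigator
# most wants to see. Fall back to the raw SID string instead.
$UserProperty = @{n = "User"; e = {
        $sid = $_.ReplacementStrings[1]
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount])
        }
        catch {
            $sid
        }
    }
}

# 7001 = logon notification; after the filter below the only other ID is 7002 (logoff).
$TypeProperty = @{n = "Action"; e = { if ($_.EventID -eq 7001) { "Logon" } else { "Logoff" } } }
$TimeProperty = @{n = "Time"; e = { $_.TimeGenerated } }
# Column name keeps its original spelling so existing consumers of the output still match.
$MachineNameProperty = @{n = "MachinenName"; e = { $_.MachineName } }

foreach ($computer in $ComputerName) {
    Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer |
        # Only 7001/7002 carry the layout read above; any other Winlogon event
        # would otherwise be reported as a "Logoff" with a bogus user.
        Where-Object { 7001, 7002 -contains $_.EventID } |
        Select-Object $UserProperty, $TypeProperty, $TimeProperty, $MachineNameProperty
}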

Find users who have authenticated with different logon types (Event ID 4624)

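# Report successful logons (Security log, Event ID 4624) from the last 10 days:
# account name, time written, logon type and source address.
# Reading the Security log normally requires an elevated session.
#
# $login is assigned from the pipeline rather than grown with "+=", so results
# from an earlier run in the same session cannot leak into this report.
[array] $login = @(
    Get-EventLog -ComputerName "localhost" -LogName 'Security' -InstanceId 4624 -After (Get-Date).AddDays(-10) |
        ForEach-Object {
            # Index positions follow the 4624 event layout.
            [pscustomobject] @{
                account = $_.ReplacementStrings[5]    # TargetUserName
                time    = $_.TimeWritten
                type    = $_.ReplacementStrings[8]    # LogonType, e.g. 2 interactive, 3 network, 10 remote interactive
                ip      = $_.ReplacementStrings[18]   # IpAddress; "-" or loopback for local logons
            }
        }
)

$login | Format-Table -AutoSize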