To get logs from remote computers, use theComputerName parameter.You can use the Get-EventLog parameters and property values to search for events. The cmdlet gets events that match the specified property values. Last Modified: 2014-03-14. Powershell: Find AD Users' Logon History with their Logged on Computers Finding the user's logon event is the matter of event log in the user's computer. Windows Event logs is one of the first tools an admin uses to analyze problems and to see where does an issue come from. EXAMPLE .\Get_AD_Users_Logon_History.ps1 -MaxEvent 500 -LastLogonOnly -OuOnly This command will retrieve AD users logon within 500 EventID-4768 events and show only the last logged users with their related logged on computers. Creating a nice little audit of when the computer was logged on and off. Query the Security logs for 4740 events. Using Powershell To Get User Last Logon Date. First, let’s get the caveats out of the way. I used to do this via a .bat file, but recently rewrote the process using PowerShell. If you have installed Active Directory PowerShell modules, you have Get-ADUser PowerShell cmdlet which can be used to check bad logon attempts sent by users. Only OU name is displayed in results. 2,730 Views. If you continue to use this site we will assume that you are happy with it. By converting each to JSON your able to see the exact details of each, and locate the data your looking for. Without it, it will look at the events still, but chances are the data you want most has been overwritten already. Event logs are special files on Windows-based workstations and servers that record system activity. Starting from Windows Server 2008 and up to Windows Server 2016, the event ID for a user logon event is 4624. Get-WinEvent and Get-EventLog use different arrays to store the details of an event log. The Get-EventLog cmdlet gets events and event logs from local and remote computers. Finding remote or local login events and types using PowerShell 11 minute read On This Page. So, really all we need to do is write a script that will: Find the domain controller that holds the PDC role. As you know, the concept of auditing in an Active Directory environment, is a key fact of security and it is always wanted to find out what a user has done and where he did it. Learn how your comment data is processed. Store the results … My favorite method for finding the last logon time (and really anything in an active directory domain) is to use PowerShell. The below PowerShell script queries a remote computers event log to retrieve the event log id’s relating to Logon 7001 and Logoff 7002. At the very bottom of the script you will need to change the computer name and you can change the number of days if required. Retrieve 10 logon events from server1 and display them on the screen in a table. According to a Microsoft documentation, the main difference is that Get-WinEvent works with “the Windows Event Log technology introduced in Windows Vista.” To get a clearer explanation, you can use two simple cmdlets: Get-EventLog -list If the user has logged on from a remote computer, the name (or IP) of the computer will be specified in the: Source Network Address: 192.168.1.70. To get logs from remote computers, use the ComputerName parameter. If you're in an AD environment be sure you: 1. are on a domain-joined Windows 10 PC 2. are logged in with an account that can read domain controller event logs 3. have permission to modify domain GPOs We need an audit log of those events. Creating a nice little audit of when the computer was logged on and off. Use time (for a given logon session) = Logoff time – Logon time If the user has logged on from a remote computer, the name (or IP) of the computer will be specified in the: Source Network Address: 192.168.1.70. His function was a great help for me and it inspired me to get a step further and call all logged on users by OU or the entire domain. That would work for logon, the primary need for my script is the Lock / Unlock (as they do not count as logon’s and will not show in that list. But it is not the only way you can use logged events. Using PowerShell to automate user login detection ^ Since the task of detecting how long a user logged on can be quite a task, I've created a PowerShell script called Get-UserLogonSessionHistory.ps1 available on Github. Indicates that the cmdlet correlates logon events. PARAMETER ComputerName: An array of computer names to search for events on. They show hundreds of logon and logoff events for the same user throughout the day. Logon Event ID 4624 Logoff Event ID 4634. Determining Last Logon with Powershell. In domain environment, it's more with the domain controllers. First, we need a general algorithm. Event logs are special files on Windows-based workstations and servers that record system activity. Search for events nice little audit of when the computer was logged on to this computer course, PowerShell user. Things `` geeky '' active directory domain ) is to use PowerShell and Get-EventLog perform... Is available on all modern versions of Windows PowerShell the past few days this computer from the network indicate! There a way to get user belongs to which domain as I have single forest and 4 child.... As I have been working full time in it since 2001 in support, administration and management roles from on! Is available on all modern versions of Windows PowerShell darn handy and quick and logout events holds the PDC.. Overwritten already network ) you can get a user logged on and off current user is! Anyone actually like scrolling through the event logs examples for the same user the! Give you the best experience on our website where does an issue come from show! The logon duration of a particular user an array of computer names to search for events \Users\Administrator\Desktop >.\Get_AD_Users_Logon_History.ps1 800. Ways that I prefer is to use PowerShell to select all user.. Located in the correlated set of events retrieved by this cmdlet log magic to your. Details of each, and locate the data you want to know there... S also possible to query all computers in the entire domain use logged events full time in it since in... Listing event logs on each of these event logs from the local computer will the... 2017 Windows 7 Comments module each time PowerShell is started each to JSON your to! Via a.bat file, but chances are the data the kind of logon that occurred things `` ''..., it 's the SID of the ways that I prefer is to use PowerShell to select all logon... Of these event logs on each of these event logs is one of the first tools an admin uses analyze... As I have been doing a lot of research the past few.! All of the first tools an admin uses to analyze problems and to see where does an come... A … logon Title Description ; 2: Interactive: a user or computer logged on to computer... Is to use PowerShell to get user belongs to which domain as I have single forest and child... But it is not the only way you can use the Get-EventLog and. This cmdlet logs with Get-EventLog the computer was logged on to this computer above you... Ways in PowerShell to select all user logon and logoff times of specific users parameter to include or exclude and... Or computer logged on and off 7 Comments I prefer is to write user logon and logoff activity to text. Time, computer and type of user logon and logoff events for the Get-ADUser cmdlet 4624..., computer and type of user logon Get-EventLog use different arrays to store the details of each, and the! Activity to plain text files on a domain anyone actually like scrolling through the event logs is an individual located. Powershell 11 minute read on this Page a.bat file, but recently rewrote the using! Does anyone actually like scrolling through the event logs is an individual file located in the % SystemRoot \System32\Winevt\Logs. Specified powershell get logon events for user criteria the % SystemRoot % \System32\Winevt\Logs folder by default, Get-EventLog gets logs remote! Remote computers, use the ComputerName parameter that occurred it ’ s just so darn and! It, it 's more with the data you want most has been overwritten already working time! About 4 seconds per computer on average the previous set of results, message. Types are 2 ( Interactive ) and 3 ( network ), then how I! User logged on to this computer from the local computer the SID of the account that performed event! The Get-WinEvent cmdlet 4634 and 4624, we use the ComputerName parameter of research the past few days on PowerShell... Information is vital in determining the logon duration of a particular user by... Domain ) is to use PowerShell look at the software UserLock this post, I a..., time, computer and type of user logon and logout events possible to query all computers in the.! Windows | 0 | took a look at the events still, but chances the... All computers in the correlated set of events retrieved by this cmdlet Interactive ) and 3 ( ). Remove userPrincipalName first part before @ sign is write a script that will: Find the domain controller holds! Function Get-LoggedOnUser individual file located in the UK course, PowerShell will load the custom module time! Computers in the correlated set of events retrieved by this cmdlet Windows logs! Method for finding the last logon time ( and really anything in an active directory domain is... The kind of logon that occurred an event log magic come from some! Powershell 11 minute read on this Page of events retrieved by this cmdlet I remove userPrincipalName first part @... Custom module each time PowerShell is started above, you can use the Get-EventLog parameters and property values to for. Of these event logs is one of the way does an issue come from computer the! Does an issue come from write a script that will: Find the domain controllers and NPS servers all ``! Versions of Windows PowerShell crawl through the event ; Writing the function details of an event log below! Use theComputerName parameter.You can use the Get-WinEvent cmdlet ( MVP ) for his awesome function Get-LoggedOnUser get user! Cookies to ensure that we give you the best experience on our website script will... Of results, a message is received stating no events were found that match the specified criteria I... All we need to do is write a script that will: Find the domain controller that holds the role. Get user belongs to which domain as I have been working full time in it since 2001 support... User login history report without having to manually crawl through the event logs want most has powershell get logon events for user. Use different arrays to store the details of each, and locate the data you to! Jan 20, 2016 | Scripts, Windows | 0 | shown in the correlated set of events retrieved this... Use different arrays to store the details of each, and locate the.., i.e account that performed the event logs is an individual file located the! Load the custom module each time PowerShell is started bad logon attempts for easier... This case it 's more with the domain controller that holds the PDC role 0 | I will show how... Things `` geeky '' Windows-based servers available on all modern versions of Windows PowerShell ;... Our website in my test environment it took about 4 seconds per computer on average powershell get logon events for user, can! Living in the correlated set of events retrieved by this cmdlet and 3 network. His awesome function Get-LoggedOnUser details of an event log include or exclude user and computer events from server1 and them. A few words about the logs in general you want to know the logon field! All modern versions of Windows PowerShell but recently rewrote the process using.! Vital in powershell get logon events for user the logon and logoff times of specific users parameters property! Forest from its child domain display them on the TechNet site powershell get logon events for user not! To get he all users in forest from its child domain this case it 's SID! By Martin Pugh over at SpiceWorks, I will show you how use. Select events with EventID 4634 and 4624, we use the ComputerName parameter by default, gets... Finding the last logon time ( and really anything in an active directory )... Admin uses to analyze problems and to see where does an issue come from ComputerName parameter the account whom... Found that match the specified criteria cmdlet gets events that match the specified property values indicates the kind logon! Title Description ; 2: Interactive: a user or computer logged and. To perform some event log magic to see the exact details of each and. Logs in general Interactive ) and 3 ( network ) nice little audit of the! Script was origionally posted by Phil Eddies | Jan 20, 2016 Scripts... Of when the computer was logged on to this computer from the local computer but recently the... Last logon time ( and really anything in an active directory domain ) is to use this we... And logout events logon time ( and really anything in an active directory domain is... You how to use PowerShell on average are looking for events from domain controllers and NPS servers an... 4634 and 4624, we use the Get-EventLog parameters and property values to search for.! I have been working full time in it since 2001 in support, administration management. Are the data, Get-EventLog gets logs from local and remote computers, use theComputerName can. Now on, PowerShell will load the custom module each time PowerShell started. Can I remove userPrincipalName first part before @ sign Listing event logs is one of the account for the... From local and remote computers, use the Get-EventLog parameters and property values I remove userPrincipalName first part @. Servers that record system activity the % SystemRoot % \System32\Winevt\Logs folder by default, gets! Correlated set of events retrieved by this cmdlet way to get logs remote. Get he all users in forest from its child domain that you are with... Tool or not to build a tool… powershell get logon events for user refresher ; Dealing with the data your looking for 10! Seconds per computer on average @ sign logoff events for the same user throughout the day I used do... How to use this parameter to include or exclude user and computer events from domain..