PowerShell: Find computers a user has logged on to from Active Directory

This is a bit of an experimental script, and there may well be better/faster ways of doing this – feel free to comment if there are. Note that the results are not necessarily “interactive” logons – i.e. ones where the user logged on at the console or made a remote desktop connection. The user may simply have accessed a network resource on that machine, but the list should give you some places to start looking for more detail.

The script draws on two different events in the Security event log of each domain controller. Event 4624 (an account was successfully logged on) records a workstation IP address, which I pass to nslookup to try to get the computer name. Event 4776 (NTLM credential validation) gives a workstation name directly in the event message.

The very long piped commands are there so that you see results as they come in – if I had collected the Get-WinEvent output into a variable and then processed/displayed it from there, you could be waiting hours before anything appeared on screen!

$UserToFind = "someuser"
$StartTime = (Get-Date).AddMinutes(-90)
# Query every DC, since a user's logon may have been authenticated by any of them.
$DCs = Get-ADDomainController -Filter * | Sort-Object -Property Hostname
# Keyword 9007199254740992 (0x20000000000000) is "Audit Success" (use the numeric value, not the string).
$AuditSuccess = 9007199254740992
foreach($DC in $DCs){
    Write-Host ("Searching "+$DC.hostname)
    # 4624: pull the source IP out of the message text and reverse-resolve it to a computer name.
    Get-WinEvent -FilterHashtable @{logname="security"; id=4624; keywords=$AuditSuccess; starttime=$StartTime} -ComputerName $DC.Hostname `
     | Where-Object -Property Message -like "*$UserToFind*" | Select-Object -ExpandProperty Message | Select-String -Pattern "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" `
     | ForEach-Object {$_.Matches} | ForEach-Object {nslookup $_.Value}
    # 4776: the message carries the workstation name directly ("Source Workstation: NAME").
    Get-WinEvent -FilterHashtable @{logname="security"; id=4776; keywords=$AuditSuccess; starttime=$StartTime} -ComputerName $DC.Hostname `
     | Where-Object -Property Message -like "*$UserToFind*" | Select-Object -ExpandProperty Message | Select-String -Pattern "workstation(.)*" `
     | ForEach-Object {$_.Matches} | ForEach-Object {$_.Value}
}
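An added example (not the post's own script) of the same search done against the events' structured fields: it filters on the DC side with an XPath query instead of pulling every 4624 over the wire, reads IpAddress/WorkstationName/LogonType from the event XML instead of regex-matching the message text, and labels the 4624 logon type so interactive and network hits can be told apart. The user name, the 90-minute window and the helper function names are assumptions.

```powershell
# Added example, not the original post's script. $UserToFind, the window and
# the helper names (Get-EventDataField, Resolve-ClientName) are assumptions.
$UserToFind = "someuser"
$WindowMs   = 90 * 60 * 1000          # look back 90 minutes (XPath timediff is in ms)
$AuditSuccess = 9007199254740992      # Keywords bit for "Audit Success"

# Documented 4624 LogonType values; 2/10/11 are the "really sat at it" cases.
$LogonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock'
                 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

function Get-EventDataField {
    # Return one named EventData field (e.g. 'IpAddress') from the event's XML.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Resolve-ClientName {
    # Reverse-resolve an IP, skipping the placeholders 4624 uses for local logons.
    param([string]$Ip)
    if ($Ip -in @('-', '::1', '127.0.0.1', '')) { return $null }
    try { [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { $Ip }
}

# Server-side filter: successful 4624/4776 audits for this user within the window.
$XPath = "*[System[(EventID=4624 or EventID=4776) and band(Keywords,$AuditSuccess) and " +
         "TimeCreated[timediff(@SystemTime) <= $WindowMs]] and " +
         "EventData[Data[@Name='TargetUserName']='$UserToFind']]"

foreach ($DC in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    Write-Host "Searching $($DC.HostName)"
    Get-WinEvent -ComputerName $DC.HostName -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
      ForEach-Object {
        if ($_.Id -eq 4624) {
            $type = [int](Get-EventDataField $_ 'LogonType')
            [pscustomobject]@{ DC = $DC.HostName; Time = $_.TimeCreated; Event = 4624
                               LogonType   = $LogonTypes[$type]
                               Workstation = Get-EventDataField $_ 'WorkstationName'
                               Source      = Resolve-ClientName (Get-EventDataField $_ 'IpAddress') }
        } else {
            # 4776 has no logon type; it only tells you which workstation sent the NTLM request.
            [pscustomobject]@{ DC = $DC.HostName; Time = $_.TimeCreated; Event = 4776
                               LogonType   = 'NTLM validation'
                               Workstation = Get-EventDataField $_ 'Workstation'
                               Source      = $null }
        }
      } | Format-Table -AutoSize
}
```

Results still stream as each DC is queried; a Network (type 3) row means the user touched a share or service on that host, not that they were logged on at it.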
This entry was posted in PowerShell, Security.

2 Responses to PowerShell: Find computers a user has logged on to from Active Directory

  1. JJ says:

    I’m getting an error on “audit success” line 6 char 5. It states that “audit success” is an invalid value.
