PowerShell: Find computers a user has logged on to from Active Directory

This is a bit of an experimental script; there may well be better or faster ways of doing this, so feel free to comment if you know of one. Note that the events it finds are not necessarily "interactive" logons, i.e. ones where the user logged on at the console or opened a Remote Desktop session. A 4624 on a domain controller is just as likely to be a network logon (logon type 3) from a machine that accessed a share or LDAP on the DC, and a 4776 is only a credential validation. What you get is a list of places to start looking for more detail, not proof that the user sat at any of them.

The results come from two different events in each domain controller's Security log, and every DC is queried because any of them may have serviced the logon. Event 4624 (an account was successfully logged on) records the source network address of the logon; the script passes that address to a reverse DNS lookup to get the computer name, which only works where a PTR record exists. Event 4776 (the computer attempted to validate the credentials for an account) is written when the DC validates NTLM credentials and names the source workstation directly in the event message. Kerberos authentication does not produce a 4776, so a user who only ever authenticated with Kerberos will show up in 4624 alone.

Everything is kept in one long pipeline so that you see results as they come in. Get-WinEvent against a busy DC's Security log can take a very long time to return; if its output were collected into a variable first and then processed and displayed, you could be waiting hours before anything appeared on screen.

Import-Module ActiveDirectory
$UserToFind = "someuser"
$StartTime = (Get-Date).AddMinutes(-90)
# FilterHashtable expects the numeric keyword mask; the string "audit success" is rejected
$AuditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
$DCs = Get-ADDomainController -Filter * | Sort-Object -Property Hostname
foreach($DC in $DCs){
    Write-Host ("Searching "+$DC.Hostname)
    # 4624: Properties[5] = TargetUserName, [8] = LogonType, [11] = WorkstationName, [18] = IpAddress
    Get-WinEvent -FilterHashtable @{logname="security"; id=4624; keywords=$AuditSuccess; starttime=$StartTime} -ComputerName $DC.Hostname `
     | Where-Object { $_.Properties[5].Value -eq $UserToFind } `
     | ForEach-Object {
         $ip = $_.Properties[18].Value
         # Reverse lookup via .NET rather than parsing nslookup text; "-" or addresses without a PTR record are reported as such
         try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $name = "(no PTR record)" }
         "{0}  4624  logon type {1}  {2}  {3}  {4}" -f $_.TimeCreated, $_.Properties[8].Value, $_.Properties[11].Value, $ip, $name
       }
    # 4776 (NTLM credential validation): Properties[1] = TargetUserName, [2] = source Workstation
    Get-WinEvent -FilterHashtable @{logname="security"; id=4776; keywords=$AuditSuccess; starttime=$StartTime} -ComputerName $DC.Hostname `
     | Where-Object { $_.Properties[1].Value -eq $UserToFind } `
     | ForEach-Object { "{0}  4776  {1}" -f $_.TimeCreated, $_.Properties[2].Value }
}
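As an added example, not part of the original post, here is a way to turn the 4624 and 4776 message text into objects and to separate interactive logons (types 2, 7, 10, 11) from network logons, so the "might have just accessed a network resource" caveat can be checked per host. The field labels it parses (Logon Type, New Logon / Account Name, Workstation Name, Source Network Address, Logon Account, Source Workstation) are the ones Windows writes into these events; the sample messages, the host names, the addresses and the ws03.corp.example PTR record are constructed for the demonstration and are not real log data. The reverse lookup is injectable so the whole thing runs offline.

```powershell
# Added example (not from the original post): parse 4624/4776 Message text into objects and
# summarise, per host, whether the user's logons there were interactive or network only.
# Sample messages, host names and addresses below are constructed, not real log data.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# Logon types that mean the user was actually at a console or in an RDP session
$InteractiveTypes = 2, 7, 10, 11

function ConvertFrom-LogonMessage {
    param([Parameter(Mandatory)][int]$EventId, [Parameter(Mandatory)][string]$Message)
    switch ($EventId) {
        4624 {
            # The message has two "Account Name:" lines (Subject and New Logon); only the New Logon one is the user
            if ($Message -match '(?s)New Logon:.*?Account Name:\s+(?<u>\S+)') { $user = $Matches.u } else { return }
            $type = if ($Message -match 'Logon Type:\s+(?<t>\d+)') { [int]$Matches.t } else { -1 }
            $ws   = if ($Message -match 'Workstation Name:\s+(?<w>\S+)') { $Matches.w } else { '-' }
            $ip   = if ($Message -match 'Source Network Address:\s+(?<i>\S+)') { $Matches.i } else { '-' }
            [pscustomobject]@{ EventId = 4624; User = $user; LogonType = $type; Kind = $LogonTypeNames[$type]
                               Interactive = ($type -in $InteractiveTypes); Workstation = $ws; IpAddress = $ip }
        }
        4776 {
            # NTLM credential validation: no logon type and no address, but the source workstation name
            if ($Message -match 'Logon Account:\s+(?<u>\S+)') { $user = $Matches.u } else { return }
            $ws = if ($Message -match 'Source Workstation:\s+(?<w>\S+)') { $Matches.w } else { '-' }
            [pscustomobject]@{ EventId = 4776; User = $user; LogonType = $null; Kind = 'NTLM validation'
                               Interactive = $false; Workstation = $ws; IpAddress = '-' }
        }
    }
}

function Get-UserLogonSummary {
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][object[]]$Logons,
          # Reverse lookup is injectable so the function can run offline; the default asks DNS
          [scriptblock]$Resolve = { param($ip) try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $null } })
    $Logons | Where-Object { $_.User -eq $User } | ForEach-Object {
        $hostName = $_.Workstation
        if ($hostName -eq '-' -and $_.IpAddress -ne '-') { $hostName = & $Resolve $_.IpAddress }
        if (-not $hostName) { $hostName = $_.IpAddress }   # no PTR record: keep the address
        [pscustomobject]@{ Host = $hostName; Kind = $_.Kind; Interactive = $_.Interactive }
    } | Group-Object Host | ForEach-Object {
        [pscustomobject]@{
            Host        = $_.Name
            Events      = $_.Count
            Interactive = [bool]($_.Group | Where-Object Interactive)
            Kinds       = ($_.Group.Kind | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample messages (not real log data), in the layout the Security log uses
$rdpTo4624 = @'
An account was successfully logged on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -

Logon Type:         10

New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       someuser
    Account Domain:     CORP

Network Information:
    Workstation Name:   -
    Source Network Address: 10.1.2.3
    Source Port:        49152
'@
$share4624 = $rdpTo4624 -replace 'Logon Type:         10', 'Logon Type:         3' -replace 'Workstation Name:   -', 'Workstation Name:   WS01' -replace '10\.1\.2\.3', '10.1.2.4'
$other4624 = $rdpTo4624 -replace 'someuser', 'otheruser'
$ntlm4776 = @'
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  someuser
Source Workstation:     WS02
Error Code:     0x0
'@

$events = @(
    @{ Id = 4624; Message = $rdpTo4624 }, @{ Id = 4624; Message = $share4624 },
    @{ Id = 4624; Message = $other4624 }, @{ Id = 4776; Message = $ntlm4776 }
)
$parsed = $events | ForEach-Object { ConvertFrom-LogonMessage -EventId $_.Id -Message $_.Message }
# Offline resolver standing in for DNS: only 10.1.2.3 has a (made-up) PTR record
Get-UserLogonSummary -User 'someuser' -Logons $parsed -Resolve { param($ip) @{ '10.1.2.3' = 'ws03.corp.example' }[$ip] } |
    Format-Table -AutoSize
```

Against real data, replace the constructed `$events` with the output of the Get-WinEvent calls above, piping each event through `ConvertFrom-LogonMessage -EventId $_.Id -Message $_.Message`. The summary then shows, for each host, whether any of the user's logons there were interactive; hosts that only ever appear with Network or NTLM validation are the ones the caveat at the top is about. Parsing the message text keeps the example independent of the Properties[] ordering, at the cost of depending on the English field labels.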
This entry was posted in PowerShell, Security.