2017-09-27 85 views
0

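powershell - Get the last logon of users from the local server

I have been working on a script to show the last logon of each user who has logged on to their terminal server.

The script works if they are not on a domain, but when they are on a domain, it shows users who have not logged on to the specific server.

Is there a way I can edit the script so that it only shows users who have logged on to the specific server?

Here is the code: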

#This script will check which users have logged on in the last X days
#Set Variables
#Change the number in the parentheses after AddDays to change how far back to filter
#Example: (Get-Date).AddDays(-30) gets all logins for the last 30 days from today; (-60) would be the last 60 days

$AuditDate = Get-Date (Get-Date).AddDays(-30) -Format "MM/dd/yyyy h:mm:ss tt"
$ComputerName = $env:COMPUTERNAME
$CurrentDate = Get-Date -UFormat "%Y-%m-%d"


#Delete any previously created files
Get-ChildItem -Path "C:\PowerShellScripts\LastLogon\Results" -Recurse |
    Where-Object CreationTime -lt (Get-Date).AddDays(-0) |
    Remove-Item -ErrorAction SilentlyContinue

#The Login Profile is filtered here
Get-WmiObject -Class Win32_NetworkLoginProfile -ComputerName $ComputerName |
    #Where-Object -FilterScript {$_.LogonServer -like $ComputerName} |
    Where-Object -FilterScript {$_.FullName -notlike "*Agvance*"} |
    Where-Object -FilterScript {$_.FullName -notlike "*Sophos*"} |
    Where-Object -FilterScript {$_.FullName -ne "AgvAdmin"} |
    Where-Object -FilterScript {$_.FullName -ne ""} |
    Where-Object {$_.Name -notlike "*ssi1*"} |
    Where-Object {$_.Name -notlike "*ssi2*"} |
    Where-Object {$_.Name -notlike "*ssi3*"} |
    Where-Object {$_.Name -notlike "*ssi4*"} |
    Where-Object {$_.Name -notlike "*ssi5*"} |
    Where-Object {$_.Name -notlike "*ssi6*"} |
    Where-Object {$_.Name -notlike "*ssi7*"} |
    Where-Object {$_.Name -notlike "*ssi8*"} |
    Where-Object {$_.Name -notlike "*ssi9*"} |
    Where-Object {$_.Name -notlike "*ssiadmin*"} |
    Where-Object -FilterScript {$_.Name -notlike "*SYSTEM*"} |
    Where-Object -FilterScript {$_.Name -notlike "*SERVICE*"} |
    Where-Object -FilterScript {![System.String]::IsNullOrWhiteSpace($_.LastLogon)} |
    Where-Object -FilterScript {$_.ConvertToDateTime($_.LastLogon) -ge $AuditDate} |
    Select-Object Name,LogonServer,@{label='LastLogon';expression={$_.ConvertToDateTime($_.LastLogon)}} -ErrorAction SilentlyContinue |
    Sort-Object Name |
    Export-Csv C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NoTypeInformation

#Extra filter to filter out SSI users
#Import-Csv C:\PowerShellScripts\Results\LastLogon.csv | Where-Object {$_.Name -notlike "*ssi*"} | Export-Csv C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NoTypeInformation -Force

#The user count is created here
$number = (Import-Csv C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv | measure | % { $_.Count })

#The file is renamed to include computername, date, and user count
Rename-Item -Path C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NewName C:\PowerShellScripts\Lastlogon\Results\LastLogon-$ComputerName-$CurrentDate-UserCount-$number.csv

Answers

0

You can give this a try and see if it provides what you need.

# Start of the 30-day window
$time = (Get-Date) - (New-TimeSpan -Days 30)

# You can add additional filters in ? { $_.Properties[1].Value -ne 'SYSTEM' } by
# modifying it with -and statements
# i.e. ? { ($_.Properties[1].Value -ne 'SYSTEM') -and ($_.Properties[1].Value -ne 'USER') }
# $ComputerName is the variable set in the question's script
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672;starttime=$time} -ComputerName $ComputerName |
    ? { $_.Properties[1].Value -ne 'SYSTEM' } |
    select @{N='User';E={$_.Properties[1].Value}}, @{N='TimeCreated';E={$_.TimeCreated}}
+0

This works, but I get a lot of DWM-XXXX showing up. I'm not sure whether those are real users, but I do recognize some of them. – RedThorn88

+0

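DWM stands for "Desktop Window Manager". These can be filtered out just like the "SYSTEM" account. Quoting Wikipedia: "Desktop Window Manager (DWM, previously Desktop Compositing Engine or DCE) is the window manager in Windows Vista, Windows 7, Windows 8 and Windows 10 that enables the use of hardware acceleration to render the graphical user interface of Windows." [Wiki](https://en.wikipedia.org/wiki/Desktop_Window_Manager) – ekeeling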

+0

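As for the other users, can you query AD with `Get-ADUser -Filter {samaccountname -like "*USERNAME*"}` to check whether they are valid accounts? They might be service accounts. If they are not in AD, you can post them here and I'll see if I recognize them. – ekeeling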
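
Added example (not part of the original posts): the answer's query returns one row per event, while the question asks for one last-logon row per user, with accounts such as SYSTEM and DWM-XXXX filtered out as discussed in the comments. The function name `Get-LastLogonPerUser`, its parameters, the exclusion patterns and the sample records are assumptions made for illustration.

```powershell
# Reduce logon event rows to one "last logon" row per user.
# Input objects need User and TimeCreated properties, which is the shape
# produced by the select at the end of the answer's pipeline.
function Get-LastLogonPerUser {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [datetime] $Since = (Get-Date).AddDays(-30),
        # Wildcard patterns for non-human accounts (assumed list, extend as needed)
        [string[]] $ExcludeLike = @('SYSTEM', '*SERVICE*', 'DWM-*')
    )
    $Events |
        Where-Object { $_.TimeCreated -ge $Since } |
        Where-Object {
            $user = $_.User
            # Keep the row only if no exclusion pattern matches the user name
            -not ($ExcludeLike | Where-Object { $user -like $_ })
        } |
        Group-Object -Property User |
        ForEach-Object {
            [pscustomobject]@{
                User       = $_.Name
                LastLogon  = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
                EventCount = $_.Count
            }
        } |
        Sort-Object -Property User
}

# Constructed sample records (not real log data) so the function runs anywhere
$now = Get-Date
$sample = @(
    [pscustomobject]@{ User = 'alice';  TimeCreated = $now.AddDays(-2)  }
    [pscustomobject]@{ User = 'alice';  TimeCreated = $now.AddDays(-10) }
    [pscustomobject]@{ User = 'bob';    TimeCreated = $now.AddDays(-45) }  # outside the window
    [pscustomobject]@{ User = 'DWM-3';  TimeCreated = $now.AddDays(-1)  }  # window manager account
    [pscustomobject]@{ User = 'SYSTEM'; TimeCreated = $now.AddHours(-1) }
)
Get-LastLogonPerUser -Events $sample | Format-Table -AutoSize

# On the server itself, pass the answer's query result instead of $sample:
# $time   = (Get-Date).AddDays(-30)
# $events = Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672;StartTime=$time} |
#     Select-Object @{N='User';E={$_.Properties[1].Value}}, TimeCreated
# Get-LastLogonPerUser -Events $events -Since $time
```

Because the events are read from the server's own Security log, only accounts that actually produced an event on that server appear in the result.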