powershell - 從本地服務器獲取上次用戶的最後一次登錄

我一直在處理腳本以顯示每個已登錄到其終端服務器的用戶的最後一次登錄。powershell - 從本地服務器獲取上次用戶的最後一次登錄

如果腳本不在域中，但是當它們位於域中時，它將顯示尚未登錄到特定服務器的用戶。

有沒有辦法讓我編輯腳本，只顯示登錄到特定服務器的用戶？

下面是代碼：

#This script will check which users have logged on in the last X days 
#Set Variables 
#Change the number in the parenthesis after adddays to change how far back 
to filter 
#example (get-date).adddays(-30) gets all logins for the last 30 days from 
today (-60) would be the last 60 days 

$AuditDate = Get-Date (get-date).adddays(-30) -format "MM/dd/yyyy h:mm:ss 
tt" 
$ComputerName = $env:COMPUTERNAME 
$CurrentDate = Get-Date -UFormat "%Y-%m-%d" 


#Delete any previously created files 
Get-ChildItem -Path "C:\PowerShellScripts\LastLogon\Results" -Recurse | 
Where-Object CreationTime -lt (Get-Date).AddDays(-0) | Remove-Item - 
ErrorAction SilentlyContinue 

#The Login Profile is filtered here 
Get-WmiObject -class Win32_NetworkLoginProfile -ComputerName $ComputerName| 
#Where-Object -FilterScript {$_.LogonServer -like $ComputerName}| 
Where-Object -FilterScript {$_.FullName -notlike "*Agvance*"} | 
Where-Object -FilterScript {$_.FullName -notlike "*Sophos*"} | 
Where-Object -FilterScript {$_.FullName -ne "AgvAdmin"} | 
Where-Object -FilterScript {$_.FullName -ne ""} | 
Where-Object {$_.Name -notlike "*ssi1*"}| 
Where-Object {$_.Name -notlike "*ssi2*"}| 
Where-Object {$_.Name -notlike "*ssi3*"}| 
Where-Object {$_.Name -notlike "*ssi4*"}| 
Where-Object {$_.Name -notlike "*ssi5*"}| 
Where-Object {$_.Name -notlike "*ssi6*"}| 
Where-Object {$_.Name -notlike "*ssi7*"}| 
Where-Object {$_.Name -notlike "*ssi8*"}| 
Where-Object {$_.Name -notlike "*ssi9*"}| 
Where-Object {$_.Name -notlike "*ssiadmin*"}| 
Where-Object -FilterScript {$_.Name -notlike "*SYSTEM*"} | 
Where-Object -FilterScript {$_.Name -notlike "*SERVICE*"} | 
Where-Object -FilterScript {! 
[System.String]::IsNullOrWhiteSpace($_.LastLogon)} | 
Where-Object -FilterScript {$_.ConvertToDateTime($_.LastLogon) -ge 
$AuditDate} | 
Select-Object Name,LogonServer,@{label='LastLogon';expression= 
{$_.ConvertToDateTime($_.LastLogon)}} -ErrorAction SilentlyContinue | sort- 
object Name | Export-Csv 
C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NoTypeInformation 

#Extra filter to filter out SSI users 
#Import-Csv C:\PowerShellScripts\Results\LastLogon.csv | Where-Object 
{$_.Name -notlike "*ssi*"} |Export-Csv 
C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NoTypeInformation -Force 

#The user count is created here 
$number = (Import-Csv C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv | 
measure | % { $_.Count}) 

#The file is renamed to include computername, date, and user count 
rename-item -path C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NewName C:\PowerShellScripts\Lastlogon\Results\LastLogon-$ComputerName-$CurrentDate-UserCount-$number.csv

來源

2017-09-27 RedThorn88

您可以在此給一個嘗試，看看它是否提供你所需要的。

$time = (Get-Date) – (New-TimeSpan -Day 30) 

# You can additional filters in ? { $_.Properties[1].Value -ne 'SYSTEM' } by 
# modifying it with -and statements 
# i.e. ? { ($_.Properties[1].Value -ne 'SYSTEM') -and ($_.Properties[1].Value -ne 'USER')} 
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672;starttime=$time} -ComputerName $ComputerName | ? { $_.Properties[1].Value -ne 'SYSTEM' } | select @{N='User';E={$_.Properties[1].Value}}, @{N='TimeCreated';E={$_.TimeCreated}}

來源

2017-09-27 19:45:22 ekeeling

這將工作，但我得到了很多的DWM - XXXX顯示。我不確定那些是否是真正的用戶，但我確實認識到其中的一些人。 – RedThorn88

DWM代表「桌面Windows管理器」。這些可以像「系統」帳戶一樣被過濾掉。維基百科的引用「桌面窗口管理器（DWM，以前的桌面合成引擎或DCE）是Windows Vista，Windows 7，Windows 8和Windows 10中的窗口管理器，支持使用硬件加速來呈現Windows的圖形用戶界面。「 [Wiki]（https://en.wikipedia.org/wiki/Desktop_Window_Manager） – ekeeling

至於其他用戶，您是否可以使用'Get-ADUser -Filter {samaccountname -like「* USERNAME *」}'查詢AD以檢查是否他們是有效的賬戶？他們可能是服務賬戶。如果他們不在AD，你可以在這裏發佈，我會看看我是否認出他們。 – ekeeling

powershell - 從本地服務器獲取上次用戶的最後一次登錄

回答

相關問題