How to read logon events and look up user information with PowerShell?


How can I use PowerShell to read logon and logoff events from the Windows event log and retrieve the corresponding information about each user from Active Directory?

The following script reads Winlogon events from the System log, retrieves information from AD based on each user's SID, and displays the results in a generated HTML page. The result of each AD lookup is cached to avoid unnecessary round trips to the AD server.

# Event id 7001 is logon, event id 7002 is logoff
function WinlogonEventIdToString($EventID) {
    switch ($EventID) {
        7001 { "Logon"; break }
        7002 { "Logoff"; break }
    }
}

# Look up SIDs in Active Directory and cache the results in a hashtable
$AdUsers = @{}
function SidToAdUser($sid) {
    $AdUser = $AdUsers[$sid]
    if ($AdUser -eq $null) {
        # Bind to the user object by SID; the "<SID=...>" ADSI binding string was stripped by the
        # page extraction and is restored here
        $AdUser = $AdUsers[$sid] = [adsi]"LDAP://<SID=$sid>"
    }
    return $AdUser
}

$outputFilename = [System.IO.Path]::GetTempPath() + "DisplayLatestLogonEvents.html"

# The first Select extracts the SID from the event log entry and converts the event id to a descriptive string
# The second Select takes care of looking up the user object in Active Directory using the SID
# The final Select picks various attribute values from the user object, ready for display in a table
# To retrieve only recent log entries, something like this can be used with Get-EventLog: -After (Get-Date).AddDays(-14)
Get-EventLog -LogName System -Source "Microsoft-Windows-Winlogon" -InstanceId 7001,7002 `
    | Select TimeGenerated, @{n='Operation';e={WinlogonEventIdToString $_.EventID}}, @{n='SID';e={$_.ReplacementStrings[1]}} `
    | Select TimeGenerated, Operation, @{n='AdUser';e={SidToAdUser $_.SID}} `
    | Select TimeGenerated, Operation, `
        @{n='Username';e={$_.AdUser.sAMAccountName}}, `
        @{n='Full name';e={$_.AdUser.givenName + " " + $_.AdUser.sn}}, `
        @{n='Title';e={$_.AdUser.Title}}, `
        @{n='Department';e={$_.AdUser.Department}}, `
        @{n='Company';e={$_.AdUser.Company}} `
    | ConvertTo-Html -Head "<style>td, th { border: 1px solid grey }</style>" | Out-File $outputFilename

# This opens the default web browser (Invoke-Item rather than Invoke-Expression, which breaks on paths containing spaces)
Invoke-Item $outputFilename

Note on the "Full name" column: the AD attributes holding first and last name are givenName and sn; the page's text used firstname/lastname, which are not LDAP attribute names and would render as empty cells.
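As an added example (my own code, not the question's script or anything from its author), here is a variant of the Winlogon reader above that needs no ADSI bind: it reads the same 7001/7002 events with Get-WinEvent, which unlike Get-EventLog also exists in PowerShell 7, pulls the SID out of the event XML by name instead of relying on the position of ReplacementStrings, and resolves each SID once through a cache. Unresolvable SIDs (deleted accounts, broken trusts) are kept as the raw SID string so the report shows the gap rather than aborting. The function names Resolve-SidCached and Get-WinlogonSessionEvent are my own.

```powershell
# Added example, not from the original question. Assumes a domain-joined Windows host
# with read access to the System log; function names are the author's (mine), not cmdlets.

$script:SidCache = @{}

function Resolve-SidCached {
    param([Parameter(Mandatory)][string]$Sid)
    if ($script:SidCache.ContainsKey($Sid)) { return $script:SidCache[$Sid] }
    try {
        # Local SID-to-account translation; goes to the DC for domain SIDs, no AD module needed
        $account = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted account or unresolvable SID: keep the raw SID visible instead of dropping the row
        $account = $Sid
    }
    $script:SidCache[$Sid] = $account
    return $account
}

function Get-WinlogonSessionEvent {
    param([int]$Days = 14)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Winlogon'
        Id           = 7001, 7002
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "No events were found" as an error when nothing matches;
    # for a report an empty result is fine, so that error is suppressed.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The SID lives in EventData/Data[@Name='UserSid']; reading it by name is stable
        # across OS builds, unlike a positional ReplacementStrings index.
        $xml = [xml]$_.ToXml()
        $sid = ($xml.Event.EventData.Data | Where-Object Name -eq 'UserSid').'#text'
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Operation = if ($_.Id -eq 7001) { 'Logon' } else { 'Logoff' }
            Sid       = $sid
            Account   = Resolve-SidCached -Sid $sid
        }
    }
}

# Usage
Get-WinlogonSessionEvent -Days 14 | Sort-Object Time | Format-Table -AutoSize
```

The cache is keyed on the SID string, so repeated events for the same user cost one translation; if you still want the extra AD attributes from the question (title, department), the cached account name can be fed to the question's SidToAdUser in place of the raw SID lookup.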
For a Windows 10 Professional machine that is a member of an Active Directory domain, this script produces a list of logon/logoff times for the selected user, including events from the screensaver lock screen. It is a PowerShell script that records active working time without needing a separate application.

# original source: https://community.spiceworks.com/topic/764481-get-logon-off-workstation-lock-unlock-times 
# cleaned up, filtered by username, and included lock by screensaver timeout by kevin, Dec 2018
# must enable auditing via secpol.msc
# Security Settings -> Advanced Audit Policy -> System Audit -> Logon/Logoff -> Audit Other Logon/Off Events -> On Success

$days = 30
$username = "kevin"

Write-Host "Retrieving last $days days of user: $username, logon/logoff activity... please wait"

$events = @()
$events += Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=@(4624,4800,4634)
    StartTime=(Get-Date).AddDays(-$days)
}

$type_lu = @{
    4624 = 'Logon'
    4800 = 'Logoff' # screensaver lock
    4634 = 'Logoff' # explicit
}

$ns = @{'ns'='http://schemas.microsoft.com/win/2004/08/events/event'}
$target_xpath = "//ns:Data[@Name='TargetUserName']"
$usersid_xpath = "//ns:Data[@Name='UserSid']"

If($events) {
    $results = ForEach($event in $events) {
        $xml = $event.ToXml()
        Switch -Regex ($event.Id) {
            '4...' {
                $user = (
                    Select-Xml -Content $xml -Namespace $ns -XPath $target_xpath
                ).Node.'#text'
                Break
            }
            '7...' {
                # Only reached if Winlogon ids 7001/7002 are added to the Id filter above;
                # those events carry a SID rather than a user name, so translate it
                $sid = (
                    Select-Xml -Content $xml -Namespace $ns -XPath $usersid_xpath
                ).Node.'#text'
                $user = (
                    New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList $sid
                ).Translate([System.Security.Principal.NTAccount]).Value
                Break
            }
        }
        if($username -eq $user) {
            New-Object -TypeName PSObject -Property @{
                Time = $event.TimeCreated
                Id = $event.Id
                Type = $type_lu[$event.Id]
                User = $user
            }
        }
    }

    If($results) {
        $results
    }
}
Sample output:

C:\WINDOWS\system32>powershell -file C:\desk\path\timetracker.ps1
Retrieving last 10 days of user: kevin, logon/logoff activity

Time                   User    Id Type
----                   ----    -- ----
12/4/2018 1:39:22 PM   kevin 4634 Logoff
12/4/2018 1:39:19 PM   kevin 4800 Logoff
12/4/2018 1:10:28 PM   kevin 4634 Logoff
12/4/2018 1:10:28 PM   kevin 4624 Logon
12/4/2018 12:57:32 PM  kevin 4634 Logoff
12/4/2018 12:57:32 PM  kevin 4624 Logon
12/4/2018 12:29:43 PM  kevin 4624 Logon
12/4/2018 11:48:11 AM  kevin 4634 Logoff
To debug this script I opened Event Viewer (eventvwr.msc) and used this custom filter XML:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='kevin']]</Select>
  </Query>
</QueryList>

PowerShell also has the Get-EventLog cmdlet, but I found it lacking in options.
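The answer's script lists individual 4624/4800/4634 rows; turning those into working time means pairing each logon with the next logoff or lock. Below is an added example (my own code, not part of the answer) that does that pairing over constructed sample rows in the same shape as the answer's $results, so it runs offline; in practice you would pipe $results in. It handles the edge cases visible in the sample output above: a 4634 arriving right after a 4800 lock (nothing left to close, so it is dropped), a logoff with no logon in the queried window, and a logon that is never closed (still logged on, or the machine lost power), which is reported as StillOpen instead of being silently counted or ignored. Function names Get-LogonSession and Get-ActiveTimePerDay are mine.

```powershell
# Added example, not from the original answer. Constructed sample rows matching the
# shape of the answer's $results (Time, User, Id, Type).
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2018-12-04 08:55:00'; User = 'kevin'; Id = 4624; Type = 'Logon'  }
    [pscustomobject]@{ Time = Get-Date '2018-12-04 11:48:11'; User = 'kevin'; Id = 4634; Type = 'Logoff' }
    [pscustomobject]@{ Time = Get-Date '2018-12-04 12:29:43'; User = 'kevin'; Id = 4624; Type = 'Logon'  }
    [pscustomobject]@{ Time = Get-Date '2018-12-04 13:39:19'; User = 'kevin'; Id = 4800; Type = 'Logoff' }  # lock
    [pscustomobject]@{ Time = Get-Date '2018-12-04 13:39:22'; User = 'kevin'; Id = 4634; Type = 'Logoff' }  # follows the lock
    [pscustomobject]@{ Time = Get-Date '2018-12-04 14:05:00'; User = 'kevin'; Id = 4624; Type = 'Logon'  }  # never closed
)

function Get-LogonSession {
    param([Parameter(Mandatory)][object[]]$Events)
    $open = @{}   # user -> start time of the currently open logon
    foreach ($e in ($Events | Sort-Object Time)) {
        switch ($e.Type) {
            'Logon' {
                if ($open.ContainsKey($e.User)) {
                    # Two logons with no logoff between them: close the first at the
                    # second so the overlap is not counted twice.
                    [pscustomobject]@{ User = $e.User; Start = $open[$e.User]; End = $e.Time; Status = 'ClosedByNextLogon' }
                }
                $open[$e.User] = $e.Time
            }
            'Logoff' {
                if ($open.ContainsKey($e.User)) {
                    [pscustomobject]@{ User = $e.User; Start = $open[$e.User]; End = $e.Time; Status = 'Complete' }
                    $open.Remove($e.User)
                }
                # else: a 4634 right after a 4800 lock, or a logoff before the first
                # logon in the window; there is no open session, so the row is dropped
            }
        }
    }
    foreach ($u in $open.Keys) {
        [pscustomobject]@{ User = $u; Start = $open[$u]; End = $null; Status = 'StillOpen' }
    }
}

function Get-ActiveTimePerDay {
    param([Parameter(Mandatory)][object[]]$Events)
    Get-LogonSession -Events $Events |
        Where-Object { $_.End } |                       # open sessions have no duration yet
        Group-Object { $_.Start.Date.ToString('yyyy-MM-dd') } |
        ForEach-Object {
            $minutes = ($_.Group | ForEach-Object { ($_.End - $_.Start).TotalMinutes } | Measure-Object -Sum).Sum
            [pscustomobject]@{ Day = $_.Name; Sessions = $_.Count; ActiveMinutes = [math]::Round($minutes, 1) }
        }
}

# Usage
Get-LogonSession -Events $sample | Format-Table -AutoSize
Get-ActiveTimePerDay -Events $sample | Format-Table -AutoSize
```

Because the answer's filter labels both 4800 (workstation locked) and 4634 as Logoff, active time stops at the lock, and the 4624 that Windows logs on unlock (logon type 7) starts the next session, which is what the sample output above already shows.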

Why post a question if you are not looking for an answer???

So that if someone else wants to ask, the answer is already there.

@AutumnBaril I found your question and answer helpful, and +1'd the question.