PowerShell - Get the last logon of the last users from a local server
I have been writing a script to display the last logon of each user who has logged on to a terminal server. If the users are not on a domain, the script works, but when they are on a domain, it shows users who have not logged on to that particular server. Is there a way I can edit the script so that it only shows users who have logged on to that particular server? The code is as follows:
#This script will check which users have logged on in the last X days
#Set Variables
#Change the number in the parenthesis after adddays to change how far back to filter
#example (get-date).adddays(-30) gets all logins for the last 30 days from today (-60) would be the last 60 days
$AuditDate = Get-Date (get-date).adddays(-30) -format "MM/dd/yyyy h:mm:ss tt"
$ComputerName = $env:COMPUTERNAME
$CurrentDate = Get-Date -UFormat "%Y-%m-%d"
#Delete any previously created files
Get-ChildItem -Path "C:\PowerShellScripts\LastLogon\Results" -Recurse |
Where-Object CreationTime -lt (Get-Date).AddDays(-0) |
Remove-Item -ErrorAction SilentlyContinue
#The Login Profile is filtered here
Get-WmiObject -class Win32_NetworkLoginProfile -ComputerName $ComputerName|
#Where-Object -FilterScript {$_.LogonServer -like $ComputerName}|
Where-Object -FilterScript {$_.FullName -notlike "*Agvance*"} |
Where-Object -FilterScript {$_.FullName -notlike "*Sophos*"} |
Where-Object -FilterScript {$_.FullName -ne "AgvAdmin"} |
Where-Object -FilterScript {$_.FullName -ne ""} |
Where-Object {$_.Name -notlike "*ssi1*"}|
Where-Object {$_.Name -notlike "*ssi2*"}|
Where-Object {$_.Name -notlike "*ssi3*"}|
Where-Object {$_.Name -notlike "*ssi4*"}|
Where-Object {$_.Name -notlike "*ssi5*"}|
Where-Object {$_.Name -notlike "*ssi6*"}|
Where-Object {$_.Name -notlike "*ssi7*"}|
Where-Object {$_.Name -notlike "*ssi8*"}|
Where-Object {$_.Name -notlike "*ssi9*"}|
Where-Object {$_.Name -notlike "*ssiadmin*"}|
Where-Object -FilterScript {$_.Name -notlike "*SYSTEM*"} |
Where-Object -FilterScript {$_.Name -notlike "*SERVICE*"} |
Where-Object -FilterScript {![System.String]::IsNullOrWhiteSpace($_.LastLogon)} |
Where-Object -FilterScript {$_.ConvertToDateTime($_.LastLogon) -ge $AuditDate} |
Select-Object Name,LogonServer,@{label='LastLogon';expression={$_.ConvertToDateTime($_.LastLogon)}} -ErrorAction SilentlyContinue |
sort-object Name |
Export-Csv C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NoTypeInformation
#Extra filter to filter out SSI users
#Import-Csv C:\PowerShellScripts\Results\LastLogon.csv | Where-Object {$_.Name -notlike "*ssi*"} |Export-Csv C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NoTypeInformation -Force
#The user count is created here
$number = (Import-Csv C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv | measure | % { $_.Count})
#The file is renamed to include computername, date, and user count
rename-item -path C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NewName C:\PowerShellScripts\Lastlogon\Results\LastLogon-$ComputerName-$CurrentDate-UserCount-$number.csv
You can try this and see whether it meets your needs:
$time = (Get-Date) - (New-TimeSpan -Day 30)
# You can add additional filters in ? { $_.Properties[1].Value -ne 'SYSTEM' } by
# modifying it with -and statements
# i.e. ? { ($_.Properties[1].Value -ne 'SYSTEM') -and ($_.Properties[1].Value -ne 'USER')}
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672;starttime=$time} -ComputerName $ComputerName |
? { $_.Properties[1].Value -ne 'SYSTEM' } |
select @{N='User';E={$_.Properties[1].Value}}, @{N='TimeCreated';E={$_.TimeCreated}}
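This works, but I'm getting a lot of DWM-XXXX entries showing up. I'm not sure whether these are actual users, but I do recognize some of the other users.

DWM stands for Desktop Window Manager. These can be filtered out the same way as the SYSTEM account. Quoting Wikipedia: Desktop Window Manager (DWM, previously Desktop Compositing Engine or DCE) is the window manager in Windows Vista, Windows 7, Windows 8 and Windows 10 that enables the use of hardware acceleration to render the graphical user interface of Windows. As for the other users, can you query AD with "Get-ADUser -Filter {samaccountname -like USERNAME}" to check whether they are valid accounts? They may be service accounts. If they are not in AD, you can post them here and I'll see whether I recognize them.

This script does bring back some users, but it doesn't seem to show all of them; it only goes back to the 25th. That may be because the event log can only hold so much.

As for only going back to the 25th, the system only allows the log to grow to a certain size and then starts overwriting entries. You can view the properties as follows: 1. Log on to the server; 2. Go to the Security event log; 3. Right-click the Security event log; 4. Click Properties. You will see the Maximum log size (KB) field. Once the log reaches this size, it starts overwriting. If you need to keep entries for longer, increase that value. You can also set it to archive the log so that you can refer to it later.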
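
An added example, not part of the original thread: it reads event 4624 (successful logon) from the server's own Security log, instead of the 4672 (special privileges assigned) event used in the answer, keeps only interactive and RDP logon types, drops the DWM-n style built-in accounts, and reports the newest logon per user. It assumes an elevated session; the 30-day window and the noise pattern are illustrative choices.

```powershell
# Added example: last interactive/RDP logon per user on THIS server (Security event 4624).
$ComputerName = $env:COMPUTERNAME
$Since        = (Get-Date).AddDays(-30)   # assumed audit window

# Logon types that mean a person used this machine:
# 2 = interactive, 10 = RemoteInteractive (RDP), 11 = cached interactive
$InteractiveTypes = '2', '10', '11'

# Built-in accounts that also generate interactive-type logons (assumed noise list)
$NoisePattern = '^(DWM-\d+|UMFD-\d+|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|ANONYMOUS LOGON)$'

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }

$logons = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData by field name instead of by position in Properties[]
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']
            Time      = $_.TimeCreated
        }
    } |
    Where-Object {
        $InteractiveTypes -contains $_.LogonType -and
        $_.User -notmatch $NoisePattern -and
        $_.User -notlike '*$'              # machine accounts end in $
    }

# Keep only the newest event per DOMAIN\user
$logons |
    Group-Object { '{0}\{1}' -f $_.Domain, $_.User } |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{ User = $_.Name; LogonType = $latest.LogonType; LastLogon = $latest.Time }
    } |
    Sort-Object User
```

Because the events come from the server's own Security log, domain users who never logged on to this server do not appear; how far back the results reach is still bounded by the maximum log size discussed above.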