使用Powershell的用户登录/注销信息
我希望能够检查远程计算机的用户登录/注销会话和时间,我从stackoverflow获得了以下代码,但我不知道如何告诉脚本检查远程计算机:使用Powershell的用户登录/注销信息,powershell,Powershell,我希望能够检查远程计算机的用户登录/注销会话和时间,我从stackoverflow获得了以下代码,但我不知道如何告诉脚本检查远程计算机: $UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}} $TypeProperty =
$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier
$_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProeprty = @{n="Time";e={$_.TimeGenerated}}
Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProeprty
$Computername = Read-Host "Enter Computername Here"
Foreach $Computer in $Computername
{
$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProeprty = @{n="Time";e={$_.TimeGenerated}}
Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProeprty
}
您没有将计算机名传递给循环中的任何命令。因为$computerName中有很多对象,所以它只是循环使用相同的命令尝试将最后一行更改为:
Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer | select $UserProperty,$TypeProperty,$TimeProperty
$computerName | Foreach-Object{Write-Host $_}
但是,看起来您正试图为一台计算机运行它,因此请删除Foreach循环,只需在select语句之前将
-ComputerName$ComputerNameGet EventlogComputerNameGet-EventLog -ComputerName $Computer System -Source Microsoft-Windows-Winlogon `
| select $UserProperty,$TypeProperty,$TimeProeprty
另外,您的
$TimeProeprty# Specify the location you want the report to be saved
$filelocation = "C:\Path\report.csv"
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
[string]$Computer = [Microsoft.VisualBasic.Interaction]::InputBox("Enter ComputerName", "Computer Name", "Computer Name")
[int]$DayPrompt = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Number of Days to check", "Days to Check", "15")
$Days = $DayPrompt
cls
$Result = @()
Write-Host "Gathering Event Logs, this can take awhile..."
$ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(- $Days) -ComputerName $Computer
If ($ELogs)
{ Write-Host "Processing..."
ForEach ($Log in $ELogs)
{ If ($Log.InstanceId -eq 7001)
{ $ET = "Logon"
}
ElseIf ($Log.InstanceId -eq 7002)
{ $ET = "Logoff"
}
Else
{ Continue
}
$Result += New-Object PSObject -Property @{
Time = $Log.TimeWritten
'Event Type' = $ET
User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
}
}
$Result | Select Time,"Event Type",User | Sort Time -Descending | Export-CSV $filelocation - TypeInformation
Write-Host "Done."
}
Else
{ Write-Host "Problem with $Computer."
Write-Host "If you see a 'Network Path not found' error, try starting the Remote Registry service on that computer."
Write-Host "Or there are no logon/logoff events (XP requires auditing be turned on)"
}
获取LogonHistory.ps1param(
[alias("CN")]
$ComputerName="localhost"
)
$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
$MachineNameProperty = @{n="MachinenName";e={$_.MachineName}}
foreach ($computer in $ComputerName) {
Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer | select $UserProperty,$TypeProperty,$TimeProperty,$MachineNameProperty
}
这样,它将显示用户登录的机器。可以将多台远程计算机传递到命令行中,每台计算机之间使用逗号(无空格)。稍微修改一下,它就可以工作了
# Specify the location you want the report to be saved
$filelocation = "C:\report.csv"
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
[string]$Computer = [Microsoft.VisualBasic.Interaction]::InputBox("Enter ComputerName", "Computer Name", "Computer Name")
[int]$DayPrompt = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Number of Days to check", "Days to Check", "15")
$Days = $DayPrompt
cls
$Result = @()
Write-Host "Gathering Event Logs, this can take awhile..."
$ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(- $Days) -ComputerName $Computer
If ($ELogs)
{ Write-Host "Processing..."
ForEach ($Log in $ELogs)
{ If ($Log.InstanceId -eq 7001)
{ $ET = "Logon"
}
ElseIf ($Log.InstanceId -eq 7002)
{ $ET = "Logoff"
}
Else
{ Continue
}
$Result += New-Object PSObject -Property @{
Time = $Log.TimeWritten
'Event Type' = $ET
User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
}
}
$Result | Select Time,"Event Type",User | Sort Time -Descending | Export-CSV $filelocation
Write-Host "Done look at $filelocation"
}
Else
{ Write-Host "Problem with $Computer."
Write-Host "If you see a 'Network Path not found' error, try starting the Remote Registry service on that computer."
Write-Host "Or there are no logon/logoff events (XP requires auditing be turned on)"
}
您可以从ReplacementStrings获取其他信息。您还可以在Get Eventlog命令中指定远程计算机。Dude,您的回复很快。我会很快给你推荐,并让你知道结果。但我得先去喝点咖啡。我马上回来。谢谢克里斯。好吧,我按照你的建议做了,但结果还是一样。我刚刚了解到Get-Eventlog cmdlet确实在此处提供远程访问:。请先简化一下。在计算机名提示后,用以下内容替换整个脚本:Get-EventLog System-Source Microsoft Windows Winlogon-ComputerName$ComputerName是的,我也这样做了,并且不断返回“Get-EventLog:未找到匹配项”错误,但是如果删除-Source Microsoft Windows Winlogon,它在远程计算机上运行正常。由于某些原因,在远程系统上运行时,它不喜欢-Source参数。我也尝试了一下,结果它抛出了一个很长的错误。但是,我确实尝试删除了一些代码,并查看它挂起的位置,这运行正常:Get EventLog-ComputerName$Computer System,但它似乎导致问题的地方是脚本的-Source Microsoft Windows Winlogon部分。这可能是因为该源未被任何日志项引用。您可以尝试运行
Get EventLog-ComputerName$Computer-LogName“System”|选择对象-ExpandProperty“Source”-Unique |排序对象Microsoft Windows WinlogonGet-Eventlog -LogName Security | where {$_.EventId -eq "4624"} | select-object @{Name="User"
;Expression={$_.ReplacementStrings[5]}} | sort-object User -unique