I found a script here: https://serverfault.com/questions/479048/remote-desktop-services-login-history
Here is the script:
Get-Eventlog -LogName Security | where {$_.EventId -eq "4624"} | select-object @{Name="User";Expression={$_.ReplacementStrings[5]}} | sort-object User -unique | ogv
The goal is to search for a specific user and see when was the last time that he logged in to the terminal server. With that script, I am unable to make it show the date too, only the user name. I've tried to add some properties after running Get-Member, but didn't have any success.
Thank you for your help.
You can use the Get-WinEvent cmdlet for this like below:
$user = 'The SamAccountName of the user you want to track'
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 100 |
    Where-Object {$_.Properties[5].Value -eq $user } |
    Select-Object -Property @{Name = 'UserName'; Expression = { $_.Properties[5].Value }},
                            @{Name = 'LogonTime'; Expression = { $_.TimeCreated }},
                            MachineName |
    Out-GridView
# $_.Properties[5].Value --> TargetUserName
The -MaxEvents 100 is just an example. Change that value or remove the parameter altogether if you need to.
To retrieve only 3 events, use the -MaxEvents parameter with value 3.
You can also select the (last) 3 events afterwards, if that is what you want, by appending -Last 3 to the Select-Object command.
To see what the Properties array contains for this event ID, you can do
$props = (Get-WinEvent -MaxEvents 1 -FilterHashtable @{LogName='Security';ID=4624}).Properties
for ($i = 0; $i -lt $props.Count; $i++) {
    "Properties[$i].Value --> {0}" -f $props[$i].Value
}
Comparing this to what you can read in the XML-view of eventvwr.exe:
SubjectUserSid = 0
SubjectUserName = 1
SubjectDomainName = 2
SubjectLogonId = 3
TargetUserSid = 4
TargetUserName = 5
TargetDomainName = 6
TargetLogonId = 7
LogonType = 8
LogonProcessName = 9
AuthenticationPackageName = 10
WorkstationName = 11
LogonGuid = 12
TransmittedServices = 13
LmPackageName = 14
KeyLength = 15
ProcessId = 16
ProcessName = 17
IpAddress = 18
IpPort = 19
These values differ when asking for other events and are only valid for LogName='Security';ID=4624
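Because the index positions above only hold for event 4624, an alternative is to read the fields by name from the event XML. The following is an added example, not code from the question or the answer: the function names ConvertFrom-LogonEventXml and Get-LastRdpLogon, the LogonType 10 (RemoteInteractive) filter and the sample event are assumptions made for illustration.

```powershell
# Added example: read 4624 fields by name from the event XML, not by array index.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc    = [xml]$EventXml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        UserName  = $fields['TargetUserName']
        Domain    = $fields['TargetDomainName']
        LogonType = [int]$fields['LogonType']
        IpAddress = $fields['IpAddress']
        Computer  = $doc.Event.System.Computer
        LogonTime = [datetime]$doc.Event.System.TimeCreated.SystemTime  # stored as UTC in the XML
    }
}

# Hypothetical helper: most recent RDP logon for one account on this machine.
# Reading the Security log needs an elevated session.
function Get-LastRdpLogon {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$MaxEvents = 1000)
    # Filter inside the event log service; assumes the name contains no single quote.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() } |
        Where-Object { $_.LogonType -eq 10 } |   # 10 = RemoteInteractive
        Sort-Object LogonTime -Descending |
        Select-Object -First 1
}

# Constructed sample event (trimmed to the fields used above) for an offline check.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-15T08:30:00.0000000Z" />
    <Computer>TS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $sample
```

On the terminal server itself, `Get-LastRdpLogon -SamAccountName 'jdoe'` returns the newest matching logon with its time and source address.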