How to get a list of users logged to a computer in the past 2 weeks?

This topic contains 4 replies, has 4 voices, and was last updated by Profile photo of Kevin Sexton Kevin Sexton 2 months, 2 weeks ago.

  • Author
    Posts
  • #61065
    Profile photo of Del
    Del
    Participant

    Hi there,

    Our CEO asked me to get him a list of all users logged into his computer in the past 2 weeks while he's on vacation!
    He believes that someone logged into his computer.

    I'm new to PS. I know only how to get current logged user.
    Get-WmiObject -class win32_Computersystem -Property Username -ComputerName localhost

    I found some scripts online, but doesn't work! also I can find some scripts that can show only last day! tried to manipulate the script to get info from (start date – last date) but didn't work! I'm pretty sure there's a cmdlet for this.

    Appreciate your help!

    Thanks

  • #61068
    Profile photo of Olaf Soyk
    Olaf Soyk
    Participant

    Why don't you show what you've tried so far and we will be pleased to help you if we can. To post code here in the forum you should format it as code like explained in this post: How to Format Code in the Forums

  • #61074
    Profile photo of Del
    Del
    Participant

    I found this cmdlet, it works, but doesn't show the username 🙁

    Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-15) -ComputerName localhost

  • #61080
    Profile photo of Rob Simmers
    Rob Simmers
    Participant

    If you did a little more searching "Powershell Microsoft-Windows-WinLogon", you'll get results for how to dive deeper and get the username. I found this thread and updated the function:

    function Get-LogonHistory {
        [CmdLetBinding()]
        Param (
            [string]$ComputerName = $env:COMPUTERNAME,
            [int]$Days = 10
        )
        begin{}
        process{
    
            Write-Verbose "Gathering Event Logs, this can take awhile..."
    
            $params = @{
                LogName = "System"
                Source = "Microsoft-Windows-WinLogon"
                After = (Get-Date).AddDays(-$Days)
                ComputerName = $ComputerName
                ErrorAction = "Stop"
            }
    
            try {
                $events = Get-EventLog @params
    
                if ( $events ) {
                    Write-Verbose "Completed gathering logs, generating PSObject..."
                    $results = foreach ( $event in $events ) { 
        
                        switch ( $event.InstanceId ) {
                            7001 { $logonType = "Logon" }
                            7002 { $logonType = "LogOff" }
                            default { $logonType = "Unknown ($_)" }
                        }
    
                        New-Object PSObject -Property @{
                            Time         = $event.TimeWritten
                            EventType    = $logonType
                            User         = (New-Object System.Security.Principal.SecurityIdentifier $event.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
                        }
                    }
                }
                else {
                    Write-Verbose ("No events found on {0} within {1} days" -f $ComputerName, $Days)
                }
            }
            catch {
                Write-Verbose ("There was a problem gathering events on {0}. {1}" -f $ComputerName, $_)
            }
        }
        end {
            $results
        }
    }
    
    Get-LogonHistory -Verbose
    
    
  • #61261
    Profile photo of Kevin Sexton
    Kevin Sexton
    Participant

    We added a 1-liner to the global logon script which writes the logon information to a SQL table. We have a webpage which allows you to query the information. It is VERY useful. ***I realize that doesn't answer the question.

    -Kevin

You must be logged in to reply to this topic.