24 October 2018

User Logon Reporting

If you have to track the login times for a specific user, this tool will generate a report for you that scans the event viewer logs for ID 4624. The tool parses each event and retrieves the user name, securityID, type of logon, computer name, and time stamp. It formats the output and writes it to a centralized CSV file in the event this tool is deployed to multiple machines at once. The tool has the ability to 'wait for its turn' to write to the file when it is deployed to multiple systems.

I have the script translate what each of the logon types is. If you do not want a specific logon type to be reported, you can comment out that type within the switch cmdlet and it will not appear in the report.

NOTE: I originally wrote this script to have Get-WinEvent remotely execute on a machine using the -computer parameter and the time required was huge, especially on older systems with three months plus of event viewer data. It took almost 30 minutes. It ended up being much quicker to deploy the script via an SCCM package.

You can download the script from my GitHub site located here.


 <#  
      .SYNOPSIS  
           Logon Reporting  
        
      .DESCRIPTION  
           This script will report the computername, username, IP address, and date/time to a central log file.  
        
      .PARAMETER LogFile  
           A description of the LogFile parameter.  
        
      .NOTES  
           ===========================================================================  
           Created with:     SAPIEN Technologies, Inc., PowerShell Studio 2017 v5.4.142  
           Created on:       10/22/2018 10:13 AM  
           Created by:       Mick Pletcher  
           Filename:         LogonReport.ps1  
           ===========================================================================  
 #>  
 [CmdletBinding()]  
 param  
 (  
      [ValidateNotNullOrEmpty()]  
      [string]$LogFile = 'LogonReport.csv'  
 )  
   
 $Entries = @()  
 $IPv4 = foreach ($ip in (ipconfig) -like '*IPv4*') {($ip -split ' : ')[-1]}  
 $DT = Get-Date  
 foreach ($IP in $IPv4) {  
      $object = New-Object -TypeName System.Management.Automation.PSObject  
      $object | Add-Member -MemberType NoteProperty -Name ComputerName -Value $env:COMPUTERNAME  
      $object | Add-Member -MemberType NoteProperty -Name UserName -Value $env:USERNAME  
      $object | Add-Member -MemberType NoteProperty -Name IPAddress -Value $IP  
      $object | Add-Member -MemberType NoteProperty -Name DateTime -Value (Get-Date)  
      $object  
      $Entries += $object  
 }  
 foreach ($Entry in $Entries) {  
      Do {  
           Try {  
                Export-Csv -InputObject $Entry -Path $LogFile -Encoding UTF8 -NoTypeInformation -NoClobber -Append  
                $Success = $true  
           } Catch {  
                $Success = $false  
                Start-Sleep -Seconds 1  
           }  
      } while ($Success -eq $false)  
 }  
   
Reactions:

0 comments:

Post a Comment