Logons der letzten 7 Tage auslesen

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Winlogon'
    StartTime    = (Get-Date).AddDays(-7)
}

$logs = Get-WinEvent -FilterHashtable $filter

$res = @()
ForEach ($log in $logs) {
    if ($log.Id -eq 7001) {$type = "Logon"}
    elseif ($log.Id -eq 7002) {$type = "Logoff"}
    else {Continue}

    # Check if Properties[1] exists before accessing
    if ($log.Properties.Count -gt 1) {
        try {
            $user = (New-Object System.Security.Principal.SecurityIdentifier $log.Properties[1].Value).Translate([System.Security.Principal.NTAccount])
        } catch {
            $user = "Unknown User"
        }
    } else {
        $user = "Unknown User"
    }

    $res += [PSCustomObject]@{
        Time = $log.TimeCreated
        Event = $type
        User = $user
    }
}

$res

Beliebte Posts aus diesem Blog

Shutdown / Lastlogon Analyse

Wer hat das System heruntergefahren: Get-EventLog - LogName system - Source user32 - Newest 1 | fl * Logons der letzten 7 Tage: $filter = @ {     LogName       = 'System'     ProviderName = 'Microsoft-Windows-Winlogon'     StartTime     = ( Get-Date ). AddDays ( -7 ) } $logs = Get-WinEvent - FilterHashtable $filter $res = @ () ForEach ( $log in $logs ) {     if ( $log . Id -eq 7001 ) { $type = "Logon" }     elseif ( $log . Id -eq 7002 ) { $type = "Logoff" }     else { Continue }     # Check if Properties[1] exists before accessing     if ( $log . Properties . Count -gt 1 ) {         try {             $user = ( New-Object System.Security.Principal.SecurityIdentifier $log . Properties [ 1 ]. Value ). Translate ([ System.Security.Principal.NTAccount ])         } catch { ...
Mehr anzeigen