So, A day or so ago. I was in progress of a server retirement and was required to do some minor investigation as to see who may have been using the server if anyone at all. I found this pretty neat little script that is much like UPTIME to see who may have recently logged into the machine and maybe then I can speak to them to see if it is still needed at all. Now sadly, depending on the server the Event log may roll quickly so all the data you may be looking for (Father back in the past) may not be there but that depends on your environment.

function get-logonhistory{
Param (
 [string]$Computer = (Read-Host Remote computer name),
 [int]$Days = 10
 $Result = @()
 Write-Host "Gathering Event Logs, this can take awhile..."
 $ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-$Days) -ComputerName $Computer
 If ($ELogs)
 { Write-Host "Processing..."
 ForEach ($Log in $ELogs)
 { If ($Log.InstanceId -eq 7001)
   { $ET = "Logon"
   ElseIf ($Log.InstanceId -eq 7002)
   { $ET = "Logoff"
   { Continue
   $Result += New-Object PSObject -Property @{
    Time = $Log.TimeWritten
    'Event Type' = $ET
    User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
 $Result | Select Time,"Event Type",User | Sort Time -Descending | Out-GridView
 Write-Host "Done."
 { Write-Host "Problem with $Computer."
 Write-Host "If you see a 'Network Path not found' error, try starting the Remote Registry service on that computer."
 Write-Host "Or there are no logon/logoff events (XP requires auditing be turned on)"

get-logonhistory -Computer "RemoteHostName" -Days "30"

Leave a Reply

Your email address will not be published. Required fields are marked *