
How to get user last login time without any additional modules in powershell?

Developer https://www.devze.com 2023-04-03 20:32 Source: Internet

Can I get specific user login time logged into server not using any AD modules or additional snapins?


Best way I would suggest is to parse the event log using the built in cmdlets

Research either Get-EventLog or Get-WinEvent

On a local machine, something like this would tell you all the instances where user "TBIRD" successfully logged in

# Read the local Security log and keep successful logon audits that mention TBIRD
Get-EventLog Security |
   where {$_.EntryType -match 'Success' -and
     $_.Message -match 'An account was successfully logged on.'} |
   where {$_.Message -match 'TBIRD'}

I'm sure a cleaner parse of available properties would avoid parsing through the Message field; this is just a quick & dirty example to guide you in the right direction.


You can use ADSI. It's built into .NET Framework 2.0, so no snapin, no module.

And get lastLogon attribute (edited or better lastLogonTimestamp)

# Bind to the domain over LDAP (server, account and password are the answer's sample values)
$dn = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://SRVA.dom.fr/dc=dom,dc=fr","administrateur@dom.fr","admin")

# Look for a user
$Rech = New-Object System.DirectoryServices.DirectorySearcher($dn)
$Rech.Filter = "(userPrincipalName=phocquet@dom.fr)"
$Rech.SearchScope = "subtree"
# Add() returns the new index; cast to [void] so it is not written to the output
[void]$Rech.PropertiesToLoad.Add("distinguishedName")
[void]$Rech.PropertiesToLoad.Add("sAMAccountName")
[void]$Rech.PropertiesToLoad.Add("lastLogon")

$liste = $Rech.FindOne()

(Edited) @Chritian is right, you'd better use lastLogonTimestamp, not lastLogon, since lastLogon is not replicated across Active Directory domain controllers, so if you have multiple domain controllers that users authenticate against, lastLogon will be updated only on the current authenticating server, while lastLogonTimestamp will be replicated across all the domain controllers. For more information on that, see “The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”. It explains that lastLogonTimestamp is not updated at each logon, but it's just 9-14 days accurate (can be configured); it's more to help identify inactive computer and user accounts.

If you are looking for “real-time” logon tracking, you will need to query the Security event log on your DCs for the desired logon events, i.e. 528 (Windows XP\2003 and earlier) or 4624 (Windows Vista\2008). It looks like the best option for near real-time data is to use an event log collection service to gather all domain controller security event logs into a centralized database.


You can only rely on lastLogonTimeStamp if you are interested in logon times that are older than 15 days. It seems that you may be interested in getting last logon times that are within the last 15 days, in which case lastLogonTimestamp is not going to give you accurate results.

In general, the correct way to do this is to query each DC in your domain for the lastLogon attribute, then compare all those values to find out the user's true last logon time. This is the only way to get 100% accurate results irrespective of whether the last logon was before or after 15 days.

You can write a script to fetch these values from all the DCs and then compare them to determine the true last logon for the user, or you can use a True Last Logon Reporting Tool to automate the process for you.
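
One way to script the per-DC comparison described in the answer above, using only the .NET classes that ship with Windows PowerShell. This is an added example, not code from the original answers: the function name Get-TrueLastLogon is hypothetical, TBIRD is the sample account from the first answer, and it assumes a domain-joined machine running as a domain user.

```powershell
# Added example (not from the original answers). Assumes a domain-joined machine
# and a caller who can read user objects; Get-TrueLastLogon is a hypothetical name.
Add-Type -AssemblyName System.DirectoryServices

function Get-TrueLastLogon {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Escape LDAP filter metacharacters (RFC 4515) so the name cannot change the filter.
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a'
    $safe = $safe -replace '\(', '\28' -replace '\)', '\29'

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $perDc = foreach ($dc in $domain.DomainControllers) {
        try {
            # Bind to this specific DC as the current user: no password in the script.
            $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
            $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
            $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
            [void]$searcher.PropertiesToLoad.Add('lastLogon')
            $hit = $searcher.FindOne()

            # lastLogon is a FILETIME; 0 or missing means no logon recorded on this DC.
            $raw = 0
            if ($hit -and $hit.Properties['lastlogon'].Count -gt 0) {
                $raw = [long]$hit.Properties['lastlogon'][0]
            }
            $when = $null
            if ($raw -gt 0) { $when = [DateTime]::FromFileTime($raw) }
            New-Object PSObject -Property @{ DomainController = $dc.Name; LastLogon = $when }
        } catch {
            # An unreachable DC makes the result incomplete, so surface it.
            Write-Warning "Could not query $($dc.Name): $($_.Exception.Message)"
        }
    }

    # lastLogon is not replicated, so the newest per-DC value is the true last logon.
    $perDc | Sort-Object LastLogon -Descending | Select-Object -First 1
}

Get-TrueLastLogon -SamAccountName 'TBIRD'
```

A DC that produced a warning was not counted, so treat the returned time as a lower bound until every DC answers.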
