re: Use PowerShell to Find Logon Sessions

joel de la torre — Mon, 06 Jun 2011 14:43:48 GMT

I also this on my blog at http://datatypes.blogspot.com

re: Use PowerShell to Find Logon Sessions

Sean Kearney — Sun, 05 Jun 2011 17:54:08 GMT

Joel

I like that! Another tool to add to our kits! I LOVE the Power of community here! Thanks for contributing.

If you have a few minutes, could you pop that into the Script Repository? NICE JOB! :)

Sean

re: Use PowerShell to Find Logon Sessions

joel de la torre — Sat, 04 Jun 2011 22:42:45 GMT

If you have enabled 'Audit account logon Events' on your Win2008 server you can query for event: 4768; A Kerberos Ticket Request. The event has the username and computername where the request originated from. Just as your request isn't perfect, neither is this. Its just an alternative if you dont have a share where all your users are connected to.

function Get-UserComputerName {

.SYNOPSIS

Searches a specified Domain Controller for the computername of a logged on user.

.DESCRIPTION

Queries a DC for Event ID 4768 (Kerberos authentication ticket,TGT) request from the servers Security

event log.

.PARAMETER UserName

SamAccount name of the user to search for

.EXAMPLE

PS> .\Get-UserComputerName -UserName "John_Doe" -Server "My_DC"

Searches for user John_Doe on Domain Controller My_DC

.EXAMPLE

PS> .\Get-UserComputerName -Username "John_Doe"

Searches for user John_Doe using the logged on server name for the current user

running the script.

.EXAMPLE

PS> .\Get-UserComputerName

Searches the current user on the logged on server name

param([string]$username = $env:username,[string]$server = $env:logonserver)

$ErrorActionPreference = "silentlycontinue"

if ($server.StartsWith("\\")) {$server = $server.Remove(0,2)}

$events = Get-WinEvent -ComputerName $server -MaxEvents 5 -FilterHashTable @{logname="security";id=4768;data=$username}

# Check if error has been raised from EventLog Query.

if (!$?) {Write-Warning "No successful logon events were found on Server: $server for Username: $username"

break

}

foreach ($event in $events) {

$myObject = New-Object -TypeName system.Object

[string]$Computer = $event.message.split("`n") | Select-String "Client Address"

$addressLine = $computer.replace("Client Address:",'')

$addressLine = $addressLine.trim()

if ($addressLine.startswith("::ffff:")) { $address = $addressLine.replace("::ffff:",'') }

$DNSResult = [system.Net.Dns]::Resolve($address)

$ComputerName = $DNSResult.HostName

$timeStamp = $event.timecreated

$myObject | Add-Member -MemberType noteproperty -Name AuthDC -Value $server

$myObject | Add-Member -MemberType noteproperty -Name TimeStamp -Value $timeStamp

$myObject | Add-Member -MemberType noteproperty -Name UserName -Value $username

$myObject | Add-Member -MemberType noteproperty -Name IPAddress -Value $address

$myObject | Add-Member -MemberType noteproperty -Name ComputerName -Value $computerName

$myObject

}