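<#
.LINK
Source: http://www.spiceworks.com
.SYNOPSIS
This script will query a computer for terminal server logon/logoff events, showing username, time logged, and source IP.
By default, the output will be written to screen, but can be emailed using the built-in parameters.
.DESCRIPTION
Checks the event logs of the specified server or servers for Terminal Server session information.
Events are read from the 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' log on each server:
ID 21 (session logon), 23 (session logoff), 24 (session disconnected) and 25 (session reconnected).
The optional UserName, DomainName and IPAddress filters are applied to the text of each event message.
.PARAMETER After
Find results that occur after the date specified. Defaults to one day before the script runs.
.PARAMETER Before
Find results that occur before the date specified. Defaults to one day after the script runs.
.PARAMETER ComputerName
A comma delimited list of servers (or single entry) to evaluate for RDP sessions.
.PARAMETER DomainName
The domain name you wish to search against. If no domain name is specified, all domain results will be returned.
.PARAMETER IPAddress
The IP Address you wish to search against. If no IP Address is specified, all IP addresses will be returned.
.PARAMETER View
Enable this switch to view the HTML report using your default .html application.
.PARAMETER MailFrom
The email address you wish this report to send from.
.PARAMETER MailTo
The email address you wish to send this report to.
.PARAMETER MailServer
The IP address or fully-qualified name of the email server to send the report through.
.PARAMETER UserName
The user name you wish to search against. If no user name is specified, all users will be returned.
.EXAMPLE
Get-TerminalSessionDetails.ps1 -ComputerName RDSServer1
Show all Remote Desktop logon/logoff events from server RDSServer1 in the PowerShell console.
.EXAMPLE
Get-TerminalSessionDetails.ps1 -ComputerName RDSServer1 -Before 09/01/2014 -After 08/20/2014 -UserName Rob
Search RDSServer1 for all RDS logon/logoff activity in the event log between the dates 8/20/2014 and 09/01/2014, but only for the username 'Rob.'
.EXAMPLE
Get-TerminalSessionDetails.ps1 -ComputerName RDSServer1,RDSServer2 -UserName Rob -DomainName Fabrikam
Search the servers RDSServer1 and RDSServer2 for all RDS logon/logoff activity in the event log for the username of 'Rob' who belongs to the domain 'Fabrikam.'
.EXAMPLE
Get-TerminalSessionDetails.ps1 -ComputerName RDSServer1 -MailTo rob@fabrikam.com -MailFrom TSServer_Report@fabrikam.com -MailServer 192.168.0.25
Search the server RDSServer1 for all RDS logon/logoff activity in the event log and email the result to rob@fabrikam.com
.EXAMPLE
Get-TerminalSessionDetails.ps1 -ComputerName RDSServer1 -View
Search the server RDSServer1 for logon/logoff events and generate an HTML report (in the same folder as the script) and open your default HTML viewer when finished.
.NOTES
This script has the following prerequisites:
Administrative rights to the remote server where you are querying event logs, specifically the 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' log.
The CSV report (and the HTML report when -View is used) is written to the script's folder and lists user names and source IP addresses; keep that folder, and any mailbox the report is sent to, restricted accordingly.
#>
Param(
    # Servers to query. Also bound from pipeline objects that carry a ComputerName property.
    [Parameter(ValueFromPipelineByPropertyName = $true, Position = 0)]
    [array] $ComputerName,
    # Time window for the events; the defaults cover yesterday through tomorrow.
    [DateTime] $After = (Get-Date).AddDays(-1),
    [DateTime] $Before = (Get-Date).AddDays(1),
    # Optional filters; an omitted filter matches every event.
    [IPAddress] $IPAddress,
    [string] $Username,
    [string] $DomainName,
    # Email delivery. Send-MailMessage needs a sender, a recipient and a server, so supply all three.
    [string] $MailFrom,
    [string] $MailTo,
    [string] $MailServer,
    # Write an HTML report next to the script and open it with the default .html handler.
    [switch] $View
)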
Begin{
    Clear-Host
    # One row per matching session event; Process appends to it, End reports it.
    $Log = @()
    $reportemailsubject = "Terminal Server Report - $(Get-Date)"
    #...................................
    # Email Settings
    #...................................
    # Splatted into Send-MailMessage in End. To/From/SmtpServer come straight from the
    # MailTo/MailFrom/MailServer parameters and may be empty when no mail is requested.
    $smtpsettings = @{
        To         = $MailTo
        From       = $MailFrom
        Subject    = $reportemailsubject
        SmtpServer = $MailServer
    }
    # Reports are written next to the script. The CSV lists user names and source IPs,
    # so the script folder should not be world-readable.
    $myDir = Split-Path -Parent $MyInvocation.MyCommand.Path
    $reportfile = "$myDir\RDS-ServerReport.csv"
}
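Process {
    # Query every server in parallel; each job returns the raw session events in the time window.
    $Jobs = @()
    ForEach ($Server in $ComputerName) {
        $Jobs += Start-Job -ArgumentList $Server, $After, $Before -ScriptBlock {
            Param (
                [string] $Computer,
                [DateTime] $After = (Get-Date).AddDays(-1),
                [DateTime] $Before = (Get-Date).AddDays(1)
            )
            # LocalSessionManager session events: 21 logon, 23 logoff, 24 disconnect, 25 reconnect.
            $IDs = @(21, 23, 24, 25)
            Try {
                # -ErrorAction Stop turns a failed remote query (RPC unavailable, access denied,
                # missing log) into a terminating error so the Catch below actually runs.
                Get-WinEvent -ComputerName $Computer -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -ErrorAction Stop |
                    Where-Object { ($IDs -contains $_.Id) -and ($_.TimeCreated -gt $After) -and ($_.TimeCreated -lt $Before) } |
                    Select-Object MachineName, Message, User, TimeCreated, SourceIP, Id
            }
            Catch {
                # Report on the warning stream; writing the ErrorRecord to the output stream
                # would hand it to the parser below as if it were an event.
                Write-Warning "Event log query on $Computer failed: $($_.Exception.Message)"
            }
        }
    }
    # Wait-Job echoes the job objects; discard them so they do not leak into the script output.
    $null = $Jobs | Wait-Job
    $Data = $Jobs | Receive-Job
    $Jobs | Remove-Job

    ForEach ($Event in $Data) {
        $Result = $Event | Select-Object MachineName, Message, User, TimeCreated, SourceIP
        # A filter that was not supplied matches every event. Starting from that default matters
        # for logoff events (ID 23), whose message has no "Source Network Address" line and which
        # otherwise never pass the IP check. All three flags are reset per event so a domain match
        # from an earlier event cannot carry over to later ones.
        $IPMatch = -not $IPAddress
        $UserNameMatch = -not $Username
        $DomainNameMatch = -not $DomainName
        ForEach ($MsgElement in ($Event.Message -split "`n")) {
            # Split on the first ':' only so an IPv6 source address keeps its colons.
            $Element = $MsgElement -split ':', 2
            If ($Element.Count -lt 2) { Continue }
            $Label = $Element[0].Trim()
            # Trim() rather than Trim(" ") also drops a trailing CR when the message uses CRLF line ends.
            $Value = $Element[1].Trim()
            If ($Label -eq "User") {
                $Result.User = $Value
                # Expected form is "DOMAIN\user"; a name without a backslash has no domain part.
                $Logon = $Value -split '\\', 2
                If ($Logon.Count -eq 2) {
                    $LogonDomain = $Logon[0].Trim()
                    $LogonUser = $Logon[1].Trim()
                }
                Else {
                    $LogonDomain = ""
                    $LogonUser = $Logon[0].Trim()
                }
                If ($Username -and ($Username -eq $LogonUser)) { $UserNameMatch = $true }
                If ($DomainName -and ($DomainName -eq $LogonDomain)) { $DomainNameMatch = $true }
            }
            ElseIf ($Label -like "Remote Desktop*") {
                # e.g. "Remote Desktop Services: Session logon succeeded:" -> "Session logon succeeded"
                $Result.Message = $Value.TrimEnd(':').Trim()
            }
            ElseIf ($Label -eq "Source Network Address") {
                If (-not $IPAddress) {
                    $Result.SourceIP = $Value
                }
                ElseIf ($IPAddress.ToString() -eq $Value) {
                    $Result.SourceIP = $Value
                    $IPMatch = $true
                }
            }
        }
        # Append once per event, after the whole message has been examined. Appending inside the
        # line loop produced one copy of the row for every message line after the filters matched.
        If ($IPMatch -and $UserNameMatch -and $DomainNameMatch) {
            $Log += $Result
        }
    }
}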
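End {
    If ($Log.Count -gt 0) {
        $Log | Export-Csv -Path $reportfile -NoTypeInformation -Encoding UTF8
        $LogHTML = $Log | ConvertTo-Html -Fragment
        # Keep the style block unindented: it is part of the string written to the report.
        $htmlhead="<html>
<style>
BODY{font-family: Arial; font-size: 8pt;}
H1{font-size: 22px; font-family: 'Segoe UI Light','Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif;}
H2{font-size: 18px; font-family: 'Segoe UI Light','Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif;}
H3{font-size: 16px; font-family: 'Segoe UI Light','Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif;}
TABLE{border: 1px solid black; border-collapse: collapse; font-size: 8pt;}
TH{border: 1px solid #969595; background: #dddddd; padding: 5px; color: #000000;}
TD{border: 1px solid #969595; padding: 5px; }
td.pass{background: #B7EB83;}
td.warn{background: #FFF275;}
td.fail{background: #FF2626; color: #ffffff;}
td.info{background: #85D4FF;}
</style>
<body>"
        $htmltail = "</body></html>"
        $htmlfile = "$myDir\RDS-ServerReport.html"

        # Send-MailMessage needs all three settings; with only some of them set the original
        # branch failed at parameter binding. Warn and fall back to the on-screen paths instead.
        $mailRequested = $MailServer -or $MailFrom -or $MailTo
        $mailConfigured = $MailServer -and $MailFrom -and $MailTo
        If ($mailRequested -and -not $mailConfigured) {
            Write-Warning "MailServer, MailFrom and MailTo must all be supplied to email the report; showing it locally instead."
        }

        If ($mailConfigured) {
            $htmlhead = "$htmlhead <p>Report of Remote Desktop Connections between $After and $Before. CSV version of report attached to this email.</p>"
            $htmlreport = $htmlhead + $LogHTML + $htmltail
            # The body and the attached CSV contain user names and source IPs. Send-MailMessage
            # does not use TLS unless -UseSsl is given; add it (and -Credential) where the server supports it.
            Send-MailMessage @smtpsettings -Body $htmlreport -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8) -Attachments $reportfile
        }
        ElseIf ($View) {
            $htmlhead = "$htmlhead <p>Report of Remote Desktop Connections between $After and $Before.</p><br>Report Run on $(Get-Date)"
            $htmlreport = $htmlhead + $LogHTML + $htmltail
            # UTF8 to match the CSV and the mail body encoding.
            $htmlreport | Out-File -FilePath $htmlfile -Encoding UTF8
            Start-Process -FilePath $htmlfile
        }
        Else {
            $Log
        }
    }
    Else {
        Write-Output "No results found"
    }
}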