#Win Event Filters/Properties$LogFilter = @{LogName = 'Microsoft-Windows-Termin

1. #Win Event Filters/Properties
2. $LogFilter = @{LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
3. ID = 21, 23, 24, 25
4. }
5.  
6. $ActionProperty = @{Name='Action';Expression={
7. if ($_.ID -eq '21'){"logon"}
8. if ($_.ID -eq '22'){"Shell start"}
9. if ($_.ID -eq '23'){"logoff"}
10. if ($_.ID -eq '24'){"disconnected"}
11. if ($_.ID -eq '25'){"reconnection"}
12. }}
13.  
14.  
15. #Get Records
16. $LoginRecords = Get-WinEvent -FilterHashtable $LogFilter | Where-Object{($_.TimeCreated -ge (Get-Date).AddMinutes(-600))} | Select-Object $ActionProperty,$UserProperty,MachineName,$TimeProperty | Sort-Object -Property TimeCreated -Descending -Unique