API tools faq
paste
Advertisement
bwood42

Powershell Get-Laslogon Example

bwood42
May 30th, 2014
449
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.41 KB | None | 0 0
raw download clone embed print report
  1. Function Get-LastLogon
  2. {
  3. <#
  4.  
  5. .SYNOPSIS
  6. This function will list the last user logged on or logged in.
  7.  
  8. .DESCRIPTION
  9. This function will list the last user logged on or logged in. It will detect if the user is currently logged on
  10. via WMI or the Registry, depending on what version of Windows is running on the target. There is some "guess" work
  11. to determine what Domain the user truly belongs to if run against Vista NON SP1 and below, since the function
  12. is using the profile name initially to detect the user name. It then compares the profile name and the Security
  13. Entries (ACE-SDDL) to see if they are equal to determine Domain and if the profile is loaded via the Registry.
  14.  
  15. .PARAMETER ComputerName
  16. A single Computer or an array of computer names. The default is localhost ($env:COMPUTERNAME).
  17.  
  18. .PARAMETER FilterSID
  19. Filters a single SID from the results. For use if there is a service account commonly used.
  20.  
  21. .PARAMETER WQLFilter
  22. Default WQLFilter defined for the Win32_UserProfile query, it is best to leave this alone, unless you know what
  23. you are doing.
  24. Default Value = "NOT SID = 'S-1-5-18' AND NOT SID = 'S-1-5-19' AND NOT SID = 'S-1-5-20'"
  25.  
  26. .EXAMPLE
  27. $Servers = Get-Content "C:\ServerList.txt"
  28. Get-LastLogon -ComputerName $Servers
  29.  
  30. This example will return the last logon information from all the servers in the C:\ServerList.txt file.
  31.  
  32. Computer : SVR01
  33. User : WILHITE\BRIAN
  34. SID : S-1-5-21-012345678-0123456789-012345678-012345
  35. Time : 9/20/2012 1:07:58 PM
  36. CurrentlyLoggedOn : False
  37.  
  38. Computer : SVR02
  39. User : WILIHTE\BRIAN
  40. SID : S-1-5-21-012345678-0123456789-012345678-012345
  41. Time : 9/20/2012 12:46:48 PM
  42. CurrentlyLoggedOn : True
  43.  
  44. .EXAMPLE
  45. Get-LastLogon -ComputerName svr01, svr02 -FilterSID S-1-5-21-012345678-0123456789-012345678-012345
  46.  
  47. This example will return the last logon information from all the servers in the C:\ServerList.txt file.
  48.  
  49. Computer : SVR01
  50. User : WILHITE\ADMIN
  51. SID : S-1-5-21-012345678-0123456789-012345678-543210
  52. Time : 9/20/2012 1:07:58 PM
  53. CurrentlyLoggedOn : False
  54.  
  55. Computer : SVR02
  56. User : WILIHTE\ADMIN
  57. SID : S-1-5-21-012345678-0123456789-012345678-543210
  58. Time : 9/20/2012 12:46:48 PM
  59. CurrentlyLoggedOn : True
  60.  
  61. .LINK
  62. http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx
  63. http://msdn.microsoft.com/en-us/library/system.security.principal.securityidentifier.aspx
  64.  
  65. .NOTES
  66. Author: Brian C. Wilhite
  67. Email: [email protected]
  68. Date: "09/20/2012"
  69. Updates: Added FilterSID Parameter
  70. Cleaned Up Code, defined fewer variables when creating PSObjects
  71. ToDo: Clean up the UserSID Translation, to continue even if the SID is local
  72. #>
  73.  
  74. [CmdletBinding()]
  75. param(
  76. [Parameter(Position=0,ValueFromPipeline=$true)]
  77. [Alias("CN","Computer")]
  78. [String[]]$ComputerName="$env:COMPUTERNAME",
  79. [String]$FilterSID,
  80. [String]$WQLFilter="NOT SID = 'S-1-5-18' AND NOT SID = 'S-1-5-19' AND NOT SID = 'S-1-5-20'"
  81. )
  82.  
  83. Begin
  84. {
  85. #Adjusting ErrorActionPreference to stop on all errors
  86. $TempErrAct = $ErrorActionPreference
  87. $ErrorActionPreference = "Stop"
  88. #Exclude Local System, Local Service & Network Service
  89. }#End Begin Script Block
  90.  
  91. Process
  92. {
  93. Foreach ($Computer in $ComputerName)
  94. {
  95. $Computer = $Computer.ToUpper().Trim()
  96. Try
  97. {
  98. #Querying Windows version to determine how to proceed.
  99. $Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer
  100. $Build = $Win32OS.BuildNumber
  101.  
  102. #Win32_UserProfile exist on Windows Vista and above
  103. If ($Build -ge 6001)
  104. {
  105. If ($FilterSID)
  106. {
  107. $WQLFilter = $WQLFilter + " AND NOT SID = `'$FilterSID`'"
  108. }#End If ($FilterSID)
  109. $Win32User = Get-WmiObject -Class Win32_UserProfile -Filter $WQLFilter -ComputerName $Computer
  110. $LastUser = $Win32User | Sort-Object -Property LastUseTime -Descending | Select-Object -First 1
  111. $Loaded = $LastUser.Loaded
  112. $Script:Time = ([WMI]'').ConvertToDateTime($LastUser.LastUseTime)
  113.  
  114. #Convert SID to Account for friendly display
  115. $Script:UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID)
  116. $User = $Script:UserSID.Translate([System.Security.Principal.NTAccount])
  117. }#End If ($Build -ge 6001)
  118.  
  119. If ($Build -le 6000)
  120. {
  121. If ($Build -eq 2195)
  122. {
  123. $SysDrv = $Win32OS.SystemDirectory.ToCharArray()[0] + ":"
  124. }#End If ($Build -eq 2195)
  125. Else
  126. {
  127. $SysDrv = $Win32OS.SystemDrive
  128. }#End Else
  129. $SysDrv = $SysDrv.Replace(":","$")
  130. $Script:ProfLoc = "\\$Computer\$SysDrv\Documents and Settings"
  131. $Profiles = Get-ChildItem -Path $Script:ProfLoc
  132. $Script:NTUserDatLog = $Profiles | ForEach-Object -Process {$_.GetFiles("ntuser.dat.LOG")}
  133.  
  134. #Function to grab last profile data, used for allowing -FilterSID to function properly.
  135. function GetLastProfData ($InstanceNumber)
  136. {
  137. $Script:LastProf = ($Script:NTUserDatLog | Sort-Object -Property LastWriteTime -Descending)[$InstanceNumber]
  138. $Script:UserName = $Script:LastProf.DirectoryName.Replace("$Script:ProfLoc","").Trim("\").ToUpper()
  139. $Script:Time = $Script:LastProf.LastAccessTime
  140.  
  141. #Getting the SID of the user from the file ACE to compare
  142. $Script:Sddl = $Script:LastProf.GetAccessControl().Sddl
  143. $Script:Sddl = $Script:Sddl.split("(") | Select-String -Pattern "[0-9]\)$" | Select-Object -First 1
  144. #Formatting SID, assuming the 6th entry will be the users SID.
  145. $Script:Sddl = $Script:Sddl.ToString().Split(";")[5].Trim(")")
  146.  
  147. #Convert Account to SID to detect if profile is loaded via the remote registry
  148. $Script:TranSID = New-Object System.Security.Principal.NTAccount($Script:UserName)
  149. $Script:UserSID = $Script:TranSID.Translate([System.Security.Principal.SecurityIdentifier])
  150. }#End function GetLastProfData
  151. GetLastProfData -InstanceNumber 0
  152.  
  153. #If the FilterSID equals the UserSID, rerun GetLastProfData and select the next instance
  154. If ($Script:UserSID -eq $FilterSID)
  155. {
  156. GetLastProfData -InstanceNumber 1
  157. }#End If ($Script:UserSID -eq $FilterSID)
  158.  
  159. #If the detected SID via Sddl matches the UserSID, then connect to the registry to detect currently loggedon.
  160. If ($Script:Sddl -eq $Script:UserSID)
  161. {
  162. $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]"Users",$Computer)
  163. $Loaded = $Reg.GetSubKeyNames() -contains $Script:UserSID.Value
  164. #Convert SID to Account for friendly display
  165. $Script:UserSID = New-Object System.Security.Principal.SecurityIdentifier($Script:UserSID)
  166. $User = $Script:UserSID.Translate([System.Security.Principal.NTAccount])
  167. }#End If ($Script:Sddl -eq $Script:UserSID)
  168. Else
  169. {
  170. $User = $Script:UserName
  171. $Loaded = "Unknown"
  172. }#End Else
  173.  
  174. }#End If ($Build -le 6000)
  175.  
  176. #Creating Custom PSObject For Output
  177. New-Object -TypeName PSObject -Property @{
  178. Computer=$Computer
  179. User=$User
  180. SID=$Script:UserSID
  181. Time=$Script:Time
  182. CurrentlyLoggedOn=$Loaded
  183. } | Select-Object Computer, User, SID, Time, CurrentlyLoggedOn
  184.  
  185. }#End Try
  186.  
  187. Catch
  188. {
  189. If ($_.Exception.Message -Like "*Some or all identity references could not be translated*")
  190. {
  191. Write-Warning "Unable to Translate $Script:UserSID, try filtering the SID `nby using the -FilterSID parameter."
  192. Write-Warning "It may be that $Script:UserSID is local to $Computer, Unable to translate remote SID"
  193. }
  194. Else
  195. {
  196. Write-Warning $_
  197. }
  198. }#End Catch
  199.  
  200. }#End Foreach ($Computer in $ComputerName)
  201.  
  202. }#End Process
  203.  
  204. End
  205. {
  206. #Resetting ErrorActionPref
  207. $ErrorActionPreference = $TempErrAct
  208. }#End End
  209.  
  210. }# End Function Get-LastLogon
  211.  
  212.  
  213.  
  214.  
  215.  
  216. $serverlist = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"'
  217.  
  218. foreach ($server in $serverlist)
  219. {
  220.  
  221. Get-lastlogon -Computername $server.name | Select * | Export-Csv e:\scripts\output\Last_Logon_Stuff.csv -Append -NoTypeInformation
  222.  
  223. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!