3

我希望能够检查远程计算机的用户登录/注销会话和时间,并且我有以下从 stackoverflow 获得的代码,但我无法弄清楚如何告诉脚本检查远程计算机:

$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier  
$_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProeprty = @{n="Time";e={$_.TimeGenerated}}

Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProeprty

我确实抛出了一个 $Computername 变量和一个 Foreach 循环语句,如下所示,试图让它在远程计算机上运行,​​但它一直在检查我所在的本地系统,而不是远程系统:

$Computername = Read-Host "Enter Computername Here"

Foreach $Computer in $Computername

    {
        $UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
        $TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
        $TimeProeprty = @{n="Time";e={$_.TimeGenerated}}

        Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProeprty
    }
4

6 回答 6

3

我知道这是一个老问题,但从未接受过任何答案。问题之一是脚本没有显示用户登录的机器。无论如何,我把它修好了(包括错字)。

Get-LogonHistory.ps1

param(
    [alias("CN")]
    $ComputerName="localhost"
)

$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
$MachineNameProperty = @{n="MachinenName";e={$_.MachineName}}

foreach ($computer in $ComputerName) {
    Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer | select $UserProperty,$TypeProperty,$TimeProperty,$MachineNameProperty
}

这样,它将显示用户登录的机器。可以将多台远程计算机传递到命令行,每台计算机之间使用逗号(无空格)。

于 2015-07-23T20:39:32.237 回答
2

您需要使用Get-EventLogcmdlet 的ComputerName参数:

Get-EventLog -ComputerName $Computer System -Source Microsoft-Windows-Winlogon `
    | select $UserProperty,$TypeProperty,$TimeProeprty

$TimeProeprty此外,您的变量中似乎有错字。

于 2012-08-01T16:30:59.660 回答
2

有点修改和它的工作

# Specify the location you want the report to be saved
$filelocation = "C:\report.csv"

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') 
[string]$Computer = [Microsoft.VisualBasic.Interaction]::InputBox("Enter     ComputerName", "Computer Name", "Computer Name")
[int]$DayPrompt = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Number of Days to     check", "Days to Check", "15")
$Days = $DayPrompt
cls

$Result = @()
Write-Host "Gathering Event Logs, this can take awhile..."
$ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-    $Days) -ComputerName $Computer
If ($ELogs)
{ Write-Host "Processing..."
ForEach ($Log in $ELogs)
{ If ($Log.InstanceId -eq 7001)
{ $ET = "Logon"
}
ElseIf ($Log.InstanceId -eq 7002)
{ $ET = "Logoff"
}
Else
{ Continue
}
$Result += New-Object PSObject -Property @{
Time = $Log.TimeWritten
'Event Type' = $ET
User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
}
}
$Result | Select Time,"Event Type",User | Sort Time -Descending | Export-CSV $filelocation
Write-Host "Done look at $filelocation"
}
Else
{ Write-Host "Problem with $Computer."
Write-Host "If you see a 'Network Path not found' error, try starting the Remote Registry service on that computer."
Write-Host "Or there are no logon/logoff events (XP requires auditing be turned on)"
}
于 2016-05-01T09:12:44.467 回答
1

您没有将计算机名称传递给循环中的任何命令。因此,它只是针对 $computerName 中的许多对象循环执行相同的命令尝试将最后一行更改为:

 Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer | select $UserProperty,$TypeProperty,$TimeProperty

如果这不起作用,请确保您的 foreach 循环正在传递正确的数据:

$computerName | Foreach-Object{Write-Host $_}

这应该显示您尝试在其上运行的每台机器的计算机名称。

但看起来你正试图在一台计算机上运行它,所以删除 Foreach 循环并-ComputerName $computername在你的 select 语句之前添加到 Get-Eventlog 命令的末尾

于 2012-08-01T16:30:36.007 回答
1

基于https://gallery.technet.microsoft.com/Log-Parser-to-Identify-8aac36bd

Get-Eventlog -LogName Security | where {$_.EventId -eq "4624"} | select-object @{Name="User"
;Expression={$_.ReplacementStrings[5]}} | sort-object User -unique

您可以从 ReplacementStrings 获取其他信息。您还可以在 Get-Eventlog 命令中指定远程计算机。

于 2016-07-27T20:29:10.213 回答
-1 
# Specify the location you want the report to be saved
$filelocation = "C:\Path\report.csv"

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') 
[string]$Computer = [Microsoft.VisualBasic.Interaction]::InputBox("Enter     ComputerName", "Computer Name", "Computer Name")
[int]$DayPrompt = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Number of Days to     check", "Days to Check", "15")
$Days = $DayPrompt
cls

$Result = @()
Write-Host "Gathering Event Logs, this can take awhile..."
$ELogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-    $Days) -ComputerName $Computer
If ($ELogs)
{ Write-Host "Processing..."
ForEach ($Log in $ELogs)
{ If ($Log.InstanceId -eq 7001)
{ $ET = "Logon"
}
ElseIf ($Log.InstanceId -eq 7002)
{ $ET = "Logoff"
}
Else
{ Continue
}
$Result += New-Object PSObject -Property @{
Time = $Log.TimeWritten
'Event Type' = $ET
User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
}
}
$Result | Select Time,"Event Type",User | Sort Time -Descending | Export-CSV $filelocation -  TypeInformation
Write-Host "Done."
}
Else
{ Write-Host "Problem with $Computer."
Write-Host "If you see a 'Network Path not found' error, try starting the Remote Registry service on that computer."
Write-Host "Or there are no logon/logoff events (XP requires auditing be turned on)"
}
于 2014-11-17T20:07:35.183 回答