Get All AD Users Logon History with their Logged on Computers (with IPs) & OUs

This script lists AD users' logon information together with the computers they logged on to by inspecting the Kerberos TGT request events (Event ID 4768) on domain controllers. It retrieves not only the user account name but also the user's OU path and the computer accounts. You can

 
 
 
 
 
Active Directory
5/10/2017


  • The term 'Resolve-dnsname' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    3 Posts | Last post August 12, 2019
    • Hello all. 
      
      I am trying to execute this script on Windows Server 2008 R2, but I get the following (error) message: 
      
      The term 'Resolve-dnsname' is not recognized as the name of a cmdlet, function,
       script file, or operable program. Check the spelling of the name, or if a path
       was included, verify that the path is correct and try again.
          + CategoryInfo          : ObjectNotFound: (Resolve-dnsname:String) [], Com 
         mandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
          + PSComputerName        : localhost
      
      What can I do to run the script correctly?
    • After some searching on the internet, I found the following workaround. Instead of using: 
      
      Resolve-dnsname $_."IP Address" 
      
      You can make use of: 
      
      [System.Net.Dns]::GetHostEntry('<hostname_or_ip_address>')
    • Hi, I have the same problem.
      But I can't figure out how to type the ('<hostname_or_ip_address>') part.
      Please let me know your advice.
      
      I typed that part as below :
      Resolve-dnsname $_."IP Address" to [System.Net.Dns]::GetHostEntry('<hostname_or_ip_address>')
      
      Then, I ran this script as Bypass function.
      
      PS> powershell.exe -ExecutionPolicy Bypass -File .\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly -OuOnly
      
      Here's the result.
      ---------------------------------------------------------------------------------------------------------------
      The term 'Get-ADDomainController' is not recognized as the name of a cmdlet, function, script file, or operable program
      . Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
      At C:\Users\_adm_J.Choi\Get_AD_Users_Logon_History.ps1:137 char:45
      + $DomainControllers = (Get-ADDomainController <<<<  -Filter  { isGlobalCatalog -eq $true -or isGlobalCatalog -eq $fals
      e}).Name
          + CategoryInfo          : ObjectNotFound: (Get-ADDomainController:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
      
      Invoke-Command : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Supply an argumen
      t that is not null or empty and then try the command again.
      At C:\Users\_adm_J.Choi\Get_AD_Users_Logon_History.ps1:146 char:43
      +     $RemoteJob+= Invoke-Command -ComputerName <<<<  $_ -ScriptBlock $read_log -ArgumentList $MaxEvent,$OuOnly,$Domain
       -AsJob
          + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
      -----------------------------------------------------------------------------------------------------------------
      
      I'm a newbie, but I really need this script. Please help.
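The workaround from this thread written out as a drop-in helper (an added example, not part of the gallery script): it uses `Resolve-DnsName` where the cmdlet exists and falls back to `[System.Net.Dns]::GetHostEntry` on PowerShell 2.0 hosts such as Server 2008 R2. The function name `Resolve-IpToHostName` is hypothetical, and returning `NOT FOUND` on failure is an assumption that mirrors the output posted elsewhere on this page.

```powershell
# Added example; Resolve-IpToHostName is a hypothetical helper, not part of the gallery script.
# On PowerShell 2.0 modules are not auto-loaded: run "Import-Module ActiveDirectory" first,
# otherwise Get-ADDomainController is also reported as not recognized.
function Resolve-IpToHostName {
    param(
        [Parameter(Mandatory = $true)]
        [string]$IpAddress
    )

    # Event 4768 often records IPv4 clients as IPv4-mapped IPv6 (::ffff:10.0.0.5).
    $ip = $IpAddress -replace '^::ffff:', ''

    # Accept only a literal IP, so a value read from the log is never sent as a name query.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        return 'NOT FOUND'
    }

    try {
        if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
            # Windows 8 / Server 2012 and later (DnsClient module).
            $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop |
                   Where-Object { $_.NameHost } | Select-Object -First 1
            if ($ptr) { return $ptr.NameHost }
            return 'NOT FOUND'
        }
        # Fallback for hosts without Resolve-DnsName.
        return [System.Net.Dns]::GetHostEntry($parsed).HostName
    }
    catch {
        # No PTR record, DNS timeout, or similar lookup failure.
        return 'NOT FOUND'
    }
}

# Usage inside a pipeline, with the property name quoted in this thread:
# Resolve-IpToHostName -IpAddress $_."IP Address"
```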
  • I am unable to fetch logged on host names.
    1 Posts | Last post July 31, 2019
    • Authenticated DC     LoggedOn Time       User          User Location                                              Workstatio
      ----------------     -------------       ----          -------------                                              ----------
      UHFADC.ummeedhfc.com 31-07-2019 16:05:02 Administrator Users/Administrator                                        UHFADC
      UHFADC.ummeedhfc.com 31-07-2019 16:02:26 Administrator Users/Administrator                                        UHFADC
      UHFADC.ummeedhfc.com 31-07-2019 16:01:21 UHF0489       UHFC Users/Head Office Users/Jenifer Joseph                NOT FOUND
      UHFADC.ummeedhfc.com 31-07-2019 16:01:18 Administrator Users/Administrator                                        UHFADC
      UHFAD.ummeedhfc.com  31-07-2019 16:01:12 UHF0278       UHFC Users/Head Office Users/Chandan Kumar                 NOT FOUND
      UHFAD.ummeedhfc.com  31-07-2019 16:01:02 UHF0140       UHFC Users/Head Office Users/Suman Das                     NOT FOUND
      UHFAD.ummeedhfc.com  31-07-2019 16:01:02 UHF0140       UHFC Users/Head Office Users/Suman Das                     NOT FOUND
      UHFADC.ummeedhfc.com 31-07-2019 16:00:16 UHF0489       UHFC Users/Head Office Users/Jenifer Joseph                NOT FOUND
      UHFADC.ummeedhfc.com 31-07-2019 15:59:49 UHF0166       UHFC Users/Head Office Users/Anand Akshay                  NOT FOUND
      UHFAD.ummeedhfc.com  31-07-2019 15:58:51 UHF0076       UHFC Users/Head Office Users/Shailja Singla                NOT FOUND
      UHFADC.ummeedhfc.com 31-07-2019 15:58:39 UHF0383       UHFC Users/Head Office Users/Amit Kumar                    NOT FOUND
  • I do not get the computer information
    1 Posts | Last post July 24, 2019
    • 1st, the script is beautiful, I loved it.
      
      Upon execution I don't get all the fields you were showing in the example, I only get:
      
      Authenticated DC
      LoggedOn Time (includes time and date)
      User
      
      The information I am required to provide is the last computer users logged on to.
      
      Any help understanding what is still to be done would be greatly appreciated.
      
      Regards,
      Renato Alvares
  • Export Csv
    3 Posts | Last post June 06, 2019
    • How can I export it to CSV? Thanks
      
    • Yes, I think you can.
    • In the PowerShell (PS) console execute the following command from the path where you put the PS script in: 
      
      .\Get_AD_Users_Logon_History.ps1 2>&1  | tee -FilePath <output_path>\output.csv
      
      This gives an export of both output and error.
  • How do I export to .csv
    2 Posts | Last post May 14, 2019
    • Hey, it looks like this script will do what my boss wants.  I just need to figure out how to export to a .csv file.  I'm not a coder, just a simple IT guy.  Would really appreciate the help. Thanks
    • .\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly -OuOnly | Export-Csv Users_Loggedon_History.csv
  • How to Add timeframe?
    1 Posts | Last post March 02, 2019
    • I want to know: can I add a timeframe?
  • run error
    3 Posts | Last post February 19, 2019
    • File C:\Users\administrator\Desktop\Get_AD_Users_Logon_History.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.
      At line:1 char:33
      + .\Get_AD_Users_Logon_History.ps1 <<<<  -MaxEvent 5000 -LastLogonOnly -OuOnly | ft * -autosize
          + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
          + FullyQualifiedErrorId : RuntimeException
      
    • Run the command "set-executionpolicy unrestricted" without the quotes to enable scripting. 
    • Do not run "set-executionpolicy unrestricted" if you are running this directly on a domain controller.
  • Add timeframe?
    4 Posts | Last post February 12, 2019
    • Is it possible to add a timeframe, for example, show all events in the past 24 hours?
      Many thanks
      
    • following
    • +1
    • +2
  • Be aware: this is for English environments...
    1 Posts | Last post December 21, 2018
    • This one is for English-language environments. Alter the script to your language by at least setting the values of User and IP Address in $EventInfo ... otherwise you'll receive "Argument/Parameters/Null" errors...
  • Error Get-ADDomainController
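An added example (not code from the gallery script) that addresses both the timeframe questions above and the language dependence reported in this post: it queries Event ID 4768 for the last N hours and reads the fields from the event XML, whose names do not change with the display language. The function name `Get-TgtRequestSince`, the host name `DC01`, and the decision to skip machine accounts and failed requests are assumptions of this example.

```powershell
# Added example; Get-TgtRequestSince is a hypothetical name, not a function of the gallery script.
function Get-TgtRequestSince {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # run against a domain controller
        [int]$Hours = 24,
        [int]$MaxEvents = 800
    )

    # StartTime is applied by the event log query itself, not by filtering afterwards.
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # An empty result is reported as an error; treat it as "no rows", rethrow the rest.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # EventData names in the XML are identical on every display language,
        # unlike the localized labels in the rendered message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # This example skips machine accounts (name ends in $) and failed requests.
        if ($data['TargetUserName'] -like '*$' -or $data['Status'] -ne '0x0') { continue }

        New-Object PSObject -Property @{
            'Authenticated DC' = $e.MachineName
            'LoggedOn Time'    = $e.TimeCreated
            'User'             = $data['TargetUserName']
            'IP Address'       = $data['IpAddress'] -replace '^::ffff:', ''
        } | Select-Object 'Authenticated DC', 'LoggedOn Time', 'User', 'IP Address'
    }
}

# Usage (DC01 is a placeholder name):
# Get-TgtRequestSince -ComputerName DC01 -Hours 24 | Export-Csv .\tgt_last24h.csv -NoTypeInformation
```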
    1 Posts | Last post December 12, 2018
    • Get-ADDomainController : Directory object not found
      At C:\Users\xxxxxxxx\Desktop\Last logged on.ps1:127 char:23
      + $DomainControllers = (Get-ADDomainController -Filter  { isGlobalCatalog -eq $tru ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (:) [Get-ADDomainController], ADIdentityNotFoundException
          + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M
         icrosoft.ActiveDirectory.Management.Commands.GetADDomainController
      
      Invoke-Command : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Provide an
      argument that is not null or empty, and then try the command again.
      At C:\Users\XXXXXXX\Desktop\Last logged on.ps1:136 char:44
      +     $RemoteJob+= Invoke-Command -ComputerName $_ -ScriptBlock $read_log -ArgumentLi ...
      +                                               ~~
          + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
      