Get All AD Users Logon History with their Logged on Computers (with IPs) & OUs

This script lists AD users' logon information together with the computers they logged on to, by inspecting the Kerberos TGT request events (Event ID 4768) on domain controllers. Not only the user account name is fetched; the user's OU path and the computer accounts are retrieved as well. You can

Active Directory
5/10/2017
  • error running the script
    1 Posts | Last post March 07, 2020
    • Apologies in advance if this seems like a basic question; I have an AD server with ADFS to Office 365. When I run this script in PowerShell ISE (as administrator)
      
       Connecting to remote server  failed with the following error message : The WinRM client sent a 
      request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support 
      the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic.
          + CategoryInfo          : OpenError: (:String) [], PSRemotingTransportException
          + FullyQualifiedErrorId : URLNotAvailable,PSSessionStateBroken
      [] Connecting to remote server  failed with the following error message : The WinRM client sent a 
      request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support 
      the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic.
          + CategoryInfo          : OpenError: (:String) [], PSRemotingTransportException
          + FullyQualifiedErrorId : URLNotAvailable,PSSessionStateBroken 
      
      
      Would appreciate any guidance on the same.
      
      Many thanks in advance
      
  • Script Not Working Correctly
    1 Posts | Last post January 08, 2020
    • I am running a DC on Windows Server 2016 Standard, and in my DC's Security event viewer I am not able to find 4768 Event ID logs. When I checked, the same information is being logged under the '4624' Event ID.
      
      I replaced Event ID '4768' with '4624' in the script; still this is not working.
      
      Below is the error I am getting in PowerShell after script execution. It is finding some useful information while missing some info like the IP address.
      
      Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument 
      that is not null or empty, and then try the command again.
          + CategoryInfo          : InvalidData: (:) [Resolve-DnsName], ParameterBindingValidationExcep 
         tion
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.DnsClient.Commands.Resol 
         veDnsName
          + PSComputerName        : localhost
       
      Authenticated DC  : WIN-61UCL0OR236.ram.local
      LoggedOn Time     : 1/6/2020 11:37:12 AM
      User              : durgesh
      User Location     : Users/durgesh
      Workstation       : 
      IP Address        : 
      Computer Location : NOT FOUND
      
      
      
      Please check the above error and advise on the same. Thank you.
      
      Deepraj Gupta
      Email ID :deeprajgupta12@gmail.com
      
      
  • Added display names
    1 Posts | Last post December 30, 2019
    • I have added the retrieval of the display names to the script.
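      # Read the saved report, skipping its first three lines
      $list = Get-Content -Path C:\Tools\Server_Specific\logons$day.txt | Select-Object -Skip 3
      $output = foreach ($line in $list) {
          # Everything from character offset 34 onward is taken as the user ID
          $userid = $line.Substring(34).Trim()
          (Get-ADUser -Identity $userid -Properties DisplayName).DisplayName
      }
      # Append the display names to the same report file
      $output | Out-File C:\Tools\Server_Specific\logons$day.txt -Append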
      
  • German version with fixes 2019/11
    1 Posts | Last post November 25, 2019
    • See https://pastebin.com/GjmJWqfA
      
      - Fixed wrong DNS column if resolve failed taking over last entry's result
      - Note the translated event result rows (German); replace with English strings if desired.
      
  • The term 'Resolve-dnsname' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    3 Posts | Last post August 12, 2019
    • Hello all. 
      
      I am trying to execute this script on Windows Server 2008 R2, but I get the following (error) message: 
      
      The term 'Resolve-dnsname' is not recognized as the name of a cmdlet, function,
       script file, or operable program. Check the spelling of the name, or if a path
       was included, verify that the path is correct and try again.
          + CategoryInfo          : ObjectNotFound: (Resolve-dnsname:String) [], Com 
         mandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
          + PSComputerName        : localhost
      
      What can I do to run the script correctly?
    • After some searching on the internet, I found the following workaround. Instead of using: 
      
      Resolve-dnsname $_."IP Address" 
      
      You can make use of: 
      
      [System.Net.Dns]::GetHostEntry('<hostname_or_ip_address>')
    • Hi, I'm having the same problem.
      But I don't know how to type the ('<hostname_or_ip_address>') part.
      Please give me your advice.
      
      I typed that part as below :
      Resolve-dnsname $_."IP Address" to [System.Net.Dns]::GetHostEntry('<hostname_or_ip_address>')
      
      Then, I ran this script as Bypass function.
      
      PS> powershell.exe -ExecutionPolicy Bypass -File .\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly -OuOnly
      
      Here's the result.
      ---------------------------------------------------------------------------------------------------------------
      The term 'Get-ADDomainController' is not recognized as the name of a cmdlet, function, script file, or operable program
      . Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
      At C:\Users\_adm_J.Choi\Get_AD_Users_Logon_History.ps1:137 char:45
      + $DomainControllers = (Get-ADDomainController <<<<  -Filter  { isGlobalCatalog -eq $true -or isGlobalCatalog -eq $fals
      e}).Name
          + CategoryInfo          : ObjectNotFound: (Get-ADDomainController:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
      
      Invoke-Command : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Supply an argumen
      t that is not null or empty and then try the command again.
      At C:\Users\_adm_J.Choi\Get_AD_Users_Logon_History.ps1:146 char:43
      +     $RemoteJob+= Invoke-Command -ComputerName <<<<  $_ -ScriptBlock $read_log -ArgumentList $MaxEvent,$OuOnly,$Domain
       -AsJob
          + CategoryInfo          : InvalidData: (:) [Invoke-Command], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
      -----------------------------------------------------------------------------------------------------------------
      
      I'm a newbie, but I really need this script. Please help.
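
The workaround discussed in this thread, written out as an added example (not part of the original script or of any post above). The function name Resolve-LogonHost and the sample addresses are hypothetical; the sketch uses Resolve-DnsName where it exists, falls back to [System.Net.Dns]::GetHostEntry on older hosts, and never hands an empty address to either resolver.

```powershell
# Added example: Resolve-LogonHost is a hypothetical helper, not the script's own code.
function Resolve-LogonHost {
    param([string]$IpAddress)

    # Some events carry no client address (empty or '-'); passing that on is what
    # produces "Cannot validate argument on parameter 'Name'".
    if ([string]::IsNullOrEmpty($IpAddress)) { return 'NOT FOUND' }

    # Domain controllers often log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    $ip = $IpAddress.Trim() -replace '^::ffff:', ''
    if ($ip -eq '' -or $ip -eq '-') { return 'NOT FOUND' }

    try {
        if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
            # DnsClient module: Windows Server 2012 / Windows 8 and later.
            $ptr = Resolve-DnsName -Name $ip -ErrorAction Stop |
                Where-Object { $_.NameHost } |
                Select-Object -First 1
            if ($ptr) { return $ptr.NameHost }
            return 'NOT FOUND'
        }

        # Older hosts such as Windows Server 2008 R2: use the .NET resolver instead.
        $name = [System.Net.Dns]::GetHostEntry($ip).HostName
        if ($name -and $name -ne $ip) { return $name }
        return 'NOT FOUND'
    }
    catch {
        # A failed lookup yields a fresh 'NOT FOUND' rather than a stale earlier result.
        return 'NOT FOUND'
    }
}

# Constructed sample input: an empty value, a dash, and a mapped loopback address.
foreach ($sample in '', '-', '::ffff:127.0.0.1') {
    '{0,-20} -> {1}' -f "'$sample'", (Resolve-LogonHost -IpAddress $sample)
}
```

Because every call returns its own value, a failed lookup cannot inherit the previous row's host name, which is the DNS column problem the German version thread mentions fixing.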
  • I am unable to fetch logged on host names.
    1 Posts | Last post July 31, 2019
    • Authenticated DC     LoggedOn Time       User          User Location                                              Workstatio
      ----------------     -------------       ----          -------------                                              ----------
      UHFADC.ummeedhfc.com 31-07-2019 16:05:02 Administrator Users/Administrator                                        UHFADC
      UHFADC.ummeedhfc.com 31-07-2019 16:02:26 Administrator Users/Administrator                                        UHFADC
      UHFADC.ummeedhfc.com 31-07-2019 16:01:21 UHF0489       UHFC Users/Head Office Users/Jenifer Joseph                NOT FOUND
      UHFADC.ummeedhfc.com 31-07-2019 16:01:18 Administrator Users/Administrator                                        UHFADC
      UHFAD.ummeedhfc.com  31-07-2019 16:01:12 UHF0278       UHFC Users/Head Office Users/Chandan Kumar                 NOT FOUND
      UHFAD.ummeedhfc.com  31-07-2019 16:01:02 UHF0140       UHFC Users/Head Office Users/Suman Das                     NOT FOUND
      UHFAD.ummeedhfc.com  31-07-2019 16:01:02 UHF0140       UHFC Users/Head Office Users/Suman Das                     NOT FOUND
      UHFADC.ummeedhfc.com 31-07-2019 16:00:16 UHF0489       UHFC Users/Head Office Users/Jenifer Joseph                NOT FOUND
      UHFADC.ummeedhfc.com 31-07-2019 15:59:49 UHF0166       UHFC Users/Head Office Users/Anand Akshay                  NOT FOUND
      UHFAD.ummeedhfc.com  31-07-2019 15:58:51 UHF0076       UHFC Users/Head Office Users/Shailja Singla                NOT FOUND
      UHFADC.ummeedhfc.com 31-07-2019 15:58:39 UHF0383       UHFC Users/Head Office Users/Amit Kumar                    NOT FOUND
  • I do not get the computer information
    1 Posts | Last post July 24, 2019
    • 1st, the script is beautiful, I loved it.
      
      Upon execution I don't get all the fields you were showing in the example, I only get:
      
      Authenticated DC
      LoggedOn Time (includes time and date)
      User
      
      The information I am required to provide is the last computer users logged on to.
      
      Any help understanding what is still to be done would be greatly appreciated.
      
      Regards,
      Renato Alvares
  • Export Csv
    3 Posts | Last post June 06, 2019
    • How can I export it to CSV? Thanks
      
    • Yes, I think you can.
    • In the PowerShell (PS) console execute the following command from the path where you put the PS script in: 
      
      .\Get_AD_Users_Logon_History.ps1 2>&1 | tee -FilePath <output_path>\output.csv
      
      This gives an export of both output and error.
  • How do I export to .csv
    2 Posts | Last post May 14, 2019
    • Hey, it looks like this script will do what my boss wants.  I just need to figure out how to export to a .csv file.  I'm not a coder, just a simple IT guy.  Would really appreciate the help. Thanks
    • .\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly -OuOnly | Export-Csv Users_Loggedon_History.csv
  • How to Add timeframe?
    1 Posts | Last post March 02, 2019
    • I want to know: can I add a timeframe?
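
One way to limit the Event ID 4768 query to a time window, as an added example (not the script's own code and not from any post above). The function name Get-TgtRequestEvent, its parameter names and its defaults are assumptions; the fields are read from the event XML by name, so the result does not depend on the display language of the domain controller.

```powershell
# Added example: Get-TgtRequestEvent and its parameters are hypothetical names.
function Get-TgtRequestEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,        # domain controller to query
        [datetime]$StartTime  = (Get-Date).AddDays(-1),   # assumed default: last 24 hours
        [datetime]$EndTime    = (Get-Date),
        [int]$MaxEvents       = 800
    )

    # Filtering happens in the event log service, so only events inside the window are returned.
    $filter = @{
        LogName   = 'Security'
        Id        = 4768
        StartTime = $StartTime
        EndTime   = $EndTime
    }

    # Get-WinEvent raises an error when no event matches the window.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Index EventData by field name rather than by position or message text.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            New-Object PSObject -Property @{
                'Authenticated DC' = $_.MachineName
                'LoggedOn Time'    = $_.TimeCreated
                'User'             = $data['TargetUserName']
                'IP Address'       = $data['IpAddress'] -replace '^::ffff:', ''
                'Status'           = $data['Status']
            }
        }
}

# Constructed usage: TGT requests during one day, exported to CSV.
# Get-TgtRequestEvent -StartTime '2019-03-01' -EndTime '2019-03-02' |
#     Export-Csv Users_Loggedon_History.csv -NoTypeInformation
```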