獲取所有域使用者的登陸歷史資訊指令碼
This script will list the AD users logon information with their logged on computers by inspecting the Kerberos TGT Request
Events(EventID 4768) from domain controllers. Not Only User account Name is fetched, but also users OU path and Computer
Accounts are retrieved. You can also list the history of last logged on users. In Environment where Exchange Servers are
used, the exchange servers authentication request for users will also be logged since it also uses EventID (4768) to for
TGT Request. You can also export the result to CSV file format. Powershell version 3.0 is needed to use the script.
You can Define the following parameters to suite your need:
-MaxEvent Specify the number of all (4768) events to search for TGT Requests. Default is 1000.
-LastLogonOnly Display only the history of last logon users.
-OuOnly Do not display the full path of users/computers. Only OU is displayed.
Author: phyoepaing3.142@gmail.com
Country: Myanmar(Burma)
Released Date: 08/29/2016
Example usage:
.\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly -OuOnly
Example usage:
.\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly -OuOnly
EXAMPLE
.\Get_AD_Users_Logon_History.ps1 -MaxEvent 500 -LastLogonOnly -OuOnly
This command will retrieve AD users logon within 500 EventID-4768 events and show only the last logged users with their
related logged on computers. Only OU name is displayed in results.
EXAMPLE
.\Get_AD_Users_Logon_History.ps1 | Export-Csv Users_Loggedon_History.csv
This command will retrieve AD users logon within default 1000 EventID-4768 events and export the result to CSV file.
Fig-1: Showing Last Logon History with Users and Computer Accounts
Fig-2: Get All Users Logon History
Get_AD_Users_Logon_History.ps1程式碼:
<#
.SYNOPSIS
Script that will list the logon information of AD users.
.DESCRIPTION
This script will list the AD users logon information with their logged on computers by inspecting the Kerberos TGT Request
Events(EventID 4768) from domain controllers. Not Only User account Name is fetched, but also users OU path and Computer
Accounts are retrieved. You can also list the history of last logged on users. In Environment where Exchange Servers are
used, the exchange servers authentication request for users will also be logged since it also uses EventID (4768) to for
TGT Request. You can also export the result to CSV file format. Powershell version 3.0 is needed to use the script.
You can Define the following parameters to suite your need:
-MaxEvent Specify the number of all (4768) events to search for TGT Requests. Default is 1000.
-LastLogonOnly Display only the history of last logon users.
-OuOnly Do not display the full path of users/computers. Only OU is displayed.
Author: phyoepaing3.142@gmail.com
Country: Myanmar(Burma)
Released Date: 08/29/2016
Example usage:
.\Get_AD_Users_Logon_History.ps1 -MaxEvent 800 -LastLogonOnly -OuOnly
.EXAMPLE
.\Get_AD_Users_Logon_History.ps1 | Format-Table * -Auto
This command will retrieve AD users logon within default 1000 EventID-4768 events and display the results as table.
.EXAMPLE
.\Get_AD_Users_Logon_History.ps1 -MaxEvent 500 -LastLogonOnly -OuOnly
This command will retrieve AD users logon within 500 EventID-4768 events and show only the last logged users with their
related logged on computers. Only OU name is displayed in results.
.EXAMPLE
.\Get_AD_Users_Logon_History.ps1 | Export-Csv Users_Loggedon_History.csv
This command will retrieve AD users logon within default 1000 EventID-4768 events and export the result to CSV file.
.PARAMETER MaxEvent
This paraemeter will specify the number of EventID-4768 events to look for.
.PARAMETER LastLogonOnly
This paraemeter will display the history of last logged on users in descending order.
.PARAMETER OuOnly
This paraemeter will show only the OU names for users/computers but not the full path.
.LINK
You can find this script and more at: https://www.sysadminplus.blogspot.com/
#>
param( [switch]$LastLogonOnly,[switch]$OuOnly,[int]$MaxEvent=1000)
############## Find EventID 4768 with user's requesting Kerberos TGT, skipping Exchange Health Mailbox request and extracting Users/Client names,IP Addresses ####
$Domain = (Get-WmiObject Win32_Computersystem).domain
$read_log={
Param ($MaxEvent,$OuOnly,$Domain) ## Define parameter to pass maxevent to scripblock
$EventInfo=Get-WinEvent -FilterHashTable @{LogName="Security";ID=4768} -MaxEvents 200000 | select -first $MaxEvent | where {$_.Message -notmatch "SM_" } | where { $_.Message -notmatch "\$" } |
select @{N="Authenticated DC";Exp={$_.MachineName}},
@{N="LoggedOn Time";Exp={$_.TimeCreated}},
@{N="User"; Exp={ $SplitAccountName=(($_.Message -Split "\n") -match "Account Name") -split ':';$SplitAccountName[$SplitAccountName.Length-1].Trim() }},
@{N="User Location";Exp={}}, @{N="Workstation";Exp={}},
@{N="IP Address"; Exp={if((($_.Message -split "\n") -match "Client Address:").Trim() -match "::1" ) {"localhost"}
else { $SplitClientAddress=(($_.Message -Split "\n") -match "Client Address") -split ':'; $splitClientAddress[$splitClientAddress.Length-1].Trim() }}},
@{N="Computer Location";Exp={}}
$EventInfo | foreach {
$IPAddress=$_."Client Address"
if ($_."IP Address" -eq "localhost")
{ $Client_Name=[system.net.dns]::GetHostbyName($env:computername).hostname }
else
{
###### Resolve the PTR record to find AD computer information ################
#$Client_Name=(Resolve-DnsName $_."IP Address").NameHost
if ((Resolve-dnsname $_."IP Address" -Type PTR -TcpOnly -DnsOnly -ErrorAction "SilentlyContinue").Type -eq "PTR")
{
$Client_Name = (Resolve-dnsname $_."IP Address" -Type PTR -TcpOnly -DnsOnly).NameHost
}
else
{ $Client_Name = "NOT FOUND" }
}
## $_."Authenticated DC"=($_."Authenticated DC" -split "."+$Domain)[0] ##Uncomment this line if you want to strip off domain name in "Authenticated DC" list
$user=$_.user
############# Find the User account in AD and if not found, throw and exception ###########
$Full_User_Property=0
Try ## Need Try statement to test and surpress error
{
$Full_User_Property = (Get-AdUser $_.user -Properties *)
$_."User Location" = $Full_User_Property.CanonicalName.TrimStart($Domain).SubString(1)
}
catch
{ } ## The $_."User Location" is not passed to catch statement thus needing another below statement to set value"
If (!$Full_User_Property)
{ $_."User Location"="NOT FOUND" }
$Full_User_Property=0
If($OuOnly -AND ($_."User Location" -ne "NOT FOUND"))
{
$_."User Location"= $_."User Location".Remove($_."User Location".LastIndexOf("/")) ##Trim the last user name part if -OuOnly flag is set
}
$_."Workstation"=($Client_Name -split "."+$Domain)[0] ## remove the domain suffix
########## Find the Computer account in AD and if not found, throw an exception ###########
$Full_Workstation_Property = 0
Try
{
$Full_Workstation_Property = Get-AdComputer $_."Workstation" -Properties *
$_."Computer Location"= $Full_Workstation_Property.CanonicalName.TrimStart($Domain).SubString(1)
}
catch
{ }
########## Here the catch exception does not work in Invoke session so we need to manually set the "NOT FOUND" value ######
If (!$Full_Workstation_Property)
{ $_."Computer Location" = "NOT FOUND"}
$Full_Workstation_Property=0
If ($OuOnly -AND ($_."Computer Location" -ne "NOT FOUND")) ##Trim the last computer part if -OuOnly flag is set
{
$_."Computer Location"=$_."Computer Location".Remove($_."Computer Location".LastIndexOf("/"))
}
Return $_
}
}
########### Job starts to query replica domain controllers #############
$result=@()
$RemoteJob=@() ## Make array of remote jobs
$DomainControllers = (Get-ADDomainController -Filter { isGlobalCatalog -eq $true -or isGlobalCatalog -eq $false}).Name
############### Start the Local Job and Remote Job to find the event id ################
$LocalJobExists=0
If ($DomainControllers -contains $(hostname)) ## Check if the computer running the script is Domain Controller itself
{
$LocalJob = Start-Job -scriptblock $read_log -ArgumentList $MaxEvent,$OuOnly,$Domain;$LocalJobExists=1 ## If so, start job to query local domain controller
}
$DomainControllers | where {$_ -ne $(hostname)} | foreach { ## Start remote jobs on each other domain controllers
$RemoteJob+= Invoke-Command -ComputerName $_ -ScriptBlock $read_log -ArgumentList $MaxEvent,$OuOnly,$Domain -AsJob
}
If ($LocalJobExists)
{
$result = $LocalJob | Wait-Job | Receive-Job; Remove-Job $LocalJob ## If the computer running the script is not a domain controller(may be RSAT installed), then all jobs will be remote jobs
}
$RemoteJob | foreach { $result+=$_ | Wait-Job | Receive-Job ; Remove-Job $_} ## Wait and Receive remote jobs on each remote DCs and add to Local job result
If ($LastLogonOnly)
{
$result | Sort-Object "LoggedOn Time" -Descending | Group-Object User | foreach { $_ | Select -ExpandProperty Group | select * -First 1 -ExcludeProperty PsComputerName,RunSpaceID,PsShowComputerName } ## the Last LoggedOn time of Each User
}
else
{
$result | Sort-Object "LoggedOn Time" -Descending | Select * -ExcludeProperty PsComputerName,RunSpaceID,PsShowComputerName ## Normal Results
}
已在以下平臺上進行驗證
相關文章
- vpn登陸指令碼指令碼
- shell指令碼自動記錄登入使用者ip和歷史命令指令碼
- 在Java中獲取Android端登陸的裝置資訊JavaAndroid
- oracle登陸限制指令碼Oracle指令碼
- 淘寶API系列:淘寶/天貓獲取商品歷史價格資訊API
- Ubuntu 14.04 更新 Nautilus 和加入登陸歷史Ubuntu
- Python 指令碼之獲取CPU資訊Python指令碼
- oracle登陸設定指令碼Oracle指令碼
- 【DataGuarad】獲取standby 庫的配置資訊的指令碼指令碼
- 獲取top N cpu pid的sql資訊指令碼SQL指令碼
- 根據微信code獲取換取使用者登入態資訊
- securt crt 自動登陸指令碼指令碼
- 微信小程式授權登入獲取使用者資訊微信小程式
- vbs指令碼獲取Am註冊路徑資訊指令碼
- 獲取linux伺服器基本資訊指令碼Linux伺服器指令碼
- 資料庫會話記錄使用者登陸的密碼資訊資料庫會話密碼
- 在非同步方法中獲取登陸使用者時出現的問題非同步
- Spring Security - 獲取當前登入使用者的詳細資訊Spring
- 登陸了系統,但有些時候獲取不到使用者名稱
- 點贊功能模組-獲取使用者詳情與點贊過的歷史文章
- python 獲取excel資料 自動登陸PythonExcel
- 微信小程式維護登入態與獲取使用者資訊微信小程式
- 刪除公司程式碼級別下所有FI操作和資產歷史折舊資訊
- oracle獲取ddl指令碼Oracle指令碼
- ThinkPHP5-微信小程式獲取使用者授權登入資訊PHP微信小程式
- 歷史上的今天獲取介面程式碼
- 新使用者首次登陸修改密碼密碼
- App 第三方登入獲取使用者資訊 支付寶登入後端程式碼參考APP後端
- 按 F12獲取登陸資料,一鍵登陸巴西衛生部資料庫資料庫
- SSH安全登陸原理:密碼登陸與公鑰登陸密碼
- 批次過程獲取指令碼指令碼
- 【HIVE】hive 使用shell指令碼跑歷史資料Hive指令碼
- DBMS_METADATA.GET_DDL獲取使用者ddl指令碼指令碼
- 使用者登陸驗證資訊的資料結構設計資料結構
- 微信小程式 獲取使用者資訊微信小程式
- Linux使用者密碼後不能登陸(回到原登陸狀態)問題Linux密碼
- 見過最全的獲取資料庫資訊的指令碼--生成html的報告資料庫指令碼HTML
- Solaris10所有使用者無法登陸CDE及JAVA介面Java