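Recently I needed to get a list of successful logins for a group of users, across all domain workstations. The best way is to interrogate the Security Event Log on each Domain Controller. Here is a PowerShell script that does just that. One caveat: event 4624 is written on the computer where the logon session is created, so the logon type 2 and type 10 entries this script reads from the Domain Controllers are logons on the Domain Controllers themselves; a logon on a workstation is recorded in that workstation's own Security log.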
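# Enumerate every Domain Controller in the current domain.
# Get-ADDomainController comes from the ActiveDirectory module.
$DCs = Get-ADDomainController -Filter *
# Start of the reporting window (default: the last 24 hours).
$startDate = (Get-Date).AddDays(-1)
# Report file name. This is a bare name with no path, so where it lands
# depends on how it is used when the report is written (not shown here).
$filename = "exported_successful_logins.csv"
# Collect successful-logon events (ID 4624) newer than $startDate from the
# Security log of each DC.
# NOTE(review): 4624 is logged on the machine where the logon session is
# created, so a DC's log holds logons to that DC, not to workstations.
# NOTE(review): Get-EventLog exists only in Windows PowerShell; Get-WinEvent
# is the replacement, but it returns a different object type.
$slogonevents = [System.Collections.ArrayList]@()
foreach ($DC in $DCs)
{
    try
    {
        # The Message filter is a case-insensitive substring match over the
        # whole event text. It is meant to drop null-SID (S-1-0-0) entries and
        # the DWM-*/UMFD-* system accounts, but it also drops any event whose
        # text happens to contain those strings (e.g. in a user or host name).
        Get-EventLog -LogName Security -ComputerName $DC.HostName -After $startDate -EntryType SuccessAudit -InstanceId 4624 -ErrorAction Stop |
            Where-Object { ($_.Message -notlike "*S-1-0-0*") -and ($_.Message -notlike "*DWM*") -and ($_.Message -notlike "*UMFD*") } |
            ForEach-Object { $slogonevents.Add($_) } | Out-Null
    }
    catch
    {
        # Name the DC that returned nothing so a gap in the report is visible
        # instead of silently missing; the loop carries on with the next DC.
        # Get-EventLog also raises an error when no entries match the filter.
        Write-Warning ("No events collected from {0}: {1}" -f $DC.HostName, $_.Exception.Message)
    }
}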
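# Reduce the raw events to report rows: logon type, time, account, workstation.
$collection = [System.Collections.ArrayList]@()
foreach ($e in $slogonevents)
{
    # ReplacementStrings holds the event's insertion strings. The indexes used
    # below for 4624 are: 5 = target account name, 8 = logon type,
    # 11 = workstation name.
    # NOTE(review): the source IP address is not captured. In the standard 4624
    # layout it is a separate field (IpAddress, presumably index 18 - verify).
    $logonType = $e.ReplacementStrings[8]

    # Only interactive (type 2) and RemoteInteractive/RDP (type 10) logons are
    # reported; every other logon type is skipped.
    $typeName = $null
    if ($e.EventID -eq 4624)
    {
        if ($logonType -eq 2) { $typeName = "Local" }
        elseif ($logonType -eq 10) { $typeName = "Remote" }
    }

    # Skip anything unclassified so no null row is added to the report.
    if ($null -eq $typeName) { continue }

    $item = [PSCustomObject]@{
        Type        = $typeName
        Date        = $e.TimeGenerated
        User        = $e.ReplacementStrings[5]
        Workstation = $e.ReplacementStrings[11]
    }
    $collection.Add($item) | Out-Null
}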