我一直在编写一个脚本来显示已登录到其终端服务器的每个用户的最后一次登录。
如果脚本不在域上,但是当它们在域上时,它将显示未登录到该特定服务器的用户。
我有没有办法将脚本编辑到只显示已登录该特定服务器的用户的位置?
以下是代码:
#This script will check which users have logged on in the last X days
#Set Variables
#Change the number in the parenthesis after adddays to change how far back
to filter
#example (get-date).adddays(-30) gets all logins for the last 30 days from
today (-60) would be the last 60 days
$AuditDate = Get-Date (get-date).adddays(-30) -format "MM/dd/yyyy h:mm:ss
tt"
$ComputerName = $env:COMPUTERNAME
$CurrentDate = Get-Date -UFormat "%Y-%m-%d"
#Delete any previously created files
Get-ChildItem -Path "C:\PowerShellScripts\LastLogon\Results" -Recurse |
Where-Object CreationTime -lt (Get-Date).AddDays(-0) | Remove-Item -
ErrorAction SilentlyContinue
#The Login Profile is filtered here
Get-WmiObject -class Win32_NetworkLoginProfile -ComputerName $ComputerName|
#Where-Object -FilterScript {$_.LogonServer -like $ComputerName}|
Where-Object -FilterScript {$_.FullName -notlike "*Agvance*"} |
Where-Object -FilterScript {$_.FullName -notlike "*Sophos*"} |
Where-Object -FilterScript {$_.FullName -ne "AgvAdmin"} |
Where-Object -FilterScript {$_.FullName -ne ""} |
Where-Object {$_.Name -notlike "*ssi1*"}|
Where-Object {$_.Name -notlike "*ssi2*"}|
Where-Object {$_.Name -notlike "*ssi3*"}|
Where-Object {$_.Name -notlike "*ssi4*"}|
Where-Object {$_.Name -notlike "*ssi5*"}|
Where-Object {$_.Name -notlike "*ssi6*"}|
Where-Object {$_.Name -notlike "*ssi7*"}|
Where-Object {$_.Name -notlike "*ssi8*"}|
Where-Object {$_.Name -notlike "*ssi9*"}|
Where-Object {$_.Name -notlike "*ssiadmin*"}|
Where-Object -FilterScript {$_.Name -notlike "*SYSTEM*"} |
Where-Object -FilterScript {$_.Name -notlike "*SERVICE*"} |
Where-Object -FilterScript {!
[System.String]::IsNullOrWhiteSpace($_.LastLogon)} |
Where-Object -FilterScript {$_.ConvertToDateTime($_.LastLogon) -ge
$AuditDate} |
Select-Object Name,LogonServer,@{label='LastLogon';expression=
{$_.ConvertToDateTime($_.LastLogon)}} -ErrorAction SilentlyContinue | sort-
object Name | Export-Csv
C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NoTypeInformation
#Extra filter to filter out SSI users
#Import-Csv C:\PowerShellScripts\Results\LastLogon.csv | Where-Object
{$_.Name -notlike "*ssi*"} |Export-Csv
C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NoTypeInformation -Force
#The user count is created here
$number = (Import-Csv C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv |
measure | % { $_.Count})
#The file is renamed to include computername, date, and user count
rename-item -path C:\PowerShellScripts\Lastlogon\Results\LastLogon.csv -NewName C:\PowerShellScripts\Lastlogon\Results\LastLogon-$ComputerName-$CurrentDate-UserCount-$number.csv
答案 0 :(得分:0)
您可以尝试一下,看看它是否能满足您的需求。
$time = (Get-Date) – (New-TimeSpan -Day 30)
# You can additional filters in ? { $_.Properties[1].Value -ne 'SYSTEM' } by
# modifying it with -and statements
# i.e. ? { ($_.Properties[1].Value -ne 'SYSTEM') -and ($_.Properties[1].Value -ne 'USER')}
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672;starttime=$time} -ComputerName $ComputerName | ? { $_.Properties[1].Value -ne 'SYSTEM' } | select @{N='User';E={$_.Properties[1].Value}}, @{N='TimeCreated';E={$_.TimeCreated}}