PowerShell

[Peter Line]

Hi,

I’ve been tasked with checking a specific AD user account for it’s last logged on times over past 30 days into a TS cluster of three terminal servers.  I’ve tried trawling multiple event logs and filtering but every time the specific user filter is applied, the results come back with zero.

Is there a PowerShell script that could be slightly adjusted with the required details to find what I am after?

Thanks!

[Michael Pietroforte]

Maybe you can find here what you need. But I guess if you can’t find the user account in the event log and you are sure that the user logged on, something with your search went wrong. Try to login with your own account and see if you can find this account. That way you can confirm that your filter works.

[David Figueroa]

If your security logs go back far enough and your RDS is new enough, you should be able to scour the Security Eventlogs of those RDS servers looking for Remote Interactive logins (I believe it’s type 11).  However, the security logs rarely go back 30 full days.  If your DC logs go back far enough you *might* be able to find the authentication records for them.  But, going that far back is tough.

If this is going to be repeat operation, then the absolute best thing to do is to configure a tiny vbscript that will store the username & timestamp of the user logins to a central record for the servers.  I wrote a blog article on this subject years ago that still gets 200-300 views a month.  https://davidrfigueroa.wordpress.com/2013/12/01/usrlogon-cmd-processing/

David F.

[Anonymous]

I am curious to know, what command have you tried on the TS Cluster?
If you put your username, do you get some results?

[Author]

Posts