PowerShell script for finding AD user last log on times via RDP to a TS cluster

Viewing 3 reply threads
  • Author
    • #1557588
      Peter Line
      Member Points: 321
      Rank: 2


      I’ve been tasked with checking a specific AD user account for it’s last logged on times over past 30 days into a TS cluster of three terminal servers.  I’ve tried trawling multiple event logs and filtering but every time the specific user filter is applied, the results come back with zero.

      Is there a PowerShell script that could be slightly adjusted with the required details to find what I am after?


    • #1557590
      Michael Pietroforte
      Member Points: 41,075
      Author of the year 2018
      Rank: 4

      Maybe you can find here what you need. But I guess if you can’t find the user account in the event log and you are sure that the user logged on, something with your search went wrong. Try to login with your own account and see if you can find this account. That way you can confirm that your filter works.

    • #1557616
      David Figueroa
      Member Points: 5,164
      Rank: 3

      If your security logs go back far enough and your RDS is new enough, you should be able to scour the Security Eventlogs of those RDS servers looking for Remote Interactive logins (I believe it’s type 11).  However, the security logs rarely go back 30 full days.  If your DC logs go back far enough you *might* be able to find the authentication records for them.  But, going that far back is tough.

      If this is going to be repeat operation, then the absolute best thing to do is to configure a tiny vbscript that will store the username & timestamp of the user logins to a central record for the servers.  I wrote a blog article on this subject years ago that still gets 200-300 views a month.  https://davidrfigueroa.wordpress.com/2013/12/01/usrlogon-cmd-processing/

      David F.

    • #1557657
      Member Points: 0
      Rank: 1

      I am curious to know, what command have you tried on the TS Cluster?
      If you put your username, do you get some results?

Viewing 3 reply threads
  • You must be logged in to reply to this topic.
© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account