PowerShell script for finding AD user last log on times via RDP to a TS cluster

    • #1557588
      Peter Line
      Participant
      Member Points: 321
      Rank: 2

      Hi,

      I’ve been tasked with checking a specific AD user account for its last logged on times over the past 30 days into a TS cluster of three terminal servers. I’ve tried trawling multiple event logs and filtering but every time the specific user filter is applied, the results come back with zero.

      Is there a PowerShell script that could be slightly adjusted with the required details to find what I am after?

      Thanks!

    • #1557590
      Michael Pietroforte
      Keymaster
      Member Points: 41,075
      Author of the year 2018
      Rank: 4

      Maybe you can find here what you need. But I guess if you can’t find the user account in the event log and you are sure that the user logged on, something with your search went wrong. Try to log in with your own account and see if you can find this account. That way you can confirm that your filter works.

    • #1557616
      David Figueroa
      Participant
      Member Points: 5,164
      Rank: 3

      If your security logs go back far enough and your RDS is new enough, you should be able to scour the Security Eventlogs of those RDS servers looking for Remote Interactive logins (I believe it’s type 11).  However, the security logs rarely go back 30 full days.  If your DC logs go back far enough you *might* be able to find the authentication records for them.  But, going that far back is tough.

      If this is going to be a repeat operation, then the absolute best thing to do is to configure a tiny vbscript that will store the username & timestamp of the user logins to a central record for the servers. I wrote a blog article on this subject years ago that still gets 200-300 views a month. https://davidrfigueroa.wordpress.com/2013/12/01/usrlogon-cmd-processing/

      David F.
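
Added example, not part of any post in this thread: one way to run the Security log search described above across the three terminal servers. It reads successful-logon events (ID 4624) with logon type 10, the value Windows records for RemoteInteractive (RDP) sessions, and matches the account against the `TargetUserName` field in the event data. The server names and the account name are placeholders.

```powershell
# Placeholders (assumptions, not from the thread): server names and account name.
$Servers = 'TS01', 'TS02', 'TS03'
$User    = 'jdoe'     # sAMAccountName only, without the domain prefix
$Days    = 30

# Server-side filter: 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
$ms    = [int64]$Days * 86400000
$XPath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]]" +
         " and *[EventData[Data[@Name='LogonType']='10']]"

$logons = foreach ($Server in $Servers) {
    try {
        # Show how far back this server's Security log actually reaches.
        $oldest = Get-WinEvent -ComputerName $Server -LogName Security -Oldest -MaxEvents 1 -ErrorAction Stop
        Write-Host ('{0}: Security log starts at {1}' -f $Server, $oldest.TimeCreated)

        Get-WinEvent -ComputerName $Server -LogName Security -FilterXPath $XPath -ErrorAction Stop |
            ForEach-Object {
                $evt  = $_
                $data = @{}
                foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                # The account is in EventData (TargetUserName), not in the event's own User field.
                if ($data['TargetUserName'] -ieq $User) {
                    [pscustomobject]@{
                        Server   = $Server
                        Time     = $evt.TimeCreated
                        Account  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                        SourceIP = $data['IpAddress']
                    }
                }
            }
    }
    catch {
        # Get-WinEvent also raises an error when no event matches the filter on this server.
        Write-Warning ('{0}: {1}' -f $Server, $_.Exception.Message)
    }
}

$logons | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it with an account that is allowed to read the Security log remotely on each server. If the reported log start date is less than 30 days back, the older logons are no longer in that server's log.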

    • #1557657
      Anonymous
      Inactive
      Member Points: 0
      Rank: 1

      I am curious to know, what command have you tried on the TS Cluster?
      If you put your username, do you get some results?

© 4sysops 2006 - 2023