Pulling logon and logoff instormation from AD

michaelcoulter · 2024-01-02T15:29:59.000Z

I have a script that looks for through the Security Events 4624 and 4634 for a single user.

It runs without any problem however it isn’t showing it as logon or Logoff event.

Is there any way of adding the Event ID to the end of the “write-host” relating to it’s ID in the Security Event Log?

The PowerShell script which runs without any issue can be seen below

a username, whose logon history you want to view

$checkuser=‘username’

getting information about the user logon history for the last 14 days (you can change this value)

$startDate = (get-date).AddDays(-14)
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs){
$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {($.eventID -eq 4624) -or ($.eventID -eq 4634)
foreach ($event in $logonevents){
if (($event.ReplacementStrings[5] -notlike ‘*$’) -and ($event.ReplacementStrings[5] -like $checkuser)) {

Network(Logon Type 3)

if ($event.ReplacementStrings[8] -eq 3){
write-host "Type 3: Network LogontDate: "$event.TimeGenerated "tStatus: SuccesstUser: "$event.ReplacementStrings[5] "tWorkstation: "$event.ReplacementStrings[11] "tIP Address: "$event.ReplacementStrings[18] "tDC Name: " $dc.Name
}
}
}
}
}

Neally · 2024-01-02T15:53:15.000Z

If you post code, please use the ‘Insert Code’ button. Please and thank you!

PLEASE READ BEFORE POSTING! Read if you're new to the PowerShell forum! Programming & Development

Hi, and welcome to the PowerShell forum! Don’t apologize for being a “noob” or “newbie” or “n00b.” There’s just no need – nobody will think you’re stupid, and the forums are all about asking questions. Just ask! Use a descriptive subject. Don't say "Need help" or "PowerShell Help", actually summarize what the problem is. It helps the rest of us keep track of which problem is which. Don’t post massive scripts. We’re all volunteers and we don’t have time to read all that, nor will we copy, past…

https://community.spiceworks.com/how_to/187367-write-better-powershell-scripts

Neally · 2024-01-02T16:15:16.000Z

I’d do something like so

$checkuser = '*username*'
$startDate = (get-date).AddDays(-14)
$DCs = Get-ADDomainController -Filter *

foreach ($DC in $DCs) {
    $logonevents = 
    Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | 
    Where-Object { ($_.eventID -eq 4624) -or ($_.eventID -eq 4634) }

    foreach ($event in $logonevents) {
        if (($event.ReplacementStrings[5] -notlike '*$') -and ($event.ReplacementStrings[5] -like "$checkuser")) {
            # Network(Logon Type 3)
            if ($event.ReplacementStrings[8] -eq 3) {
                [pscustomobject]@{
                    "Type 3: Network Logon Date:" = $event.TimeGenerated
                    "Status: Success User: "      = $event.ReplacementStrings[5] 
                    "Workstation: "               = $event.ReplacementStrings[11]
                    "IP Address: "                = $event.ReplacementStrings[18] 
                    "DC Name: "                   = $dc.Name
                    "EventID"                     = $event.InstanceId
                }
            }
        }
    }
}

michaelcoulter · 2024-01-02T16:31:01.000Z

Hi Neally,

Thanks for the updated script however it is showing the logon events (4624) but not the logoff events (4634)

Do you have any idea as to why that is happening - manual search of the security events does show the user I did a search on has both 4624 and 4634 events listed

Cheers

Mike

Neally · 2024-01-02T16:38:54.000Z

michaelcoulter:

Do you have any idea as to why that is happening

kinda

if ($event.ReplacementStrings[8] -eq 3)

it only shows if the logontype is 3 ?

You have to update your code for more.

There was no way for the code to run the way you posted it…

michaelcoulter · 2024-01-03T12:40:04.000Z

Looking at the event logs - it shows as login type 3 for both login and logoff

Neally · 2024-01-03T18:51:59.000Z

michaelcoulter:

Looking at the event logs - it shows as login type 3 for both login and logoff

And all other conditions are met as well? the username matches?

it seems to work for me.

Neally · 2024-01-03T19:23:39.000Z

Neally:

michaelcoulter:

Looking at the event logs - it shows as login type 3 for both login and logoff

And all other conditions are met as well? the username matches?

it seems to work for me.

I stand corrected it does not work I assume as the Logon and Logoff event have different formats, so “$event.ReplacementStrings[5]” only works for logonevents, not logoff

try like so

$checkuser = '*username*'
$startDate = (get-date).AddDays(-14)
$DCs       = Get-ADDomainController -Filter *

foreach ($DC in $DCs) {
    $logonevents = 
    Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | 
    Where-Object { ($_.eventID -eq 4624) -or ($_.eventID -eq 4634) }
    
    foreach ($event in $logonevents) {
        if ( 
                $event.ReplacementStrings[5] -notlike '*$' -and
                (
                    $event.ReplacementStrings[5] -like "$checkuser" -or
                    $event.ReplacementStrings[1] -like "$checkuser"
                )
        ) {
            # Network(Logon Type 3)
            if (
                $event.ReplacementStrings[8] -eq 3 -or
                $event.ReplacementStrings[4] -eq 3
            ) {
                [pscustomobject]@{
                    "Type :"         = $event.ReplacementStrings[8]
                    "Logon Date:"    = $event.TimeGenerated
                    "Status:"        = $event.EntryType
                    "Success User: " = $event.ReplacementStrings[5] 
                    "Workstation: "  = $event.ReplacementStrings[11]
                    "IP Address: "   = $event.ReplacementStrings[18] 
                    "DC Name: "      = $dc.Name
                    "EventID"        = $event.InstanceId
                }
            }
        }
    }
}

michaelcoulter · 2024-01-04T11:34:31.000Z

Hi Neally - that worked perfectly.

Thanks for your help