Scripts/OS/LastInteractiveUser.ps1
|
#$ComputerName=$env:COMPUTERNAME #$Win32_LocalTime=Get-WmiObject -Class Win32_LocalTime -Namespace root\cimv2 -ComputerName $ComputerName #$Win32_ComputerSystem=Get-WmiObject -Class Win32_ComputerSystem -Namespace root\cimv2 -ComputerName $ComputerName $LastInteractiveUser=$Win32_ComputerSystem.username if ($LastInteractiveUser -eq $null) { if ($Protocol -eq "WSMAN") { try { $Script:FoundEvent=$false Get-EventLog -LogName Security -InstanceId 4624 | Where-Object {$_.ReplacementStrings -eq 2} | foreach { Write-Verbose "$Computername Found Type2 event" $Type2Event=$_ [array]$Messages=$Type2Event.ReplacementStrings | Select-Object -First 10 $SelectMessage=$Messages | Select-String -Pattern "S-1-5-21.+" -Context 2 if ($SelectMessage -ne $null) { Write-Verbose "$Computername Found interactive user" $UserName=$SelectMessage.Context.PostContext[0] $UserDomain=$SelectMessage.Context.PostContext[1] $UserSid=$SelectMessage.Line $FullName=$UserDomain+"\$UserName" #$LoginTime=$WmiObject.ConvertToDateTime($($Type2Event.TimeGenerated)) #$PsObject=New-Object -TypeName psobject #$PsObject | Add-Member -MemberType NoteProperty -Name FullName -Value $FullName #$PsObject | Add-Member -MemberType NoteProperty -Name LoginTime -Value $LoginTime #$PsObject $FullName $Script:FoundEvent=$True throw } } }catch{} if (!($Script:FoundEvent)) { Write-Verbose "$Computername Interactive user not found" -Verbose } } else { [int]$SeeHours=12 [int]$MaxHours=1440 #(60 days) if ($Credential) { $Win32_LocalTime=Get-WmiObject -Class Win32_LocalTime -Namespace root\cimv2 -ComputerName $ComputerName -Credential $Credential } else { $Win32_LocalTime=Get-WmiObject -Class Win32_LocalTime -Namespace root\cimv2 -ComputerName $ComputerName } $currentDate= Get-Date -Year $Win32_LocalTime.Year -Month $Win32_LocalTime.Month -Day $Win32_LocalTime.Day -Hour $Win32_LocalTime.Hour -Minute $Win32_LocalTime.Minute -Second $Win32_LocalTime.Second [int]$Script:CurentHoursCount=0 function GetEvent { [cmdletbinding()] param( [parameter(Mandatory=$true)] [int]$SeeHours, [parameter(Mandatory=$true)] $StartDate, [parameter(Mandatory=$true)] [int]$MaxHours ) [wmi]$WmiObject='' $DateHoursAgo=$StartDate.AddHours(-$SeeHours) $WmiStartDate=$WmiObject.ConvertFromDateTime($StartDate) $WmiDateHoursAgo=$WmiObject.ConvertFromDateTime($DateHoursAgo) Write-Verbose "$ComputerName GetEvents Start $StartDate End $DateHoursAgo" if ($Credential) { [array]$LogEntries=get-wmiobject -query "Select * From Win32_NTLogEvent Where LogFile = 'Security' and TimeWritten < '$WmiStartDate' And TimeWritten > '$WmiDateHoursAgo' And EventCode = 4624" -Namespace root\cimv2 -ErrorAction Stop -ComputerName $ComputerName -Credential $Credential } else { [array]$LogEntries=get-wmiobject -query "Select * From Win32_NTLogEvent Where LogFile = 'Security' and TimeWritten < '$WmiStartDate' And TimeWritten > '$WmiDateHoursAgo' And EventCode = 4624" -Namespace root\cimv2 -ErrorAction Stop -ComputerName $ComputerName } if ($LogEntries.count -ge 1) { $Type2Events=$LogEntries | Where-Object {$_.InsertionStrings -eq 2} if ($Type2Events -ne $null) { foreach ($Type2Event in $Type2Events) { [array]$Messages=$Type2Event.InsertionStrings | Select-Object -First 10 $SelectMessage=$Messages | Select-String -Pattern "S-1-5-21.+" -Context 2 if ($SelectMessage -ne $null) { $UserName=$SelectMessage.Context.PostContext[0] $UserDomain=$SelectMessage.Context.PostContext[1] $UserSid=$SelectMessage.Line $FullName=$UserDomain+"\$UserName" #$LoginTime=$WmiObject.ConvertToDateTime($($Type2Event.TimeGenerated)) #$PsObject=New-Object -TypeName psobject #$PsObject | Add-Member -MemberType NoteProperty -Name FullName -Value $FullName #$PsObject | Add-Member -MemberType NoteProperty -Name LoginTime -Value $LoginTime #$PsObject $FullName $Script:FoundEvent=$True break } } } else { Write-Verbose "No interactive logon records for last $SeeHours hour(s)" } } $Script:CurentHoursCount+=$SeeHours Write-Verbose "$Script:CurentHoursCount $SeeHours" $LastLogEntry=$LogEntries | Select-Object -Last 1 if ($Script:CurentHoursCount -lt $MaxHours -and !($Script:FoundEvent)) { GetEvent -StartDate $DateHoursAgo -SeeHours $SeeHours -MaxHours $MaxHours } elseif(!($Script:FoundEvent)) { Write-Verbose "$ComputerName Interactive user not found for last $MaxHours Hour(s)" -Verbose } } GetEvent -StartDate $CurrentDate -SeeHours $SeeHours -MaxHours $MaxHours } } else { $LastInteractiveUser } |