functions/local/Get-LocalUserStatistics.ps1
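function Get-LocalUserStatistics {
    <#
    .SYNOPSIS
    Collects logon-related event log records for one local account.

    .DESCRIPTION
    Runs three event log queries and returns them together with the time of
    the most recent successful logon:

      * TerminalServices-LocalSessionManager/Operational, EventID 41, kept
        when the first event property ends in "\<Name>".
      * Security, EventID 4624, where TargetUserSid equals SID.
      * Security, EventID 4625, where TargetUserName equals Name.

    Points to keep in mind when reading the result:

      * The 4624 query does not filter on logon type, so LastLogon is the
        newest successful logon of any kind, not only an interactive one.
      * The 4625 query and the RDP filter match on the account name alone,
        so an account with the same name in another domain is included.
      * An empty result is reported as "no events"; any other query failure
        (for example, no permission to read the Security log) is still
        written to the error stream so the two cases are not confused.

    .PARAMETER Name
    Account name without a domain or computer prefix. Names containing a
    single quote are rejected because they cannot be placed in the
    single-quoted XPath literal used by the Security log filter.

    .PARAMETER SID
    Account SID in string form (S-1-...).

    .OUTPUTS
    PSCustomObject with ComputerName, UserName, UserSID, LastLogon,
    RDPEvents, LogonEvents and LogonErrors. LastLogon is $null when no
    successful logon event was found.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]
        $Name,

        [Parameter(Mandatory = $true)]
        [string]
        $SID
    )

    # Both values are interpolated into XPath filters below, so they are
    # checked first: anything that could close the quoted literal would
    # change what the filter selects.
    if ($SID -notmatch '^S-1-\d+(-\d+)+$') {
        throw [System.ArgumentException] "SID '$SID' is not in S-1-... string form."
    }
    if ($Name.Contains("'")) {
        throw [System.ArgumentException] "Name [$Name] contains a single quote and cannot be used in the event log filter."
    }

    # The XPath sits inside an XML document, so &, < and > must be escaped.
    $xmlName = [System.Security.SecurityElement]::Escape($Name)

    # -like treats [ ] * ? as wildcards; escape them so the name is literal.
    $rdpPattern = '*\' + [System.Management.Automation.WildcardPattern]::Escape($Name)

    # Get-WinEvent raises an error when a filter matches nothing. That is a
    # normal outcome here, so only that one error is suppressed; every other
    # failure is passed on to the caller's error stream.
    $queryEvents = {
        param ([string] $FilterXml)
        try {
            Get-WinEvent -FilterXml $FilterXml -ErrorAction Stop
        }
        catch {
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Error -ErrorRecord $_
            }
        }
    }

    # RDP Logons
    $rdpQuery = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
    <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-LocalSessionManager'] and (EventID=41)]]</Select>
  </Query>
</QueryList>
'@
    $rdpEvents = & $queryEvents $rdpQuery |
        Where-Object { $_.Properties[0].Value -like $rdpPattern }

    # Security Log Logons
    $logonQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task = 12544) and (EventID=4624)]]
      and
      *[EventData[Data[@Name='TargetUserSid'] and (Data='$SID')]]
    </Select>
  </Query>
</QueryList>
"@
    $logonEvents = & $queryEvents $logonQuery

    # Security Log Logon Errors
    $errorQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task = 12544) and (EventID=4625)]]
      and
      *[EventData[Data[@Name='TargetUserName'] and (Data='$xmlName')]]
    </Select>
  </Query>
</QueryList>
"@
    $logonErrors = & $queryEvents $errorQuery

    # User Rights Assignments
    #TODO: Implement

    # Indexing [0] into an empty result throws, so take the newest event
    # through the pipeline and leave LastLogon as $null when there is none.
    $newestLogon = $logonEvents |
        Sort-Object -Property TimeCreated -Descending |
        Select-Object -First 1
    $lastLogon = if ($newestLogon) { $newestLogon.TimeCreated } else { $null }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        UserName     = $Name
        UserSID      = $SID
        LastLogon    = $lastLogon
        RDPEvents    = $rdpEvents
        LogonEvents  = $logonEvents
        LogonErrors  = $logonErrors
    }
}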