0

I know how to use Event Viewer to check who logged into the system and when. But I am trying to find out, for a particular local user account, say Administrator, all the login dates and times for that user on that machine. I use this script and it tells me the total count of logons, but not when each one happened. The script is given below.

'Get our list of logons
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_NetworkLoginProfile",,48)

'Converts a WMI datetime string (yyyymmddHHMMSS...) to a readable logon date and time
Function ConvertTime(sTime)
    If IsNull(sTime) Then
        'Account has no LastLogon value
        ConvertTime = "Unknown"
    ElseIf sTime = "**************.******+***" Or Trim(sTime) = "" Then
        'Placeholder or empty value: no usable timestamp
        ConvertTime = "Unknown"
    Else
        sYear = Mid(sTime,1,4)
        sMonth = Mid(sTime,5,2)
        sDay = Mid(sTime,7,2)
        sHour = Mid(sTime,9,2)
        sMin = Mid(sTime,11,2)
        sSec = Mid(sTime,13,2)
        ConvertTime = sMonth & "/" & sDay & "/" & sYear & " (" & sHour & ":" & sMin & ":" & sSec & ")"
    End If
End Function

'Loops through our logon items and only pulls out the
'user accounts...not system accounts that are used
'internally by windows

For Each objItem In colItems
    If objItem.UserType = "Normal Account" Then
        WScript.Echo objItem.Name & vbCrLf
        WScript.Echo " Last Logon: " & ConvertTime(objItem.LastLogon)
        WScript.Echo " Number of Logons: " & objItem.NumberOfLogons
        If objItem.Privileges = 0 Then
            WScript.Echo " (Guest Account)"
        ElseIf objItem.Privileges = 1 Then
            WScript.Echo " (Standard User Account)"
        ElseIf objItem.Privileges = 2 Then
            WScript.Echo " (Administrator Account)"
        End If
        WScript.Echo vbCrLf
    End If
Next

Edited to show expected output

Username: LocalPC\Administrator
Logon time: ------
Username: LocalPC\Administrator
Logon time: ------

Can someone please tell me how I can modify this script, or whether there is any other, easier method to check the same, as soon as possible? Thanks in advance.

Vysakh

3 Answers

0

There are many scripts like these on Technet:

Security Log Logon/Logoff Event Reporter: This script reads the security log, then displays a chronological record of local and remote logon and logoff activities, including failed attempts if enabled in Group/Local Policy. It allows the input of a date range and a remote hostname if desired.

https://gallery.technet.microsoft.com/Log-Parser-to-Identify-8aac36bd

Sum1sAdmin
  • Thanks, but I need to filter all the logon events of a particular user. How can I edit it then? – Vysakh Apr 13 '16 at 15:53
0

I can't help with the script, but if you need information in a rush and if you are using Server 2012 or Server 2012 R2, there is a feature called IPAM. Part of the IPAM feature allows you to search information gathered from AD, DNS and DHCP. You can search based on username, machine name or IP address. It might give you all you need. IPAM is designed to manage DHCP, but it has a feature called IP Address Tracking; this TechNet article explains it (https://technet.microsoft.com/en-us/library/jj878332.aspx), and it does show the time of events. Also, if you have access to Group Policy Management, you can use Group Policy Results to look at a domain-joined PC and see who has logged on there. The report includes information about when the last logon occurred.

Michael Brown
0

There are many PowerShell scripts like this one, PDXCAT LogonHistory; afterwards, pipe the output to select a specific user.
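
The approach the answers point to (read the Security log, then narrow it to one account) is sketched below as an added example; it is not code from any post in this thread. It assumes an elevated prompt and that logon auditing is enabled. The function name `Get-UserLogonHistory` and the 30-day default window are hypothetical choices, and event ID 4624 is the Windows "An account was successfully logged on" event.

```powershell
# Added example, not part of the original thread.
# Run from an elevated prompt; logon auditing must be enabled so that
# event ID 4624 ("An account was successfully logged on") is recorded.
function Get-UserLogonHistory {
    param(
        [Parameter(Mandatory)][string]$UserName,     # e.g. 'Administrator'
        [datetime]$After = (Get-Date).AddDays(-30)   # assumed default window
    )

    # Let the event log service do the coarse filtering (log, event ID, time).
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $After }

    Get-WinEvent -FilterHashtable $filter |
        ForEach-Object {
            # Index the event's named <Data> fields by their Name attribute.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # -eq on strings is case-insensitive, like Windows account names.
            if ($data['TargetUserName'] -eq $UserName) {
                [pscustomobject]@{
                    Username  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    LogonTime = $_.TimeCreated
                    LogonType = [int]$data['LogonType']   # 2 = interactive, 3 = network, 10 = RDP
                    Source    = $data['IpAddress']
                }
            }
        } |
        Sort-Object LogonTime
}

# Every recorded logon of the Administrator account in the last 30 days.
Get-UserLogonHistory -UserName 'Administrator' | Format-Table -AutoSize
```

Results only go back as far as the Security log's retention, and `Get-WinEvent` reports an error rather than returning an empty result when no event matches the filter.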