obtener_los_usuarios_que_iniciaron_sesion_en_las_ultimas_n_horas
Q:
How can I get the user logins to a specific server in the last 6 hours? It's an AVD session host server. I have access to the event viewer but maybe I could query the logs through powershell. Thank you!
A:
To retrieve user logins to a specific server in the last 6 hours, you can use PowerShell and the Get-WinEvent cmdlet to query the event logs. Here's an example script:
- getLoginEvents.ps1
```powershell
$server = "your-server-name"
$startTime = (Get-Date).AddHours(-6)

# Event ID 4624 (logon) entries from the Security log since $startTime
$events = Get-WinEvent -ComputerName $server -FilterHashtable @{
    LogName   = "Security"
    ID        = 4624
    StartTime = $startTime
} -ErrorAction SilentlyContinue

# Properties[8] holds the logon type; 10 = remote interactive
$loginEvents = $events | Where-Object { $_.Properties[8].Value -eq 10 }

# Properties[5] holds the target user name
$users = $loginEvents | ForEach-Object {
    $userName = $_.Properties[5].Value
    [PSCustomObject]@{
        UserName = $userName
        Time     = $_.TimeCreated
    }
}

$users
```
Here's how the script works:
- Set the $server variable to the name of the target server.
- Set the $startTime variable to the desired start time (in this case, 6 hours ago from the current time).
- Use Get-WinEvent to retrieve the Security events from the specified server that have an event ID of 4624 (logon events) and occurred after the specified start time.
- Filter the events to include only successful logon events (where the logon type is 10, which represents a remote interactive logon).
- Extract the relevant properties, such as the username and time of the logon event.
- Output the list of users and their corresponding logon times.
Make sure to replace “your-server-name” with the actual name of the server you want to query. Additionally, adjust the filter or output format as needed based on your specific requirements.
Please note that you might need administrative privileges or appropriate permissions to access the event logs on the remote server.
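A variant of the query above, added here as an example and not part of the original answer: it reads the 4624 fields by name from the event XML instead of by `Properties[]` position, also reports the source address, pushes the time and logon-type filter into an XPath query, and separates "no matching events" from access or connection errors. The function names `ConvertFrom-LogonEventXml` and `Get-RemoteLogon` are hypothetical, and the sample event is constructed.

```powershell
# Added example. TargetUserName, TargetDomainName, LogonType and IpAddress are the
# named <Data> fields of event 4624; the function names are hypothetical.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time      = [datetime]$evt.System.TimeCreated.SystemTime
            UserName  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            SourceIp  = $data['IpAddress']
        }
    }
}

function Get-RemoteLogon {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Hours = 6)
    $ms = [long]$Hours * 3600000
    # The time window and logon type 10 are filtered by the event log service itself.
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='LogonType']='10']]"
    try {
        Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
    } catch {
        # An empty result is not a failure; access or connection errors are rethrown.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }
}

# Constructed sample event (not from a real host) to exercise the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-10-17T15:04:05.000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LogonEventXml
# Live use: Get-RemoteLogon -ComputerName 'your-server-name' -Hours 6
```

Unlike `-ErrorAction SilentlyContinue`, this surfaces a permission or connectivity failure instead of returning an empty list that looks like "nobody logged on".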
obtener_los_usuarios_que_iniciaron_sesion_en_las_ultimas_n_horas.txt · Last modified: 2024/10/17 21:42 by 127.0.0.1
