Get LastLogonUser and LastLogonDate on computers in AD


Problem description

We can use

Get-ADComputer $computerName -Properties LastLogonDate

to get LastLogonDate. But how do we know which user did the last logon? Get-ADUser has a LastLogon property, but it seems we could not use it to decide which computer the user logged on to.

Recommended answer

You're misunderstanding the meaning of LastLogonDate in this context. It's the timestamp of when the computer account last authenticated against the domain, not the timestamp of when a user last logged into that particular computer.

To determine which user last logged into a specific computer you need to have logon event auditing enabled on that machine and extract the information from the Security eventlog (see here):

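$computer = '...'

# Event 4624 = successful logon; logon type 2 = interactive, 10 = remote interactive (RDP)
Get-EventLog Security -Computer $computer -InstanceId 4624 -EntryType SuccessAudit |
    Where-Object {
        $_.Message -match 'logon type:\s+(2|10)\s' -and
        $_.Message -match 'new logon:[\s\S]*?account name:\s+(.*?)\s'
    } |
    Sort-Object TimeGenerated -Desc |
    Select-Object -First 1 TimeGenerated, @{n='Account';e={
        # Match again on this event: after Sort-Object, $matches still holds
        # the result of the last -match run in Where-Object, not this event's.
        if ($_.Message -match 'new logon:[\s\S]*?account name:\s+(.*?)\s') { $matches[1] }
    }}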

To limit the amount of data that is retrieved from the remote host I'd suggest running Get-EventLog with a starting date (-After). Processing the entire Security eventlog could take a lot of time otherwise.
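The same lookup with Get-WinEvent, as an added example that is not part of the original answer: it bounds the query with StartTime (the counterpart of the -After suggestion), reads the named fields of event 4624 from the event XML instead of matching the message text, and keeps only accounts whose SID starts with S-1-5-21- so that built-in session accounts logging on with type 2 are skipped. The function name, its parameters and the SID filter are assumptions of this example.

```powershell
# Added example: last interactive or RDP logon on one computer.
# Get-LastInteractiveLogon, -ComputerName and -Days are hypothetical names.
function Get-LastInteractiveLogon {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Days = 30
    )

    # Filtering happens on the remote side: Security log, event 4624,
    # and nothing older than $Days days.
    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent returns the newest events first, so the first event that
    # passes the checks below is the most recent logon.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object {
            # Collect the named EventData fields (LogonType, TargetUserName, ...).
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            # Logon type 2 = interactive, 10 = remote interactive (RDP).
            # Assumption of this example: only domain or local machine accounts
            # (SID prefix S-1-5-21-) count as a user logon.
            if ($data['LogonType'] -in '2', '10' -and
                $data['TargetUserSid'] -like 'S-1-5-21-*') {
                [pscustomobject]@{
                    Computer    = $ComputerName
                    TimeCreated = $_.TimeCreated
                    Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    LogonType   = [int]$data['LogonType']
                }
            }
        } |
        Select-Object -First 1   # stops the pipeline after the first hit
}

# Usage: Get-LastInteractiveLogon -ComputerName $computer -Days 7
```

Reading the remote Security log requires an account with rights to that log, and the result only reaches back as far as the log's retention on that machine.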
