在AD中的计算机上获取LastLogonUser和LastLogonDate [英] Get LastLogonUser and LastLogonDate on computers in AD
问题描述
我们可以使用
Get-ADComputer $computerName -Properties LastLogonDate
获得LastLogonDate
.但是如何知道上次登录的用户? Get-ADUser
具有LastLogon
属性,但是似乎我们无法使用它来确定用户登录哪台计算机.
to get LastLogonDate
. But how to know which user did the Last Logon? Get-ADUser
has a LastLogon
property, but it seems we could not use it to decide which computer the user logon.
推荐答案
在这种情况下,您误解了LastLogonDate
的含义.这是该计算机帐户最后一次针对该域进行身份验证的时间戳,而不是用户最后一次登录该特定计算机的时间戳.
You're misunderstanding the meaning of LastLogonDate
in this context. It's the timestamp of when the computer account last authenticated against the domain, not the timestamp of when a user last logged into that particular computer.
要确定哪个用户最后登录到特定计算机,您需要在该计算机上启用登录事件审核,并从安全性"事件日志中提取信息(请参阅
To determine which user last logged into a specific computer you need to have logon event auditing enabled on that machine and extract the information from the Security eventlog (see here):
$computer = '...'
Get-EventLog Security -Computer $computer -InstanceId 4624 -EntryType SuccessAudit |
Where-Object {
$_.Message -match 'logon type:\s+(2|10)\s' -and
$_.Message -match 'new logon:[\s\S]*?account name:\s+(.*?)\s'
} |
Sort-Object TimeGenerated -Desc |
Select-Object -First 1 TimeGenerated, @{n='Account';e={$matches[1]}}
要限制从远程主机检索到的数据量,我建议使用开始日期(-After
)运行Get-EventLog
.否则,处理整个安全事件日志可能会花费很多时间.
To limit the amount of data that is retrieved from the remote host I'd suggest to run Get-EventLog
with a starting date (-After
). Processing the entire Security eventlog could take a lot of time otherwise.
这篇关于在AD中的计算机上获取LastLogonUser和LastLogonDate的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!