Mark Minasi's Tech Forum
jsclmedave (Administrator) #1
Wrote this to help get details on WHO was logging into Specific Servers without having to hit all of the Domain Controllers.

This is being used as a temporary method for a couple of specific servers.

This will show the client's UserID, Date, Client PC Name, Client IP Address as well as the Target Server.

I am saving the info in C:\TEMP which the Administrators of the Server can check as needed.

Code:

# Logon script: record who is logging on to this server and append it to the CSV.
[pscustomobject]@{
    'Computer' = $env:ComputerName
    'User' = $env:UserName
    'Date' = Get-Date
    'Client' = $env:ClientName    # set for RDP sessions; empty for a console logon
    # Join the address list: a client with more than one address (IPv6 + IPv4 is common)
    # would otherwise export as "System.String[]" instead of the addresses.
    'Client IP' = ([System.Net.Dns]::GetHostEntry([string]$env:ClientName).AddressList.IPAddressToString) -join ';'
} | Export-Csv -Path C:\Temp\PoshLoggedOnUsers.csv -Append -NoTypeInformation



I created a .BAT file that calls the .PS1 script by enabling "Run Script At Login" via a Local Group Policy setting -

"User Configuration\Administrative Templates\System\Logon\Run these programs at user logon"

There I have added this BAT file -

Code:

@echo off
::PoshLoggedOnUsersBAT.bat
:: -file must be the last powershell.exe switch; anything after it is passed to the script as arguments,
:: so -windowstyle and -executionpolicy go before it.
powershell -nologo -windowstyle hidden -executionpolicy bypass -file C:\Temp\PoshLoggedOnUsers.ps1


The results look like this -


Computer         User        Date             Client        Client IP
TargetServerS04  johnDoe2    8/30/2016 9:37   Laptop-BR6M8  172.10.03.104
TargetServerS04  johnDoe1    8/30/2016 10:01  Laptop-BR549  172.10.02.253
TargetServerS04  CommonUser  8/31/2016 11:39  Laptop-BR549  172.10.02.10


Note that Laptop-BR549 was listed twice, showing that a common UserID was used, but I was still able to see the client's PC and current DHCP IP address...

Again, this is being used as a temporary method for a couple of specific servers. But it's working great!




__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  
jhicks #2
Another option instead of writing to a CSV file is to record the information in an event log. You could create a custom eventlog:

New-EventLog -LogName Company -Source "Test","Logging","Script"

and then write to it
$a = [pscustomobject]@{
    'Computer' = $env:ComputerName
    'User' = $env:UserName
    'Date' = Get-Date
    'Client' = $env:ClientName
    'Client IP' = [System.Net.Dns]::GetHostEntry([string]$env:ClientName).AddressList.IPAddressToString
}

Write-EventLog -LogName Company -Source Test -EntryType Information -eventid 1 -Message ($a | out-string)

Or add a source to an existing log:

New-Eventlog -LogName System -Source "PSScript"
Write-EventLog -LogName System -Source PSScript -EntryType Information -eventid 1 -Message ($a | out-string)




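Pulling the two posts together, as an added example rather than anything posted in the thread: one logon script that writes the record both to the CSV and to the custom event log, guards the console-logon case where $env:ClientName is empty (GetHostEntry('') would resolve the server itself), and a helper that reads the CSV back and lists client PCs seen with more than one account, the Laptop-BR549 pattern noted above. The C:\Temp path and the "Company" log name are assumptions taken from the posts; the log and source must already exist (New-EventLog, run once as admin).

```powershell
# PoshLoggedOnUsers.ps1 (assumed name, as in the first post). Paths and log name
# are assumptions taken from the thread, not a shipped configuration.
param(
    [string]$CsvPath = 'C:\Temp\PoshLoggedOnUsers.csv',
    [string]$LogName = 'Company',   # custom log from the second post (New-EventLog, run once as admin)
    [string]$Source  = 'Logging'
)

function Get-LogonRecord {
    # $env:ClientName is only set for RDP sessions; on a console logon it is empty and
    # GetHostEntry('') would quietly resolve the server itself, so handle that case.
    $client = $env:ClientName
    $ip = '<console>'
    if ($client) {
        try {
            # A multi-homed client returns several addresses; join them so Export-Csv
            # writes the addresses rather than "System.String[]".
            $ip = ([System.Net.Dns]::GetHostEntry($client).AddressList |
                   ForEach-Object { $_.IPAddressToString }) -join ';'
        } catch { $ip = "unresolved: $($_.Exception.Message)" }
    } else { $client = '<console>' }
    [pscustomobject]@{
        'Computer'  = $env:ComputerName
        'User'      = "$env:UserDomain\$env:UserName"
        'Date'      = (Get-Date).ToString('s')   # sortable timestamp
        'Client'    = $client
        'Client IP' = $ip
    }
}

function Write-LogonRecord {
    param([pscustomobject]$Record)
    $Record | Export-Csv -Path $CsvPath -Append -NoTypeInformation
    try {
        # Same record to the event log so a collector such as Splunk can pick it up.
        Write-EventLog -LogName $LogName -Source $Source -EntryType Information `
            -EventId 1 -Message ($Record | Format-List | Out-String)
    } catch { Write-Warning "event log write skipped: $($_.Exception.Message)" }
}
function Get-SharedClient {
    # List client PCs seen with more than one account (the Laptop-BR549 pattern in post #1).
    Import-Csv -Path $CsvPath | Group-Object -Property Client |
        Where-Object { @($_.Group.User | Sort-Object -Unique).Count -gt 1 } |
        Select-Object @{n='Client'; e={$_.Name}},
                      @{n='Users';  e={@($_.Group.User | Sort-Object -Unique) -join ','}},
                      @{n='Logons'; e={$_.Count}}
}

Write-LogonRecord -Record (Get-LogonRecord)
```

Run Get-SharedClient from an admin console on the server to review the accumulated CSV; the logon script itself only appends.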
jsclmedave (Administrator) #3
Quote:
Originally Posted by jhicks
Another option instead of writing to a CSV file is to record the information in an event log. You could create a custom eventlog:

New-EventLog -LogName Company -Source "Test","Logging","Script"

and then write to it
$a = [pscustomobject]@{
    'Computer' = $env:ComputerName
    'User' = $env:UserName
    'Date' = Get-Date
    'Client' = $env:ClientName
    'Client IP' = [System.Net.Dns]::GetHostEntry([string]$env:ClientName).AddressList.IPAddressToString
}

Write-EventLog -LogName Company -Source Test -EntryType Information -eventid 1 -Message ($a | out-string)

Or add a source to an existing log:

New-Eventlog -LogName System -Source "PSScript"
Write-EventLog -LogName System -Source PSScript -EntryType Information -eventid 1 -Message ($a | out-string)
Thanks Jeff!  It looks like this issue is getting worse so they are looking at applying it to several specific servers.

I also suggested enabling auditing in the Event Logs and since we already use SPLUNK for other event logs, add these and let that do the sorting and alerting. 



