
Custom Inventory Rule User Login History

My custom inventory rule (note that Custom Inventory rules execute as SYSTEM on every managed machine, so the script is fetched from the share and run with full privileges each time inventory runs — anyone who can write to that share can run code as SYSTEM fleet-wide, so keep it writable by administrators only; `-executionpolicy bypass` also means the script is never required to be signed):

 

ShellCommandTextReturn(cmd /c powershell.exe -nologo -executionpolicy bypass -noprofile -file "\\10.86.28.238\client\logonactivityajs.ps1")\\

 

Script:

 

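# Variables
#
# Logon/logoff activity report for the local machine, built from the Security event log.
# Rows are produced for successful logons (4624) and failed logons (4625) of logon type 2
# (interactive) and 10 (RemoteInteractive / RDP), plus user-initiated logoffs (4647).
# Other logon types (3 network, 4 batch, 5 service, 7 unlock, ...) are deliberately ignored.
#
# The script is meant to be launched from a KACE Custom Inventory rule, i.e. as SYSTEM and
# without an interactive desktop, so the default output is the table object itself
# (whatever the script writes to stdout becomes the inventory value).
#
# Parameters (all optional; the defaults reproduce the original hard-coded behaviour).
# In the original, $output was never assigned, so the "T", "H" and "G" branches were
# unreachable; exposing it as a parameter makes them usable without editing the script.
#   -output    ""  (default) emit the DataTable; "T" Format-Table; "H" write an HTML file;
#              "G" Out-GridView (needs an interactive desktop - will not work under SYSTEM).
#   -scope     "N" (default) logons, failures and logoffs; "Y" failed logons only.
#   -startDate / -endDate  reporting window, default 2000-01-01 .. now. The date is given
#              in ISO form so the conversion does not depend on the machine's culture.
#   -htmlfile  destination for -output H. A relative path resolves against the current
#              directory of the calling process (for a KACE rule that is NOT the script's
#              folder on the share), so pass an absolute path when running non-interactively.
param(
    [string]$output = "",
    [string]$scope = "N",
    [datetime]$startDate = [datetime]"2000-01-01",
    [datetime]$endDate = (Get-Date),
    [string]$htmlfile = ".\LogonActivity.html"
)

# Table Creation
$LogonActivityTable = New-Object System.Data.DataTable "Logon/Logoff Activity"

# Create Columns and add them to the table (all string typed, as before)
foreach ($columnName in "Date", "Type", "Status", "User", "IPAddress") {
    $column = New-Object System.Data.DataColumn $columnName, ([string])
    $LogonActivityTable.Columns.Add($column)
}

# Appends one row to $LogonActivityTable (script scope). The five arguments map 1:1 onto
# the table's columns; $Date receives the event's TimeGenerated and is stored via the
# DataRow's own string conversion exactly as the original per-branch code did.
function Add-LogonRow($Date, $Type, $Status, $User, $IPAddress) {
    $row = $LogonActivityTable.NewRow()
    $row.Date = $Date
    $row.Type = $Type
    $row.Status = $Status
    $row.User = $User
    $row.IPAddress = $IPAddress
    $LogonActivityTable.Rows.Add($row)
}

$hostname = $env:COMPUTERNAME

# Writes a line with all the parameters selected for report
Write-Host "Hostname: "$hostname "`tStart: "$startDate "`tEnd: "$endDate "`tOnly Failed Logins: "$scope "`n"

# Store each event from the Security Log with the specified dates and computer in an array.
# Only the three event IDs of interest are kept; everything else is dropped up front so
# the loop below does not re-test every unrelated Security event.
$log = Get-EventLog -LogName Security -ComputerName $hostname -After $startDate -Before $endDate |
    Where-Object { $_.EventID -eq 4624 -or $_.EventID -eq 4625 -or $_.EventID -eq 4647 }

$failedOnly = ($scope -match "Y")

# Loop through each security event. With -scope Y only failed logons are reported;
# otherwise successful logons, failed logons and logoffs are all reported.
foreach ($i in $log) {
    # ReplacementStrings positions (0-based) used below, per event:
    #   4624: [5] TargetUserName, [8]  LogonType, [18] IpAddress
    #   4625: [5] TargetUserName, [10] LogonType, [19] IpAddress
    #   4647: [1] TargetUserName
    # LogonType arrives as a string; -eq against the integer still compares "2"/"10".
    $rs = $i.ReplacementStrings

    switch ($i.EventID) {
        4624 {
            # Logon Successful Events (skipped entirely when only failures are wanted)
            if (-not $failedOnly) {
                if ($rs[8] -eq 2)  { Add-LogonRow $i.TimeGenerated "Logon - Local"  "Success" $rs[5] "" }
                if ($rs[8] -eq 10) { Add-LogonRow $i.TimeGenerated "Logon - Remote" "Success" $rs[5] $rs[18] }
            }
        }
        4625 {
            # Logon Failure Events. TargetUserName here is whatever the caller typed at the
            # logon prompt, i.e. attacker-controlled text - treat the User column as untrusted.
            if ($rs[10] -eq 2)  { Add-LogonRow $i.TimeGenerated "Logon - Local"  "Failure" $rs[5] "" }
            if ($rs[10] -eq 10) { Add-LogonRow $i.TimeGenerated "Logon - Remote" "Failure" $rs[5] $rs[19] }
        }
        4647 {
            # Logoff Events (user-initiated); no IP address is recorded for these
            if (-not $failedOnly) { Add-LogonRow $i.TimeGenerated "Logoff" "Success" $rs[1] "" }
        }
    }
}

# Outputs
# Table
if ($output -match "T") {
    $LogonActivityTable | Format-Table
}
# HTML
elseif ($output -match "H") {
    # HTML Styles
    $style = "<style>"
    $style = $style + "BODY{background-color:#F2F2F2;}"
    $style = $style + "TABLE{border-width: 1px;border-style: solid;border-color: black;}"
    $style = $style + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:#BDBDBD}"
    $style = $style + "TD{border-width: 1px;padding: 5px;border-style: solid;border-color: black;background-color:#D8D8D8}"
    $style = $style + "</style>"

    # ConvertTo-Html encodes the cell values, which is what keeps an attacker-chosen
    # username from the 4625 rows from injecting markup; -Head and -Body are emitted
    # verbatim, so keep them literal strings as they are here.
    $LogonActivityTable | Select-Object Date, Type, Status, User, IPAddress |
        ConvertTo-Html -Head $style -Body "<h2>Logon Activity:</h2>" | Out-File $htmlfile

    # The original ran `Invoke-Expression $htmlfile`, which evaluates the path as
    # PowerShell source (breaks on paths with spaces and would execute anything the
    # string contained). Invoke-Item opens the file with its registered handler instead,
    # and only when there is a desktop to open it on - under SYSTEM from the KACE agent
    # there is not, and the file is simply left on disk.
    if ([Environment]::UserInteractive) {
        Invoke-Item -LiteralPath $htmlfile
    }
}
# Grid View (interactive only)
elseif ($output -match "G") {
    $LogonActivityTable | Out-GridView -Title "Logon Activity"
}
# Default output, returns the table object in list form by default
else {
    $LogonActivityTable
}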


Comments

  • Custom Inventory rules run as system so did you give all computer accounts access to the share your script is hosted on? - chucksteel 9 years ago
  • My script is hosted within the KACE Samba share. - revsmitty 9 years ago
  • I just wanted to say thank you for being willing to post this script. I know it must have taken a lot of time to go through and match the required events and parameters up to be able to export it out as usable. So thanks! - gcgreen 7 years ago