I know how to use Event Viewer to check who logged into the system and when. But I am trying to figure out, for a particular local user account, say Administrator, what all the login dates and times are for this particular user on that machine. I use this script and it tells me the total count of logons, but not when they all occurred. The script is given below.
    'Get our list of logons
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_NetworkLoginProfile",,48)

    'Converts to a readable logon date and time
    Function ConvertTime(sTime)
        If (sTime = "**************.******+***") Then
            ConvertTime = "Unknown"
        ElseIf (Trim(sTime & "") = "") Then
            'Empty or Null value: no logon recorded for this profile
            ConvertTime = "Unknown"
        Else
            'WMI datetime layout: yyyymmddHHMMSS.ffffff+UUU
            sYear = Mid(sTime,1,4)
            sMonth = Mid(sTime,5,2)
            sDay = Mid(sTime,7,2)
            sHour = Mid(sTime,9,2)
            sMin = Mid(sTime,11,2)
            sSec = Mid(sTime,13,2)
            ConvertTime = sMonth & "/" & sDay & "/" & sYear & " (" & sHour & ":" & sMin & ":" & sSec & ")"
        End If
    End Function

    'Loops through our logon items and only pulls out the
    'user accounts...not system accounts that are used
    'internally by windows
    For Each objItem in colItems
        If (objItem.UserType = "Normal Account") Then
            WScript.Echo objItem.Name & vbCrLf
            WScript.Echo " Last Logon: " & ConvertTime(objItem.LastLogon)
            WScript.Echo " Number of Logons: " & objItem.NumberOfLogons
            If (objItem.Privileges = 0) Then
                WScript.Echo " (Guest Account)"
            ElseIf (objItem.Privileges = 1) Then
                WScript.Echo " (Standard User Account)"
            ElseIf (objItem.Privileges = 2) Then
                WScript.Echo " (Administrator Account)"
            End If
            WScript.Echo vbCrLf
        End If
    Next

Edited to show expected output
Username: LocalPC\Administrator
Logon time: ------
Username: LocalPC\Administrator
Logon time: ------
Can someone please tell me how I can modify this script, or whether there is any other method to check the same in the easiest way, ASAP? Thanks in advance.
There are many scripts like these on Technet:
Security Log Logon/Logoff Event Reporter This script reads the security log, then displays a chronological record of local and remote logon and logoff activities, including failed attempts if enabled in Group/Local Policy. It allows the input of a date range and a remote hostname if desired.
https://gallery.technet.microsoft.com/Log-Parser-to-Identify-8aac36bd
I can't help with the script, but if you need information in a rush and you are using Server 2012 or Server 2012 R2, there is a feature called IPAM. Part of the IPAM feature allows you to search information gathered from AD, DNS and DHCP. You can search based on username, machine name or IP address. It might give you all you need. IPAM is designed to manage DHCP, but it has a feature called IP Address tracking. This TechNet article explains it: https://technet.microsoft.com/en-us/library/jj878332.aspx. It does show the time of events. Also, if you have access to Group Policy Management, you can use Group Policy Results to look at a domain-joined PC and see who has logged on there. The report includes information about when the last logon occurred.
There are many PowerShell scripts like this PDXCAT LogonHistory; afterwards, pipe the output to select a specific user.
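
An added example, not part of any answer above and not taken from the scripts they link: Win32_NetworkLoginProfile only stores the last logon and a counter, so a per-logon history has to come from Security log event 4624, which is recorded only when logon auditing is enabled. The parameter defaults and the choice of logon types below are assumptions made for illustration.

```powershell
# Added example: list every successful logon (event 4624) for one local account.
# Run elevated; reading the Security log requires administrator rights.
# Assumptions: $User, $Domain and $Days defaults are illustrative values.
param(
    [string]$User   = 'Administrator',
    [string]$Domain = $env:COMPUTERNAME,   # local accounts carry the machine name as domain
    [int]$Days      = 30
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624                       # "An account was successfully logged on"
    StartTime = (Get-Date).AddDays(-$Days)
}

# Logon types that represent a person signing in; type 3 (network) and
# type 5 (service) are left out because they flood the result.
$logonTypes = @{
    2  = 'Interactive'
    7  = 'Unlock'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # EventData holds named fields; flatten them into a hashtable
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $type = [int]$data['LogonType']
    if ($data['TargetUserName']   -ieq $User   -and
        $data['TargetDomainName'] -ieq $Domain -and
        $logonTypes.ContainsKey($type)) {
        [pscustomobject]@{
            Username  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonTime = $_.TimeCreated
            LogonType = $logonTypes[$type]
            Source    = $data['IpAddress']
        }
    }
} | Sort-Object LogonTime | Format-Table -AutoSize
```

The history only reaches back as far as the Security log's retention, so an empty result can mean the events were overwritten or auditing was off rather than that no logon happened.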