Last Login Time via Event ID


<#
Date:  June 3, 2016

Summary:  This script can be used to list the user accounts that have logged
into the Remote Desktop Server defined in the $ComputerName parameter.  It searches 
the "TerminalServices-LocalSessionManager" event log for event ID 21.

To run the script, enter:  .\Get-TerminalServerLogins.ps1 -ComputerName localhost

Where the ComputerName parameter can be either a local host or a remote host.

The output is written to the PowerShell console.

#>

Param(
  [Parameter(Mandatory=$True,
             HelpMessage="`nEnter a local or remote hostname for the ComputerName parameter.`n 
Usage:  .\Get-TerminalServerLogins.ps1 -ComputerName localhost`n")]
  [string]$ComputerName
)

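# Read the LocalSessionManager log and keep only event ID 21 (session logon succeeded).
$colEvents = Get-WinEvent -ComputerName $ComputerName -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" |
Where-Object {$_.Id -eq 21} |
Select-Object -Property TimeCreated, Message
Write-Host "Login Time,Username"
# $LogonEvent is used as the loop variable because $Event is a PowerShell automatic variable.
Foreach ($LogonEvent in $colEvents)
{
  $EventTimeCreated = $LogonEvent.TimeCreated
  # The third line of the event message reads "User: DOMAIN\name".
  $EventMessage = $LogonEvent.Message -split "`n" | Select-Object -Index 2
  # Drop the "User: " prefix (6 characters) and any trailing carriage return.
  $EventMessageUser = $EventMessage.Substring(6).Trim()
  Write-Host "$EventTimeCreated,$EventMessageUser"
}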
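
The script above lists every event ID 21 entry and takes the username from the message text. The following is an added example, not part of the original script: it reads the same event's XML fields instead of the message text and keeps only the most recent logon per account, with the source address. The function name Get-LastRdpLogon and the output property names are this example's own, and it assumes event 21 stores User, SessionID and Address under UserData/EventXML.

```powershell
# Added example (not the original script): last logon per user from event ID 21.
# Get-LastRdpLogon and the output property names are this example's own.
function Get-LastRdpLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName
    )

    $filter = @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id      = 21
    }

    # -FilterHashtable filters at the event log service, so only ID 21 records
    # are returned instead of the whole log being piped through Where-Object.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter

    $logons = foreach ($evt in $events) {
        # Assumed layout: Event/UserData/EventXML with User, SessionID, Address.
        # Reading the XML avoids depending on message line order or UI language.
        $data = ([xml]$evt.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            LoginTime = $evt.TimeCreated
            Username  = $data.User
            SessionID = $data.SessionID
            # Client address for RDP sessions; LOCAL for console logons.
            Source    = $data.Address
        }
    }

    # Group-Object is case-insensitive by default, so DOMAIN\User and
    # domain\user count as one account. Keep the newest entry of each group.
    $logons |
        Group-Object -Property Username |
        ForEach-Object {
            $_.Group | Sort-Object -Property LoginTime -Descending | Select-Object -First 1
        } |
        Sort-Object -Property LoginTime -Descending
}

Get-LastRdpLogon -ComputerName localhost | Format-Table -AutoSize
```

The result only covers the period the Operational log still holds; once the log rolls over, older logons are gone.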
