<#
Date: June 3, 2016
Summary: This script can be used to list the user accounts that have logged
into the Remote Desktop Server defined in the $ComputerName parameter. It searches
the "TerminalServices-LocalSessionManager" event log for event ID 21.
To run the script, enter: .\Get-TerminalServerLogins.ps1 -ComputerName localhost
Where the ComputerName paramter can either be a local host, or a remote host.
The output is written to the PowerShell console.
#>
Param(
[Parameter(Mandatory=$True,
HelpMessage="`nEnter a local or remote hostname for the ComputerName parameter.`n
Usage: .\Get-TerminalServerLogins.ps1 -ComputerName localhost`n")]
[string]$ComputerName
)
$colEvents = Get-WinEvent -ComputerName $ComputerName -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" |
Where {$_.ID -eq "21"} |
Select -Property TimeCreated, Message
Write-Host "Login Time,Username"
Foreach ($Event in $colEvents)
{
$EventTimeCreated = $Event.TimeCreated
$EventMessage = $Event.Message -split "`n" | Select-Object -Index "2"
$EventMessageUser = $EventMessage.Substring(6)
Write-Host "$EventTimeCreated,$EventMessageUser"
}