If you are in an AD environment, you can check the logon activity of certain users through the Security log on the domain controller. However, reading through those log entries can be time-consuming. The workaround is to retrieve the logon activity right from the desktop computer, if you know which computer to look at.
It's actually way easier. To retrieve the logon activity from a remote computer for the past 7 days, all you need to do is run this:
Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-7) -ComputerName $computer
However, in order to pull the event log from a remote computer, the Remote Registry service needs to be running on that computer. It’s disabled by default for security reasons.
You will need to re-enable the service and start it before pulling the log entries.
Invoke-Command -ComputerName $computer -ScriptBlock {
    $service = 'RemoteRegistry'
    Set-Service -Name $service -StartupType Manual
    Start-Service -Name $service
}
Once done, you will need to stop and disable it again.
Invoke-Command -ComputerName $computer -ScriptBlock {
    $service = 'RemoteRegistry'
    Stop-Service -Name $service
    Set-Service -Name $service -StartupType Disabled
}
So, putting everything together:
# Read-Host appends the colon itself
$computer = Read-Host "Computer Name"
# Remote Registry must be running for Get-EventLog -ComputerName to work
Invoke-Command -ComputerName $computer -ScriptBlock {
    $service = 'RemoteRegistry'
    Set-Service -Name $service -StartupType Manual
    Start-Service -Name $service
}
$logs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-7) -ComputerName $computer
ForEach ($log in $logs){
    # ReplacementStrings[1] holds the SID of the user who logged on or off
    $user = Get-ADUser -Filter * | Where-Object {$_.SID -eq $log.ReplacementStrings[1]}
    $log.TimeGenerated.ToString() + ' - ' + $user.Name + ' - ' + $log.Message
}
# Put Remote Registry back to its disabled state
Invoke-Command -ComputerName $computer -ScriptBlock {
    $service = 'RemoteRegistry'
    Stop-Service -Name $service
    Set-Service -Name $service -StartupType Disabled
}
As a bonus, I've formatted the output with the real user name as well.
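As an added example that is not part of the original post, here is the same retrieval done entirely over the WinRM session that Invoke-Command already uses, so the Remote Registry service can stay disabled on the target. It also narrows the query to the Winlogon user logon/logoff events (IDs 7001 and 7002) and resolves each SID only once instead of enumerating AD for every event. It assumes WinRM is enabled on the target and that you are an administrator there; the script parameters are mine.

```powershell
# Added example, not code from the original post. Instead of toggling the
# Remote Registry service, run Get-WinEvent *on* the target over the same
# WinRM session that Invoke-Command already uses, then resolve each SID once.
# Assumes WinRM is enabled on the target and the caller is a local admin there.
param(
    [Parameter(Mandatory)][string]$Computer,
    [int]$Days = 7
)

$events = Invoke-Command -ComputerName $Computer -ArgumentList $Days -ScriptBlock {
    param([int]$Days)
    $kind = @{ 7001 = 'Logon'; 7002 = 'Logoff' }   # Winlogon user logon/logoff events
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Winlogon'
        Id           = 7001, 7002
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Return plain values only; rich objects are flattened on the way back anyway
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Event = $kind[$_.Id]
                Sid   = $_.Properties[1].Value.ToString()   # second event field is UserSid
            }
        }
}

# Resolve each distinct SID once (domain or local) instead of one AD query per event
$names = @{}
foreach ($sid in ($events.Sid | Sort-Object -Unique)) {
    try {
        $acct = [System.Security.Principal.SecurityIdentifier]$sid
        $names[$sid] = $acct.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $names[$sid] = $sid   # deleted or foreign account: keep the raw SID visible
    }
}

$events | Sort-Object Time | ForEach-Object {
    '{0} - {1} - {2}' -f $_.Time, $names[$_.Sid], $_.Event
}
```

Because nothing is changed on the endpoint, this version leaves no service start/stop entries behind in the target's System log, which keeps the audit trail cleaner for anyone reviewing it later.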