Auditing Windows Remote Desktop logon/logoff

PowerShell Help
1

Hi Guru’s,

I pinched a script that would allow me to generate a report of a list of users who log onto our remote desktop servers which is great - link here - Browse code samples | Microsoft Docs

I have made some small changes to grab only the last week of logon attempts however I also want to filter the script to only grab results from a specific users, not all of them.

I’m really dumb at powershell so need some help…

 

<#

.SYNOPSIS
This script reads the event log “Microsoft-Windows-TerminalServices-LocalSessionManager/Operational” from
multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native
Windows Event Viewer.

Version: November 9, 2016

.DESCRIPTION
This script reads the event log “Microsoft-Windows-TerminalServices-LocalSessionManager/Operational” from
multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native
Windows Event Viewer.

NOTE: Despite this log’s name, it includes both RDP logins as well as regular console logins too.

Author:
Mike Crowley

.EXAMPLE

.\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime “November 1”

.LINK

#>

Param(
[array]$ServersToQuery = (hostname),
[datetime]$StartTime = “January 1, 1970”
)

foreach ($Server in $ServersToQuery) {

$LogFilter = @{
LogName = ‘Microsoft-Windows-TerminalServices-LocalSessionManager/Operational’
ID = 21, 23, 24, 25
StartTime = (get-date).adddays(-7)
}

$AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server

$AllEntries | Foreach {
$entry = [xml]$.ToXml()
[array]$Output += New-Object PSObject -Property @{
TimeCreated = $.TimeCreated
User = $entry.Event.UserData.EventXML.User
IPAddress = $entry.Event.UserData.EventXML.Address
EventID = $entry.Event.System.EventID
ServerName = $Server
}
}

}

$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name=‘Action’;Expression={
if ($.EventID -eq ‘21’){“logon”}
if ($.EventID -eq ‘22’){“Shell start”}
if ($.EventID -eq ‘23’){“logoff”}
if ($.EventID -eq ‘24’){“disconnected”}
if ($_.EventID -eq ‘25’){“reconnection”}
}
}

$Date = (Get-Date -Format s) -replace “:”, “.”
$FilePath = “$env:USERPROFILE\Desktop$Date`_RDP_Report.csv”
$FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation

Write-host “Writing File: $FilePath” -ForegroundColor Cyan
Write-host “Done!” -ForegroundColor Cyan

#End

2

Since you also say…

I'm really dumb at powershell so need some help.....

Decrease your confusion, misconceptions, errors, etc… by getting some more ramp up on PS overall.

https://www.reddit.com/r/PowerShell/comments/ar6cvt/powershell_in_depth_second_edition/egmlpom/?context=3 https://www.reddit.com/r/PowerShell/comments/afqmmw/i_want_to_help_my_husband_advance_his_powershell/ee3k6p6/?context=3

And this…

This question looks awfully familiar, and I know I answered this on another site, or something very close to it. Which was accepted there.

However, you don’t say what you have tried or even searched for to get you going. String matching is a very common PowerShell introductory thing and tons of examples all over the web and in the resource you can use in the ‘Free Resources’ link in the left navigation pane.

It’s as simple as, just pull the list as is and filter to a match of the users you want either using RegEx or a ForLoop string match.
Off the top of my head, something like.

# Match users in list using RegEx.
(Import-Csv -Path "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv") -Match 'RdpUser1|RdpUser2|RdpUser3'

# Using a Forloop
$RdpUserLookup = 'RdpUser1','RdpUser2','RdpUser3'
Import-Csv -Path "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv" | 
ForEach{$($PSITem.Name) -eq $RdpUserLookup}

Or you need to a an additional parameter to that param block and use that as the filter in the rest of the code.

$FilteredOutput -match $RdpUserName | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation