Powershell脚本审核远程桌面用户登录
[英]Powershell script Audit Remote Desktop users logon
问题描述
I found a script that logs all users of RDS servers which works great; 
我找到了一个脚本,用于记录RDS服务器的所有用户,效果很好。
However I want to make it specific for 1 user, not all users. 但是我想使其特定于1个用户,而不是所有用户。
I really don't know powershell so need some help. 我真的不知道powershell,所以需要一些帮助。
Param(
[array]$ServersToQuery = (hostname),
[datetime]$StartTime = "January 1, 1970"
) )
foreach ($Server in $ServersToQuery) {
$LogFilter = @{
LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID = 21, 23, 24, 25
StartTime = (get-date).adddays(-7)
}
$AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server
$AllEntries | Foreach {
$entry = [xml]$_.ToXml()
[array]$Output += New-Object PSObject -Property @{
TimeCreated = $_.TimeCreated
User = $entry.Event.UserData.EventXML.User
IPAddress = $entry.Event.UserData.EventXML.Address
EventID = $entry.Event.System.EventID
ServerName = $Server
}
}
}
$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
if ($_.EventID -eq '21'){"logon"}
if ($_.EventID -eq '22'){"Shell start"}
if ($_.EventID -eq '23'){"logoff"}
if ($_.EventID -eq '24'){"disconnected"}
if ($_.EventID -eq '25'){"reconnection"}
}
}
$Date = (Get-Date -Format s) -replace ":", "."
$FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv"
$FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation
Write-host "Writing File: $FilePath" -ForegroundColor Cyan Write-host "Done!" 写入主机“写入文件:$ FilePath” -ForegroundColor青色写入主机“完成!” -ForegroundColor Cyan -前景颜色青色
1 个解决方案
解决方案1
1 已采纳 2019-02-21 05:28:54
So, you say … 所以你说 …
(I really don't know powershell so need some help.)
..., but point to a very advanced PowerShell script you want to use. ...,但是指向您要使用的非常高级的PowerShell脚本。
It is vital that you do not use anyone's code that you do not fully understand what it is doing from anyone. 至关重要的是,不要使用任何人的代码,否则您将无法完全理解任何人的代码在做什么。 You could seriously damage / compromise your system(s) and or you entire enterprise. 您可能会严重损坏/损害您的系统或整个企业。 Please ramp up to protect yourself, your enterprise and avoid unnecessary confusion, complications, issues, errors and frustration you are going to encounter: 请加强保护自己和您的企业,避免不必要的混乱,复杂性,问题,错误和挫败感:
As for your query... 至于你的查询...
However I want to make it specific for 1 user, not all users.
… Though the script returns all users, you can just filter / prompt for the one user you are after, without changing anything about the authors code. …尽管脚本返回了所有用户,但是您只需要过滤/提示您所寻找的一个用户,而无需更改作者代码。
Prompt for a user by adding an additional parameter in that param block 通过在该参数块中添加其他参数来提示用户
[string]$targetUser = (Read-Host -Prompt 'Enter a username')
In that $FilteredOutput section, is where you'd use the additional $targetUser parameter, using the Where-Object cmdlet or string matching there or in the …. 在该$ FilteredOutput部分中,您将在其中或…中使用Where-Object cmdlet或匹配的字符串,使用附加的$ targetUser参数。
$FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation
… section. … 部分。 Something like... 就像是...
($FilteredOutput -match $TargetUser) | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation
I do not have an environment to test this, so, I'll leave that up to you. 我没有测试的环境,因此,我将把它留给您。
$FilteredOutput | $ FilteredOutput | Sort TimeCreated | 创建时间排序| Export-Csv $FilePath -NoTypeInformation This is all basic PowerShell 'using parameters' use case, and covered in all beginning PowerShell courses, books, websites, and built-in PowerShell help files. Export-Csv $ FilePath -NoTypeInformation这是所有基本的PowerShell“使用参数”用例,并且在所有入门的PowerShell课程,书籍,网站和内置的PowerShell帮助文件中都有介绍。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.