Powershell The last logon user in the remote computer

Question

I want a script that collects all logons from the organization's computers, and shows the last user logon and the most user's access in the computer.

I run this script from domain controller, but i only get the computer and the last logon, I don't have the last user logon or the frequency of logon.

Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate, user -Autosize

Answer 1

You can search the security event logs on a machine to get its last login.

$startDate = (Get-Date) - (New-TimeSpan -Day 5)
$UserLoginTypes = 2,7
Get-WinEvent  -FilterHashtable @{Logname='Security';ID=4624;StartTime=$startDate}  | SELECT TimeCreated, @{N='Username'; E={$_.Properties[5].Value}}, @{N='LogonType'; E={$_.Properties[8].Value}} | WHERE {$UserLoginTypes -contains $_.LogonType}  | Sort-Object TimeCreated | SElect -last 1

That will search the last 7 days for interactive logins or unlocks on the computer and return the most recent one.

Update to get most logged in:

$startDate = (Get-Date) - (New-TimeSpan -Day 7)
$UserLoginTypes = 2,7
Get-WinEvent  -FilterHashtable @{Logname='Security';ID=4624;StartTime=$startDate}  | SELECT TimeCreated, @{N='Username'; E={$_.Properties[5].Value}}, @{N='LogonType'; E={$_.Properties[8].Value}} | WHERE {$UserLoginTypes -contains $_.LogonType}  | group UserName |  Sort-Object Count | Select -last 1