S3cur3Th1sSh1t/UserLogonEvents.ps1

## UserLogonEvents.ps1
$computers = Get-ADComputer -Filter *
$startDate = (get-date).AddDays(-1)
Write-Host "Please enter the username to search for logon events:"
$username = Read-Host
foreach ($computer in $computers)
{
    $Computernames += $computers.DNSHostName
}

foreach ($System in $Computernames){
$slogonevents = Get-Eventlog -LogName Security -ComputerName $System -after $startDate | where {$_.eventID -eq 4624 } -or {$_.eventID -eq 4625 } -or {$_.eventID -eq 4768 } -or {$_.eventID -eq 4776 } -or {$_.eventID -eq 4672 } -or {$_.eventID -eq 529 } -or {$_.eventID -eq 530 } -or {$_.eventID -eq 531 } -or {$_.eventID -eq 532 } -or {$_.eventID -eq 533 } -or {$_.eventID -eq 535 } -or {$_.eventID -eq 536 } -or {$_.eventID -eq 537 } -or {$_.eventID -eq 4648 } -or {$_.eventID -eq 552 } -or {$_.eventID -eq 4778 } -and {$_.Message -like "*$username*"}}

# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely

  foreach ($e in $slogonevents){
    # Logon Successful Events
    # Local (Logon Type 2)
    if (($e.ReplacementStrings[8] -eq 2)){
      write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
    }
    # Remote (Logon Type 10)
    if (($e.ReplacementStrings[8] -eq 10)){
      write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
    }}
	$computers = Get-ADComputer -Filter *
	$startDate = (get-date).AddDays(-1)
	Write-Host "Please enter the username to search for logon events:"
	$username = Read-Host
	foreach ($computer in $computers)
	{
	$Computernames += $computers.DNSHostName
	}

	foreach ($System in $Computernames){
	$slogonevents = Get-Eventlog -LogName Security -ComputerName $System -after $startDate \| where {$_.eventID -eq 4624 } -or {$_.eventID -eq 4625 } -or {$_.eventID -eq 4768 } -or {$_.eventID -eq 4776 } -or {$_.eventID -eq 4672 } -or {$_.eventID -eq 529 } -or {$_.eventID -eq 530 } -or {$_.eventID -eq 531 } -or {$_.eventID -eq 532 } -or {$_.eventID -eq 533 } -or {$_.eventID -eq 535 } -or {$_.eventID -eq 536 } -or {$_.eventID -eq 537 } -or {$_.eventID -eq 4648 } -or {$_.eventID -eq 552 } -or {$_.eventID -eq 4778 } -and {$_.Message -like "$username"}}

	# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely

	foreach ($e in $slogonevents){
	# Logon Successful Events
	# Local (Logon Type 2)
	if (($e.ReplacementStrings[8] -eq 2)){
	write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
	}
	# Remote (Logon Type 10)
	if (($e.ReplacementStrings[8] -eq 10)){
	write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
	}}