Get-NtlmLogonEvents

0.2.0-preview0001

PowerShell module to audit NTLM authentication events from Windows Security and NTLM Operational logs. Filters by NTLMv1/v2, failed logons, privileged sessions (4672), date ranges, and null sessions. Validates NTLM audit GPO settings. Targets localhost, remote servers, domain controllers, or an entire AD forest.

Minimum PowerShell version

5.0

This is a prerelease version of Get-NtlmLogonEvents.
There is a newer prerelease version of this module available.
See the version list below for details.

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name Get-NtlmLogonEvents -RequiredVersion 0.2.0-preview0001 -AllowPrerelease

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name Get-NtlmLogonEvents -Version 0.2.0-preview0001 -Prerelease

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) Jan Tiedemann. All rights reserved.

Package Details

Author(s)

  • Jan Tiedemann

Tags

NTLM Security EventLog Authentication Audit ActiveDirectory

Functions

Get-NtlmLogonEvents

Dependencies

This module has no dependencies.

Release Notes

## [0.2.0-preview0001] - 2026-04-01

### Added

- For new features.

### Changed

- For changes in existing functionality.

### Deprecated

- For soon-to-be removed features.

### Removed

- For now removed features.

### Fixed

- For any bug fix.

### Security

- In case of vulnerabilities.

FileList

Version History

Version Downloads Last updated
5.3.0-previe... 2 4/1/2026
5.2.0 2 4/1/2026
5.1.0 2 4/1/2026
1.0.0 2 4/1/2026
0.2.0-previe... (current version) 3 4/1/2026