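function Get-RemoteDesktopLogons {
    <#
    .SYNOPSIS
    Lists recent Remote Desktop session events from one or more computers.

    .DESCRIPTION
    Queries the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    log for event IDs 21 (session logon), 23 (logoff), 24 (disconnect) and
    25 (reconnect) created within the last $daysToReport days, extracts the
    user and source network address from each event message, and prints one
    table per computer.

    .PARAMETER computer
    One or more computer names to query. Defaults to 'localhost'.

    .PARAMETER daysToReport
    How many days back from now to report. Defaults to 2.

    .EXAMPLE
    Get-RemoteDesktopLogons

    Reports the last two days of RDP session events on the local machine.

    .EXAMPLE
    Get-RemoteDesktopLogons -computer 'SRV01', 'SRV02' -daysToReport 7

    Reports the last seven days of RDP session events on two servers.

    .NOTES
    The fields are parsed from the rendered event message, so the labels
    matched below ("User", "Source Network Address") only work where the
    message is rendered in English. The source address is whatever the host
    saw on the connection; behind a gateway, jump host or NAT it identifies
    that hop rather than the originating client.
    #>
    [CmdletBinding()]
    param (
        # Typed as an array because the body iterates over it; a single
        # string still binds, so existing callers are unaffected.
        [Parameter(Mandatory=$false, Position=0)]
        [System.String[]]
        $computer = 'localhost',

        [Parameter(Mandatory=$false, Position=1)]
        [System.Int32]
        $daysToReport = 2
    )

    # Filter on the event-log side so only matching records cross the wire,
    # instead of pulling the whole log and discarding most of it locally.
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 23, 24, 25
        StartTime = (Get-Date).AddDays(-$daysToReport)
    }

    foreach ($c in $computer) {
        try {
            $events = Get-WinEvent -FilterHashtable $filter -ComputerName $c -ErrorAction Stop
        }
        catch {
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                # An empty result is not a failure; report nothing for this host.
                $events = @()
            }
            else {
                # Keep going with the remaining computers, but make the gap
                # visible: a host that could not be read is not a clean host.
                Write-Error "Could not read RDP session events from '$c': $($_.Exception.Message)"
                continue
            }
        }

        # The raw event objects are deliberately not written to the pipeline:
        # mixing them with the Format-Table output below breaks formatting.
        $results = foreach ($logEntry in $events) {
            $result = '' | Select-Object Message, User, TimeCreated, NetworkAddr
            $result.TimeCreated = $logEntry.TimeCreated

            foreach ($line in ($logEntry.Message -split "`n")) {
                # Split on the first colon only, so IPv6 source addresses
                # (which contain colons themselves) are kept whole.
                $label, $value = $line -split ':', 2
                if ($null -eq $value) { continue }

                # Trim() also strips the carriage return left over when the
                # message uses CRLF line endings.
                $value = $value.Trim()

                if ($label -like 'User') { $result.User = $value }
                if ($label -like 'Remote Desktop*') { $result.Message = $value.TrimEnd(':').Trim() }
                if ($label -like 'Source Network Address*') { $result.NetworkAddr = $value }
            }

            $result
        }

        $results |
            Select-Object Message, User, TimeCreated, NetworkAddr |
            Format-Table -Wrap -AutoSize
    }
}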