Detect user-user using powershell

Question

Detect user-user using powershell

I want to register the date and time of each user time switch that is called on the machine. How can i do this? Something similar to this, but the "switch user" event: detecting input and output using powershell

Thank you in advance

+4

powershell

Artur carvalho Mar 03 '11 at 21:20

source share

1 answer

JPBlanc · Accepted Answer · 2011-03-18T09:11:21+0000

I think you are looking for this:

Event ID 4778 : A user has logged by selecting Switch user command (Fast User Switching).
Event ID 4779 : A user has logged back on using Switch user command (Fast User Switching).

But these events are displayed in the Security event log only if you configure "audit consolidation events" in the audit stratum.

enter image description here

Sorry for the French screen, but I think it's better than nothing.

" ", 4778 4779, - :

enter image description here

, powerShell , , :

clear-Host
$UserProperty = @{n="User";e={$_.ReplacementStrings[0]}}
$TypeProperty = @{n="Action";e={switch($_.EventID) {4778 {"SwitchOn"} 4779{"SwitchOff"}}}}
$TimeProeprty = @{n="Time";e={$_.TimeGenerated}}
Get-EventLog -LogName Security -Source Microsoft-Windows-security-auditing | where {$_.EventID -eq 4778 -or $_.EventID -eq 4779} | select $UserProperty,$TypeProperty,$TimeProeprty

, .

JP

PS: " " .

Detect user-user using powershell

More articles: