PowerShell Query AD security logs for all logins for a single user

TJCooper 1 Reputation point
2022-11-05T12:21:58.247+00:00

I would have thought this would be easy to find, but it's not. I need to query the Security Log (DC) for all logins for a specific user. I have used a custom view in Event Viewer, but the output is not that great. Can someone point me in the right direction?

Active Directory

1 answer

  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 32,156 Reputation points Microsoft Vendor
    2022-11-07T03:45:21.57+00:00

    Hi @TJCooper ,

    You can try filtering on the event ID 4624 in the security log of the DC. Say you want to query the logon events for the user TestUser from UTC 2022-11-07 08:00:00 to 12:00:00, it can be something like this:

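    # Time window in UTC (SystemTime in the event XML is stored in UTC)
    $begin = '2022-11-07T08:00:00.000Z'
    $end = '2022-11-07T12:00:00.000Z'
    $user = 'TestUser'
    # Compare the TargetUserName element itself, so a match in another Data field (e.g. SubjectUserName) does not count
    $XPath = "*[System[(EventID=4624) and TimeCreated[@SystemTime>='$begin' and @SystemTime<='$end']]] and *[EventData[Data[@Name='TargetUserName']='$user']]"
    Get-WinEvent -LogName Security -FilterXPath $XPath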
    

    Hope this helps.

    Best Regards,
    Ian Xue

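The following is an added example, not part of the answer above: it wraps the same event ID 4624 XPath filter in a function and flattens each event's EventData into one readable row (time, account, logon type, source address), which addresses the output complaint in the question. The function name `Get-UserLogonEvent` and the host name `DC01` are hypothetical; reading the Security log requires administrative or Event Log Readers rights on the target DC.

```powershell
function Get-UserLogonEvent {
    param(
        # Reject quotes so the name cannot break out of the XPath string literal
        [Parameter(Mandatory)][ValidatePattern('^[^''"]+$')][string]$User,
        [Parameter(Mandatory)][datetime]$Begin,
        [Parameter(Mandatory)][datetime]$End,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Logon type codes recorded in event 4624
    $logonTypes = @{
        2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
        8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
    }
    # SystemTime is stored in UTC, so convert the (local) input times before building the filter
    $fmt = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    $inv = [cultureinfo]::InvariantCulture
    $b = $Begin.ToUniversalTime().ToString($fmt, $inv)
    $e = $End.ToUniversalTime().ToString($fmt, $inv)
    $xpath = "*[System[(EventID=4624) and TimeCreated[@SystemTime>='$b' and @SystemTime<='$e']]]" +
             " and *[EventData[Data[@Name='TargetUserName']='$User']]"

    # Get-WinEvent reports "no events found" as an error; suppress it so an empty window returns nothing
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Turn the <Data Name="..."> elements into a name/value lookup
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreatedUtc = $evt.TimeCreated.ToUniversalTime()
                User           = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType      = $logonTypes[[int]$data['LogonType']]
                SourceIp       = $data['IpAddress']
                Workstation    = $data['WorkstationName']
                AuthPackage    = $data['AuthenticationPackageName']
            }
        }
}

# Example call; 'DC01' is a placeholder host name, times are read as local time
Get-UserLogonEvent -User 'TestUser' -Begin '2022-11-07 08:00' -End '2022-11-07 12:00' -ComputerName 'DC01' |
    Sort-Object TimeCreatedUtc | Format-Table -AutoSize
```

Each domain controller keeps its own Security log, so repeat the call per DC to cover all of them. Replace `Format-Table` with `Export-Csv` to keep the rows for later review.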