Updated: 2023-12-04 16:39:22
You can get this information from the event log:
Get-EventLog System -Source Microsoft-Windows-Winlogon
Logons have an InstanceId of 7001, logoffs have 7002. The user account is a SID in ReplacementStrings.
Here is some more useful code for you.
# Translate the SID in ReplacementStrings[1] to a DOMAIN\user account name
$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
# 7001 is a logon, 7002 is a logoff
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
# One row per event: user, action, time
Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProperty
You can also get these events from a remote computer by adding the "-ComputerName" parameter to Get-EventLog.
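
The same 7001/7002 events paired into per-user sessions, as an added example that is not part of the original answer. It uses Get-WinEvent, which also works in PowerShell 7 where Get-EventLog is not available, and keeps the raw SID when an account no longer translates. The function names Resolve-Sid and Get-LogonSession are hypothetical, and it assumes Properties[1] of these events holds the user SID, mirroring ReplacementStrings[1] above.

```powershell
# Added example. Assumption: Properties[1] is the user SID (as ReplacementStrings[1] is above).
function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # deleted or unreachable-domain accounts do not translate; keep the raw SID
    }
}

function Get-LogonSession {
    param([datetime]$After = (Get-Date).AddDays(-7))

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Winlogon'
        Id           = 7001, 7002
        StartTime    = $After
    }
    # -Oldest returns events in chronological order, so each logoff follows its logon.
    # SilentlyContinue suppresses the "no events found" error on a quiet machine.
    $events = Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue

    $open = @{}   # SID -> time of the logon still waiting for its logoff
    foreach ($e in $events) {
        $sid = [string]$e.Properties[1].Value
        if ($e.Id -eq 7001) {
            # Keyed on SID only: a second concurrent session of the same user overwrites the first.
            $open[$sid] = $e.TimeCreated
        } elseif ($open.ContainsKey($sid)) {
            [pscustomobject]@{
                User     = Resolve-Sid $sid
                Logon    = $open[$sid]
                Logoff   = $e.TimeCreated
                Duration = $e.TimeCreated - $open[$sid]
            }
            $open.Remove($sid)
        }
    }
    # Logons with no matching logoff: still signed in, or the machine went down uncleanly.
    foreach ($sid in $open.Keys) {
        [pscustomobject]@{ User = Resolve-Sid $sid; Logon = $open[$sid]; Logoff = $null; Duration = $null }
    }
}

Get-LogonSession | Sort-Object Logon | Format-Table -AutoSize
```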