The following is my attempt to discover the workstations in a domain and find out which user was the last person on each workstation. My trouble is getting the userID from the line which has "Account Name: ". I saw some postings using Regex, which looks like hieroglyphics to me. Anyway, any suggestions to advance this would be appreciated.
#get non-server class computers from domain
$wks = Get-ADComputer -Filter { OperatingSystem -NotLike '*Server*' } -Properties OperatingSystem
#Create an array to stick the results
$info = @()
foreach ($pc in $wks) {
    $pcname = $pc.name
    $lastuserevent = get-winevent -FilterHashtable @{LogName="security"; ID=4624} -computername $pcname | select -first 1
    $lastuser = $lastuserevent.message | select-string -pattern "Account Name:" -Context 1,1
    #one object per computer so Export-CSV writes one row with two columns
    $info += [pscustomobject]@{ Computer = $pcname; LastUser = $lastuser }
}
$info | Export-CSV "c:\scripts\PC2UserAssociation.csv" -NoTypeInformation

When I look into what is contained in $lastuserevent.message, I see the following:
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-21-1274253652-4404135117-2032146204-25962
Account Name: UserX
Account Domain: DomainX
Logon ID: 0x4f45786
Logon GUID: {C89819D6-A100-1C04-6AF5-0BD956666D39}
I need to pick out UserX from $lastuserevent.message. Any suggestions how?
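
One way to pull the "New Logon" account out of the message text shown above, as an added example that is not part of the original post: it walks the message line by line and tracks the section header instead of relying on one large regular expression. The function name Get-NewLogonInfo, the output property names and the choice of logon types 2, 10 and 11 as "interactive" are assumptions made for this example.

```powershell
# Added example: walk a 4624 message line by line and keep the fields under "New Logon:".
function Get-NewLogonInfo {
    param([Parameter(Mandatory)][string]$Message)

    $section = ''
    $result  = [ordered]@{ User = $null; Domain = $null; LogonType = $null }

    foreach ($line in $Message -split '\r?\n') {
        $text = $line.Trim()
        if ($text -eq '') { continue }

        # A line that ends with ':' is a section header ("Subject:", "New Logon:").
        if ($text.EndsWith(':')) { $section = $text.TrimEnd(':'); continue }

        # Everything else is "Label: value"; split on the first colon only.
        $label, $value = $text -split ':\s*', 2
        switch ($label) {
            'Logon Type'     { $result.LogonType = [int]$value }
            'Account Name'   { if ($section -eq 'New Logon') { $result.User   = $value } }
            'Account Domain' { if ($section -eq 'New Logon') { $result.Domain = $value } }
        }
    }
    [pscustomobject]$result
}

# The message text quoted in the post above.
$sample = @'
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-21-1274253652-4404135117-2032146204-25962
Account Name: UserX
Account Domain: DomainX
Logon ID: 0x4f45786
Logon GUID: {C89819D6-A100-1C04-6AF5-0BD956666D39}
'@

$logon = Get-NewLogonInfo -Message $sample
# Logon types 2, 10 and 11 are interactive, remote-interactive and cached-interactive logons.
# Type 3 is a network logon (for example a share access), not someone at the keyboard.
$logon | Add-Member -NotePropertyName Interactive -NotePropertyValue ($logon.LogonType -in 2, 10, 11)
$logon
```

Against live events the same values are also exposed as the TargetUserName, TargetDomainName and LogonType data fields in the event's XML (`$lastuserevent.ToXml()`), which avoids depending on the wording of the message text.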