AJ26

Reputation: 501

Retrieve computer names where an admin account is logged on through AD

How would I retrieve the names and IP addresses of computers in Active Directory that an admin account is logged into?

I can retrieve local admin accounts with my script below:

function get-localadministrators {
param ([string]$computername=$env:computername)

$computername = $computername.toupper()
# Members of the local Administrators group come back as WMI object paths of the form
# \\COMPUTER\root\cimv2:Win32_UserAccount.Domain="DOMAIN",Name="user"
$ADMINS = get-wmiobject -computername $computername -query "select * from win32_groupuser where GroupComponent=""Win32_Group.Domain='$computername',Name='administrators'""" | % {$_.partcomponent}

$objreport = @() # must exist before += can append to it

foreach ($ADMIN in $ADMINS) {
            $admin = $admin.replace("\\$computername\root\cimv2:Win32_UserAccount.Domain=","") # trims the results for a user
            $admin = $admin.replace("\\$computername\root\cimv2:Win32_Group.Domain=","") # trims the results for a group
            $admin = $admin.replace('",Name="',"\") # "DOMAIN",Name="user" -> "DOMAIN\user"
            $admin = $admin.REPLACE("""","") # strips the remaining quotes -> DOMAIN\user

            $objOutput = New-Object PSObject -Property @{
                Machinename = $computername
                Fullname = ($admin)
                DomainName  = $admin.split("\")[0]
                UserName = $admin.split("\")[1]
            }#end object

$objreport += @($objoutput)
}#end for

return $objreport
}#end function

but what I want is to return all instances of an Administrator logged on to computers. Is this possible, or is there anything that would return similar results?

Upvotes: 0

Views: 338

Answers (1)

Snak3d0c

Reputation: 626

You are not going to be able to do this with AD alone. How many computers are we talking about here? Nevertheless, I would make use of the event log. Each logon event is stored and has the SID of the user that logs on (or triggers the event). Event 7001 (logon) is what you are looking for.

You could retrieve these events in an XML format. This XML contains the SID of the user that triggered the event. You can either use a .NET translation function to convert it into a SamAccountName, or you can just retrieve all SIDs from AD and compare them that way (so maybe make use of a hashtable).

I wrote a script some time ago that uses a lot of these techniques. It was meant to show when a user logged on and off AND locked and unlocked their computer. You can find a blog post about it here:

https://cookiecrumbles.github.io/GetLogonEventViewer/

That blog post also references the GitHub repository where you can find the script I made.

With some tweaking, you could make it into the tool that you need.

Upvotes: 1
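The event-log approach the answer describes, worked through as an added PowerShell example. This is not the answer's script, nor the GetLogonEventViewer code it links to; it is written here to show the pieces end to end: pull logon events from each computer's Security log, read the logging user's SID out of the event XML, match that SID against a hashtable of admin SIDs taken from AD, and attach the computer's IP address. It uses Security event 4624, the event the Windows Security log records for every successful logon, and the EventData field names that event carries (TargetUserSid, TargetUserName, TargetDomainName, LogonType, IpAddress, WorkstationName). The group names, the logon-type filter, the look-back window and the sample event at the bottom are assumptions for illustration; live use needs the ActiveDirectory (RSAT) module and rights to read the remote Security logs.

```powershell
# Added example, not code from the question or the answer. Assumptions are marked.

function ConvertFrom-LogonEventXml {
    # Parse one Security 4624 event's XML (as returned by EventLogRecord.ToXml())
    # into a flat object. PowerShell's XML property navigation ignores the
    # default namespace, so $xml.Event.System.Computer works as written.
    param([Parameter(Mandatory)][string]$EventXml)

    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Computer    = $xml.Event.System.Computer
        Time        = [datetime]$xml.Event.System.TimeCreated.SystemTime
        UserSid     = $data['TargetUserSid']
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = [int]$data['LogonType']   # 2 interactive, 3 network, 10 RDP, 11 cached
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

function Get-AdminSidTable {
    # Hashtable of SID -> SamAccountName for the admin groups of interest, so each
    # event is matched by SID with no directory lookup per event (the answer's
    # hashtable idea). The group names are an assumption; adjust to your domain.
    param([string[]]$Group = @('Domain Admins', 'Administrators'))

    $table = @{}
    foreach ($g in $Group) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $table[$_.SID.Value] = $_.SamAccountName }
    }
    $table
}

function Get-AdminLogons {
    # For each computer: resolve its IPv4 address, read 4624 events since $Since,
    # keep the ones whose TargetUserSid is in $AdminSids and whose logon type is
    # in $LogonType (defaults to console/RDP/cached, i.e. someone actually at the box).
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][hashtable]$AdminSids,
        [int[]]$LogonType = @(2, 10, 11),
        [datetime]$Since = (Get-Date).AddDays(-7)   # look-back window is an assumption
    )

    foreach ($c in $ComputerName) {
        $ip = try {
            ([System.Net.Dns]::GetHostAddresses($c) |
                Where-Object AddressFamily -eq 'InterNetwork' |
                Select-Object -First 1).IPAddressToString
        } catch { $null }

        try {
            $events = Get-WinEvent -ComputerName $c -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = 4624; StartTime = $Since
            }
        } catch {
            # unreachable host, access denied, or simply no events in the window
            Write-Warning "$c : $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            $logon = ConvertFrom-LogonEventXml -EventXml $e.ToXml()
            if ($AdminSids.ContainsKey($logon.UserSid) -and $logon.LogonType -in $LogonType) {
                $logon | Add-Member -NotePropertyName ComputerIp -NotePropertyValue $ip -PassThru
            }
        }
    }
}

# Constructed sample event (not captured from a real host) so the parser can be
# exercised offline; the SID, names and addresses are made up.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2019-01-01T08:00:00.000Z"/>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $sample | Format-List

# Live use (names assumed): build the SID table once, then sweep every domain computer.
# $admins = Get-AdminSidTable
# Get-AdminLogons -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) -AdminSids $admins |
#     Sort-Object Computer, Time | Format-Table Computer, ComputerIp, User, LogonType, SourceIp, Time
```

Two practical caveats. First, the Security log only holds what audit policy writes and what the log size retains, so a short look-back window or a box with a small Security log will miss logons; on a large estate it is better to forward 4624 events to a collector and run the same filter there than to query hundreds of hosts over RPC. Second, the SID-to-name mapping is built from AD at run time, so an account that has since been removed from the group (or deleted) will not match even though it was an admin at the time of the logon; keep the event's TargetUserName alongside the SID if you need that history.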
