Tim McPherson

Reputation: 13

PowerShell script to audit Remote Desktop user logons

I found a script that logs all users of RDS servers, which works great:

Link here

However I want to make it specific for 1 user, not all users.

I really don't know PowerShell, so I need some help.

Param(
    [array]$ServersToQuery = (hostname),
    [datetime]$StartTime = "January 1, 1970"   # declared but not used by the filter below, which always looks back 7 days
)

foreach ($Server in $ServersToQuery) {

    # Session events from the Local Session Manager log: 21 logon, 23 logoff, 24 disconnect, 25 reconnect
    $LogFilter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        ID        = 21, 23, 24, 25
        StartTime = (Get-Date).AddDays(-7)
    }

    $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server

    $AllEntries | ForEach-Object {
        # The user name and client address are only available in the event's XML payload
        $entry = [xml]$_.ToXml()
        [array]$Output += New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            User        = $entry.Event.UserData.EventXML.User
            IPAddress   = $entry.Event.UserData.EventXML.Address
            EventID     = $entry.Event.System.EventID
            ServerName  = $Server
        }
    }

}

# Translate the numeric event ID into a readable action column
$FilteredOutput += $Output | Select-Object TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
        if ($_.EventID -eq '21'){"logon"}
        if ($_.EventID -eq '22'){"Shell start"}
        if ($_.EventID -eq '23'){"logoff"}
        if ($_.EventID -eq '24'){"disconnected"}
        if ($_.EventID -eq '25'){"reconnection"}
    }
}

$Date = (Get-Date -Format s) -replace ":", "."
$FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv"
$FilteredOutput | Sort-Object TimeCreated | Export-Csv $FilePath -NoTypeInformation

Write-Host "Writing File: $FilePath" -ForegroundColor Cyan
Write-Host "Done!" -ForegroundColor Cyan

Upvotes: 1

Views: 3134

Answers (1)

postanote

Reputation: 16076

So, you say …

(I really don't know powershell so need some help.)

..., but point to a very advanced PowerShell script you want to use.

It is vital that you do not use anyone's code unless you fully understand what it is doing. You could seriously damage / compromise your system(s) and/or your entire enterprise. Please ramp up to protect yourself and your enterprise, and to avoid the unnecessary confusion, complications, issues, errors and frustration you are going to encounter:

Follow this link

As for your query...

However I want to make it specific for 1 user, not all users.

… Though the script returns all users, you can just filter / prompt for the one user you are after, without changing anything about the author's code.

Prompt for a user by adding an additional parameter in that param block:

[string]$targetUser = (Read-Host -Prompt 'Enter a username')

That $FilteredOutput section is where you'd use the additional $targetUser parameter, using the Where-Object cmdlet or string matching there or in the ….

$FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation

… section. Something like...

$FilteredOutput | Where-Object { $_.User -match $targetUser } | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation

I do not have an environment to test this, so, I'll leave that up to you.

$FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation

This is all a basic PowerShell 'using parameters' use case, and it is covered in all beginning PowerShell courses, books, websites, and built-in PowerShell help files.

Upvotes: 2
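One way to apply the single-user filtering described above, as an added example that is neither the question's script nor the answerer's code: the event-to-record conversion is pulled into a function so it can be exercised offline on constructed event XML (the host name RDS01, the user names and the addresses are made up), and the user filter compares the name part of the DOMAIN\user value that the Local Session Manager log records.

```powershell
# Event IDs of Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
$ActionByEventId = @{ 21 = 'logon'; 22 = 'Shell start'; 23 = 'logoff'
                      24 = 'disconnected'; 25 = 'reconnection' }

# Turn one event's XML (the string returned by $_.ToXml()) into a flat record.
function ConvertFrom-RdsEventXml {
    param([Parameter(Mandatory)][string]$Xml, [string]$ServerName)
    $e  = [xml]$Xml
    $id = [int]$e.Event.System.EventID
    [pscustomobject]@{
        TimeCreated = [datetime]$e.Event.System.TimeCreated.SystemTime
        User        = $e.Event.UserData.EventXML.User      # recorded as DOMAIN\name
        IPAddress   = $e.Event.UserData.EventXML.Address
        EventID     = $id
        Action      = $ActionByEventId[$id]
        ServerName  = $ServerName
    }
}

# Keep only one user's records; accepts 'alice' as well as 'CONTOSO\alice'.
function Select-RdsUserSessions {
    param([Parameter(ValueFromPipeline)]$Record,
          [Parameter(Mandatory)][string]$TargetUser)
    process {
        $name = ($Record.User -split '\\')[-1]      # strip the DOMAIN\ prefix
        if ($Record.User -eq $TargetUser -or $name -eq $TargetUser) { $Record }
    }
}

# Constructed sample events in the shape ToXml() produces (values are made up).
$SampleXml = @(
  '<Event><System><EventID>21</EventID><TimeCreated SystemTime="2024-01-02T08:00:00Z"/></System><UserData><EventXML><User>CONTOSO\alice</User><Address>10.0.0.5</Address></EventXML></UserData></Event>',
  '<Event><System><EventID>21</EventID><TimeCreated SystemTime="2024-01-02T08:05:00Z"/></System><UserData><EventXML><User>CONTOSO\bob</User><Address>10.0.0.6</Address></EventXML></UserData></Event>',
  '<Event><System><EventID>23</EventID><TimeCreated SystemTime="2024-01-02T09:00:00Z"/></System><UserData><EventXML><User>CONTOSO\alice</User><Address>10.0.0.5</Address></EventXML></UserData></Event>'
)
$Records = $SampleXml | ForEach-Object { ConvertFrom-RdsEventXml -Xml $_ -ServerName 'RDS01' }

# Only alice's logon and logoff rows survive; bob's logon is dropped.
$Records | Select-RdsUserSessions -TargetUser 'alice' | Sort-Object TimeCreated |
    Format-Table TimeCreated, User, IPAddress, Action -AutoSize

# Against a live server, feed the real log instead of $SampleXml, e.g.:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; ID = 21,23,24,25 } -ComputerName $Server |
#       ForEach-Object { ConvertFrom-RdsEventXml -Xml $_.ToXml() -ServerName $Server } |
#       Select-RdsUserSessions -TargetUser $targetUser
```

Matching on the User property rather than on the whole object avoids picking up rows where the name happens to occur in another column, such as the server name.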
