At times, it is necessary to find the IP address of a computer that logs onto a Domain Controller or another server. This may be required, for instance, if a user is getting constantly locked out after changing their password, and they cannot recall which computer is being used to access a service or application on their behalf.
Many IT administrators are unaware of where to find this crucial piece of information. A Google search may not yield a specific result that is easy to locate, so I'm here to share some tips with you.
Open Event Viewer.
Go to Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational.
Click on it, and the events listed there show this IP information.
Using PowerShell, it is possible to find both the user who is currently logged in and the IP address of their computer:
===START===
#=Find Currently Logged On User + IP=#
# quser prints a header row, then one row per session. Skip the header and keep
# the first column (the user name; ">" marks the current session).
$CurrentUsers = quser | Select-Object -Skip 1 | ForEach-Object {
    $_.Trim().Split(" ")[0].Replace(">", "")
}

# Event ID 1149 in this log holds the user name and the source IP of each Remote Desktop connection.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    ID        = 1149
    StartTime = (Get-Date).AddDays(-31)
}

# Turn each event into an object: Param1 is the user name, Param3 the source IP.
$EventObjects = @($Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    New-Object -TypeName PSObject -Property @{
        Username  = $EventXML.Event.UserData.EventXML.Param1
        IP        = $EventXML.Event.UserData.EventXML.Param3
        Timestamp = [datetime]$EventXML.Event.System.TimeCreated.SystemTime
    }
})

# For every logged-on user, keep only the most recent matching event.
$CurrentSessions = $CurrentUsers | ForEach-Object {
    $EventObjects | Sort-Object -Property Timestamp -Descending | Where-Object Username -eq $_ | Select-Object -First 1
}
$CurrentSessions | Select-Object Username, IP, Timestamp
====END====
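The script above only covers users who are logged on right now. For the lockout case from the introduction, the following added example (not part of the original post) lists every source IP seen for a user in the same Event ID 1149 records; the function name Get-RdpSourceSummary and the sample records are constructed for illustration.

```powershell
# Added example; Get-RdpSourceSummary is a hypothetical helper name.
function Get-RdpSourceSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,  # XML text of Event ID 1149 records
        [string] $UserName                            # optional: limit to one user
    )
    $rows = @(foreach ($x in $EventXml) {
        $e = ([xml]$x).Event
        [pscustomobject]@{
            Username  = $e.UserData.EventXML.Param1
            IP        = $e.UserData.EventXML.Param3
            Timestamp = [datetime]$e.System.TimeCreated.SystemTime
        }
    })
    if ($UserName) { $rows = @($rows | Where-Object { $_.Username -eq $UserName }) }
    # One output row per user/IP pair, with a count and the first/last time seen.
    $rows | Group-Object Username, IP | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Timestamp)
        [pscustomobject]@{
            Username    = $sorted[0].Username
            IP          = $sorted[0].IP
            Connections = $_.Count
            FirstSeen   = $sorted[0].Timestamp
            LastSeen    = $sorted[-1].Timestamp
        }
    } | Sort-Object LastSeen -Descending
}

# Constructed sample records (documentation IP ranges), so the function runs offline.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1149</EventID><TimeCreated SystemTime="{0}" /></System>
  <UserData><EventXML xmlns="Event_NS">
    <Param1>{1}</Param1><Param2>{2}</Param2><Param3>{3}</Param3>
  </EventXML></UserData>
</Event>
'@
$sample = @(
    ($template -f '2024-03-01T08:00:00Z', 'jdoe',   'CORP', '192.0.2.10'),
    ($template -f '2024-03-02T09:30:00Z', 'jdoe',   'CORP', '198.51.100.7'),
    ($template -f '2024-03-04T07:45:00Z', 'jdoe',   'CORP', '192.0.2.10'),
    ($template -f '2024-03-03T12:00:00Z', 'asmith', 'CORP', '192.0.2.25')
)
Get-RdpSourceSummary -EventXml $sample -UserName 'jdoe' | Format-Table -AutoSize

# On the server, feed it the live log instead of $sample:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; ID = 1149 } | ForEach-Object { $_.ToXml() }
# Get-RdpSourceSummary -EventXml $xml -UserName 'jdoe'
```

An IP that keeps appearing for a user who no longer works from that machine is the first place to look for a stored old password.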