PowerShell help to eliminate account name with $
Hi
I run a PowerShell script to get the frequently logged-in user by creating a text file on the C drive, and then create a CIR rule to pull the user name into inventory so that we can track the frequently logged-in user and also know that he/she is the owner.
I need help with this script as I'm not good at scripting.
$computer = ""
$eventLogs = Get-WinEvent -ComputerName $computer -filterHashTable @{Logname='Security';Id=4624;data=''} -MaxEvents 50
$users = @()
foreach($event in $eventLogs){
    $eventXML = [xml]$event.toXML()
    #$eventXML.Event.EventData.Data
    $users += $eventXML.Event.EventData.Data[5].'#text' | Where-Object {$_ -ne 'SYSTEM' -and $_ -ne "$($computer)$"}
}
$mostFrequentUser = ($users -ne "$"| Group-Object | Sort-Object Count -Descending | Select-Object -First 1).Name
Write-Host $mostFrequentUser
The above script sometimes generates an Account Name with a $ sign, e.g. TEST-2008$. How can I skip the account names that have $?
If the account name/machine with the $ sign is eliminated, I can get the owner of the machine.
Answers (1)
Posted by: flip1001, 7 years ago
Top Answer
I made some changes which I plan to use on my computers.
$computer = "$env:computername"
#$eventLogs = Get-WinEvent -ComputerName $computer -filterHashTable @{Logname='Security';Id=4624;data=''} -MaxEvents 50
# Look for security logon events from last 24 hours
# http://rakhesh.com/powershell/using-get-winevent-to-look-at-windows-event-logs/
$eventLogs = Get-WinEvent -ComputerName $computer -filterHashTable @{Logname='Security';Id=4624;data='';StartTime=(get-date).AddHours(-24)}
$users = @()
foreach($event in $eventLogs){
    $eventXML = [xml]$event.toXML()
    #$eventXML.Event.EventData.Data
    $users += $eventXML.Event.EventData.Data[5].'#text' | Where-Object {$_ -ne 'SYSTEM' -and $_ -notmatch "$computer"}
}
#$eventLogs = Get-WinEvent -ComputerName $computer -filterHashTable @{Logname='Security';Id=4624;data=''} -MaxEvents 500
#$eventLogs = Get-WinEvent -ComputerName $computer -filterHashTable @{Logname='Security';Id=4624;data=''} -MaxEvents 501
Comments:
-
I apologize for the formatting, but I'm posting from a Mac computer and the markup pasted improperly somehow. - flip1001 7 years ago
-
These should be the last 2 lines, the forum won't let me edit.
$mostFrequentUser = ($users -notmatch "\$" | Group-Object | Sort-Object Count -Descending | Select-Object -First 1).Name
Write-Host $mostFrequentUser
- flip1001 7 years ago
-
Wonderful!!!!!! Perfect, thanks a lot for your help - rahimpal 7 years ago
-
Is it possible to run this script under Managed Install rather than in Scripting, because scripting may fail sometimes... with MI we can give retries? - rahimpal 7 years ago
-
"powershell.exe -nologo -Executionpolicy Bypass -WindowStyle hidden -noprofile -file MOSTfrquserKCN.ps1" When I run this in Managed Install, I can still see a command prompt running this script for a second. How can I make this run in the background?
Override Default Installation
Full Command Line:
"powershell.exe -nologo -Executionpolicy Bypass -WindowStyle hidden -noprofile -file MOSTfrquserKCN.ps1" - rahimpal 7 years ago
-
Set the script as a KScript set to run daily. - flip1001 7 years ago
-
Hi flip1001
I want to exclude these in the -notmatch part:
ANONYMOUS LOGON
LOCAL SERVICE
I checked for -notmatch syntax but couldn't find much info.
I want to exclude ANONYMOUS LOGON
LOCAL SERVICE in $Users
$mostFrequentUser = ($users -notmatch "\$" | Group-Object | Sort-Object Count -Descending | - rahimpal 7 years ago
-
How do I add the last 60 days in the script? I want to search only the event IDs that were created in the last 60 days. - rahimpal 7 years ago
-
Thanks for your help. I'm running it as a Managed Install because its success rate is higher than KScripts. How can I make sure the command prompt doesn't pop up? It pops up for a second; I don't want users to see this. - rahimpal 7 years ago
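
An added example, not code from either poster: one way to combine what this thread asks for (skip computer accounts ending in $, skip ANONYMOUS LOGON and LOCAL SERVICE, look back 60 days). The function names are hypothetical, the sample names are constructed, and keeping only interactive logon types (2, 10, 11) is an added assumption about what counts as the machine's owner.

```powershell
# Added example; function and parameter names are hypothetical.
function Select-HumanLogonName {
    # Drops computer accounts (trailing $) and built-in service identities
    # from a list of account names taken from 4624 events.
    param([string[]]$Name)
    $builtin = 'SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE'
    $Name | Where-Object {
        $_ -and                   # skip empty values
        $_ -notmatch '\$$' -and   # a trailing $ marks a computer account
        $_ -notin $builtin        # exact, case-insensitive name match
    }
}

function Get-MostFrequentLogonUser {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 60
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$Days)   # only events from the last $Days days
    }
    $records = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter
    $names = foreach ($record in $records) {
        $data = ([xml]$record.ToXml()).Event.EventData.Data
        # Look fields up by name rather than by position in the Data array.
        $type = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        if ($type -in '2', '10', '11') {   # interactive, RDP, cached interactive
            ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        }
    }
    (Select-HumanLogonName -Name $names |
        Group-Object | Sort-Object Count -Descending |
        Select-Object -First 1).Name
}

# Constructed sample names: shows the filter on its own, no event log needed.
$sample = 'jsmith', 'TEST-2008$', 'ANONYMOUS LOGON', 'jsmith', 'LOCAL SERVICE', 'SYSTEM', 'adoe'
Select-HumanLogonName -Name $sample
```

Reading the Security log requires an elevated session; call Get-MostFrequentLogonUser from the scheduled script and write its result wherever the inventory rule reads it.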