HR sometimes want to know the logon and logoff times of specific users. I have been trying to figure out how to use the PowerShell Get-EventLog command to query our DC Security Logs to find entries that are only for a specific User, and have Event IDs 4624 and 4634.
I can use Get-EventLog -ComputerName dc01 -LogName Security 4624, 4634 successfully to filter down the logons and logoffs. But, try as I might, I have not been able to find a way of filtering the logs so that they are events for a specific user. And then I would have to try and do the filtering together.
And then I suspect that the non-IT people would not understand that there are several types of logon events that don't necessarily mean an interactive logon, so I have tried to filter events for interactive logons, going on the basis that the event Message would contain the String "Logon Type: 2" (or slight variations).
I'm sure it's possible, but I think it has defeated me.
If anyone can provide me with a script that gets the Interactive Logon events and Logoff Events of a specific User I would very much appreciate it.
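
One way to do the filtering described above, as an added example that is not part of the original post: it uses Get-WinEvent with an XPath filter on the structured TargetUserName and LogonType fields instead of matching the Message text. dc01 is taken from the post; the account name jsmith and the 7-day window are assumed sample values.

```powershell
# Added example. 'jsmith' and the 7-day window are assumed sample values.
param(
    [string]$ComputerName = 'dc01',
    [string]$UserName     = 'jsmith',
    [int]$Days            = 7
)

# The name is placed inside an XPath string literal, so accept only
# characters that cannot break out of the quotes.
if ($UserName -notmatch '^[A-Za-z0-9._$-]+$') {
    throw "Unexpected characters in user name: $UserName"
}

# timediff() in an event log XPath filter works in milliseconds.
$windowMs = [int64]$Days * 24 * 60 * 60 * 1000

# 4624 = logon, 4634 = logoff. Both events carry TargetUserName and LogonType
# as named EventData fields; LogonType 2 is an interactive logon.
$xpath = "*[System[(EventID=4624 or EventID=4634) and " +
         "TimeCreated[timediff(@SystemTime) <= $windowMs]]] and " +
         "*[EventData[Data[@Name='TargetUserName']='$UserName']] and " +
         "*[EventData[Data[@Name='LogonType']='2']]"

try {
    $events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
                           -FilterXPath $xpath -ErrorAction Stop
}
catch {
    # Get-WinEvent reports "no matches" as an error; treat that as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

$events | ForEach-Object {
    # Read the named EventData fields from the event XML.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $_.TimeCreated
        Action  = if ($_.Id -eq 4624) { 'Logon' } else { 'Logoff' }
        User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonId = $data.TargetLogonId   # same value on a logon and its matching logoff
    }
} | Sort-Object Time
```

Logon type 2 events are written to the Security log of the machine where the user actually signs in, so for workstation sessions point -ComputerName at that workstation rather than the DC.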