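# FindUser.ps1
# PowerShell script to parse a comma delimited log file created by logon
# and logoff scripts to determine which computer a user is logged into.
#
# Copyright (c) 2018 Richard L. Mueller
# Version 1.0 - June 29, 2018
#
# ----------------------------------------------------------------------
# You have a royalty-free right to use, modify, reproduce, and
# distribute this script file in any way you find useful, provided that
# you agree that the copyright owner above has no warranty, obligations,
# or liability for such use.
#
# Usage: FindUser.ps1 [sAMAccountName]
#   With no argument the script prompts for the user logon name.
#
# NOTE(review): the log is appended to by logon and logoff scripts. If
# those scripts run in the logging-on user's own context (not shown
# here - confirm), every user needs write access to the share and can
# therefore add, alter or remove entries. Treat the result as a hint for
# locating a session, not as audit evidence; confirm against the
# security event logs where the answer matters.

# Specify log file created by logon and logoff scripts.
$LogFile = "\\Server\Share\Users.log"
$Header = "Event","Date","Time","ComputerName","UserName"

# Read the log file. Fail loudly if it cannot be read: with no rows the
# code below would report "not currently logged in", which is
# indistinguishable from a real negative result.
Try
{
    $Logons = Import-Csv -Path $LogFile -Header $Header -ErrorAction Stop
}
Catch
{
    Write-Host "Error - unable to read log file $LogFile" `
        -ForegroundColor red -BackgroundColor black
    Write-Host $_.Exception.Message
    Exit 1
}

# Check for user name on command line.
Switch ($Args.Count)
{
    0
    {
        # Prompt for user name.
        $User = Read-Host "Enter user logon name (sAMAccountName)"
    }
    1
    {
        # One parameter on the command line, the user logon name.
        $User = $Args[0]
    }
    Default
    {
        Write-Host "Error - too many parameters" `
            -ForegroundColor red -BackgroundColor black
        # Abort the script.
        Exit
    }
}

# Normalize the requested name the same way the log fields are
# normalized below, and refuse an empty name: it would otherwise match
# truncated log lines whose UserName field is missing.
$User = "$User".Trim()
If ($User -eq "")
{
    Write-Host "Error - no user name specified" `
        -ForegroundColor red -BackgroundColor black
    Exit 1
}

# Hash table of user logons. The key will be the ComputerName. The value
# will be the logon datetime. Only logons are maintained in the hash table.
# When the corresponding logoff event is detected in the log file,
# the logon information is deleted from the hash table.
$Computers = @{}

# Parse the log file.
ForEach ($Logon In $Logons)
{
    # Find entries for the user.
    # Entries will be in chronological order (oldest first).
    # Retain logons where the user has not yet logged off.
    #
    # Each field is cast to a string before Trim() so that a short line
    # (missing trailing fields, which Import-Csv returns as $null) does
    # not raise "You cannot call a method on a null-valued expression".
    # UserName is trimmed like every other field; untrimmed, a trailing
    # space in the log would make the comparison fail silently.
    $EntryUser = "$($Logon.UserName)".Trim()
    If ($EntryUser -eq $User)
    {
        # $EventType rather than $Event: $Event is a PowerShell
        # automatic variable and should not be assigned to.
        $EventType = "$($Logon.Event)".Trim()
        $Day = "$($Logon.Date)".Trim()
        $Time = "$($Logon.Time)".Trim()
        $Date = "$Day $Time"
        $Computer = "$($Logon.ComputerName)".Trim()
        Switch ($EventType)
        {
            "Logon"
            {
                # If the user was previously logged onto this computer
                # and did not log off, the logoff event is missing:
                # the computer may have crashed or the user logged off
                # when the log file was unavailable or could not be
                # reached. Assigning by key replaces that stale logon
                # instead of creating a duplicate.
                $Computers[$Computer] = $Date
            }
            "Logoff"
            {
                # Remove the matching logon, if any. A logoff with no
                # previous logon event for this user on this computer
                # is ignored.
                If ($Computers.ContainsKey($Computer))
                {
                    $Computers.Remove($Computer)
                }
            }
            Default
            {
                # Event must be either "Logon" or "Logoff".
                # Ignore this event, but alert the user.
                Write-Host "Entry in log file not recognized:" `
                    -ForegroundColor red -BackgroundColor black
                Write-Host "$EventType,$Day,$Time,$Computer,$User"
            }
        }
    }
}

# Check if the user is logged on anywhere.
If ($Computers.Count -eq 0)
{
    Write-Host "User " -NoNewLine
    Write-Host "$User" `
        -ForegroundColor yellow -BackgroundColor black -NoNewLine
    Write-Host " not currently logged in"
    # Abort the script.
    Exit
}

# Output all computers where the user is logged on.
ForEach ($Computer In $Computers.Keys)
{
    $Date = $Computers[$Computer]
    Write-Host "User " -NoNewLine
    Write-Host "$User" `
        -ForegroundColor green -BackgroundColor black -NoNewLine
    Write-Host " Logged in at Computer: " -NoNewline
    Write-Host $Computer -ForegroundColor green -BackgroundColor black
    Write-Host "    Logon Time: $Date"
}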