Thursday, August 6, 2015

Connection Report for Remote Desktop

I came across this PowerShell script. I haven't made any modifications, but I wanted to add it to my collection, since I tend to forget where I found information/scripts.

This was written by Mike Crowley. Link to his blog: https://mikecrowley.wordpress.com

Link to his blog post: https://mikecrowley.wordpress.com/2015/04/08/a-new-and-an-updated-powershell-script/

UPDATE 10th August 2015:
I noticed that if I run the script more than once, it makes multiple entries. I added a Remove-Variable command to the beginning to make sure that the results are correct.

The script:

<#

Features:
    1) This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from multiple servers and outputs the human-readable results to a CSV.

Instructions:
    1) Before you run, edit this line to include one or several of your own servers.
    
Requirements:
    1) TBD
    
April 8 2015 - Version 0.2
Mike Crowley
http://BaselineTechnologies.com
#>

#Clear output variables to avoid multiple entries
#Added by Miikka Kallberg 10th August 2015

if ($FilteredOutput) {
    Remove-Variable FilteredOutput
}

if ($Output) {
    Remove-Variable Output
}

#

$SessionHosts = @('Server2', 'Server3', 'Server4', 'Server5')

foreach ($Server in $SessionHosts) {

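    # Event IDs requested: 21 = logon, 23 = logoff, 24 = disconnected, 25 = reconnection.
    # ID 22 (shell start) is mapped to an Action further down but is not requested here.
    $LogFilter = @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        ID = 21, 23, 24, 25
    }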

    $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server

    $AllEntries | Foreach {
        $entry = [xml]$_.ToXml()
        [array]$Output += New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            User = $entry.Event.UserData.EventXML.User
            IPAddress = $entry.Event.UserData.EventXML.Address
            EventID = $entry.Event.System.EventID
            ServerName = $Server
        }
    }

}

$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
            if ($_.EventID -eq '21'){"logon"}
            if ($_.EventID -eq '22'){"Shell start"}
            if ($_.EventID -eq '23'){"logoff"}
            if ($_.EventID -eq '24'){"disconnected"}
            if ($_.EventID -eq '25'){"reconnection"}
            }
        }

$Date = (Get-Date -Format s) -replace ":", "."
$FilteredOutput | Sort TimeCreated | Export-Csv $env:USERPROFILE\Desktop\$Date`_RDP_Report.csv -NoTypeInformation


#End
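
A follow-up step for the CSV this script writes, as an added example that is not part of Mike Crowley's script or the original post: it groups logon and reconnection rows by user, server and source address and marks sources outside the private IPv4 ranges for review. The function names `Test-InternalSource` and `Get-RdpSourceSummary` and the sample rows (accounts, times, addresses) are constructed for illustration; only the column names come from the script above.

```powershell
# Added example. Sample rows are constructed; the columns match the report CSV.
$SampleCsv = @'
"TimeCreated","User","ServerName","IPAddress","Action"
"2015-08-10 08:01:12","CONTOSO\alice","Server2","10.0.4.17","logon"
"2015-08-10 08:45:03","CONTOSO\alice","Server2","10.0.4.17","disconnected"
"2015-08-10 09:10:44","CONTOSO\alice","Server2","10.0.4.17","reconnection"
"2015-08-10 23:52:30","CONTOSO\bob","Server3","203.0.113.25","logon"
"2015-08-11 00:15:02","CONTOSO\bob","Server3","","logoff"
"2015-08-11 07:30:00","CONTOSO\carol","Server4","LOCAL","logon"
'@

function Test-InternalSource {
    param([string]$Address)
    $ip = $null
    # Values that are not IP addresses (empty, "LOCAL") are not remote sources.
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }
    # Only IPv4 private ranges are checked; IPv6 sources are reported for review.
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    $private = ($b[0] -eq 10) -or ($b[0] -eq 127) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    return $private
}

function Get-RdpSourceSummary {
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows |
        Where-Object { $_.Action -in 'logon', 'reconnection' } |
        Group-Object User, ServerName, IPAddress |
        ForEach-Object {
            # [datetime]::Parse uses the current culture when reading the text.
            $times = @($_.Group | ForEach-Object { [datetime]::Parse($_.TimeCreated) } | Sort-Object)
            [pscustomobject]@{
                User       = $_.Group[0].User
                ServerName = $_.Group[0].ServerName
                IPAddress  = $_.Group[0].IPAddress
                Sessions   = $_.Count
                FirstSeen  = $times[0]
                LastSeen   = $times[-1]
                External   = -not (Test-InternalSource $_.Group[0].IPAddress)
            }
        }
}

$Rows = $SampleCsv | ConvertFrom-Csv
Get-RdpSourceSummary -Rows $Rows | Sort-Object External -Descending | Format-Table -AutoSize
```

To run it against a real report, replace the `$Rows` assignment with `Import-Csv` pointed at the generated `_RDP_Report.csv` file.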
