9/02/2008

Get User's last successful and failed logon

The following VBScript will show the last successful and the last failed logon of the current user. Depending of the OS Version the event id's from eventvwr has to be customized.


Dim objNetwork : Set objNetwork = CreateObject("WScript.Network")
strComputer = "."
Dim EventTime, strUsername
strLogonSuccess = "528"
strLogonError = "529"
Set objWMIService = GetObject("winmgmts:" & "{(Security)}!\\" & strComputer & "\root\cimv2")
 
'Determine the last successful logon process
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and EventCode = '" &strLogonSuccess &"'")
For Each objEvent in colLoggedEvents
 If Not IsNull(objEvent.User) And objEvent.User = objNetwork.UserDomain &"\" &objNetwork.UserName Then
  If cint(objEvent.Eventcode) = cint(strLogonSuccess) Then
   Call ConvertTime(objEvent.TimeWritten)
   Wscript.Echo "The last successful Logon from " &objEvent.User &" was at " &EventTime
   Exit For
  End If
 End If
Next
 
'Determine the last failed logon process
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and EventCode = '" &strLogonError &"'")
For Each objEvent in colLoggedEvents
 'Convert username out of the eventvwr message
 Call GetUsername(objEvent.Message)
 
 'Check if username from event matches local logged in user
 If lcase(cstr(strUsername)) = lcase(cstr(objNetwork.UserName)) Then
  If cint(objEvent.Eventcode) = cint(strLogonError) Then
   Call ConvertTime(objEvent.TimeWritten)
   Wscript.Echo "The last failed Logon from " &strUsername &" was at " &EventTime
   Exit For
  End If
 End If
Next
 
Function ConvertTime(datetime)
EventTime = Mid(datetime, 5, 2) & "/" & Mid(datetime, 7, 2) & "/" & _
    Mid(datetime, 1, 4) & " " & Mid(datetime, 9, 2) & ":" & _
    Mid(datetime, 11, 2) & "." & Mid(datetime, 13, 2)
End Function
 
Function GetUsername(strMessage)
 strStart = InStr(strMessage,"User Name:") + 10
 strEnd = InStr(strMessage,"Domain:")
 strLen = strEnd - strStart
 
 strUsername = Replace(Replace(Replace(Replace(Mid(strMessage,strStart,strLen)," ",""),vbTab, ""),VbCrLf,""), vbNewLine,"")
End Function
Gepostet von unter

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)