$user_name = read-host "имя пользователя"
$start = read-host "дней назад"
[datetime]$StartTime = (Get-date).adddays(-$start)
$xls = Join-Path $env:USERPROFILE\Desktop "output.xlsx"
$FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP.csv"
$LogFilter = @{
LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID = 21, 23, 24, 25
StartTime = $StartTime
}
$AllEntries = Get-WinEvent -FilterHashtable $LogFilter
$AllEntries | Foreach {
$entry = [xml]$_.ToXml()
if ($entry.Event.UserData.EventXML.User -like "DOMAIN\$user_name")
{
[array]$Output += New-Object PSObject -Property @{
TimeCreated = $_.TimeCreated
User = $entry.Event.UserData.EventXML.User
IPAddress = $entry.Event.UserData.EventXML.Address
EventID = $entry.Event.System.EventID
}
}
}
$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
if ($_.EventID -eq '21'){"Вход"}
if ($_.EventID -eq '22'){"Запуск"}
if ($_.EventID -eq '23'){"Выход"}
if ($_.EventID -eq '24'){"Отключение"}
if ($_.EventID -eq '25'){"Подключение"}
}
}
$excel = New-Object -ComObject excel.application
$workbook = $excel.workbooks.add()
$sheet = $workBook.worksheets.Item(1)
$i = 1
foreach($row in $FilteredOutput | Sort TimeCreated -Descending)
{
$excel.cells.item($i,1) = $row.TimeCreated
$excel.cells.item($i,2) = $row.User
$excel.cells.item($i,3) = $row.IPAddress
$excel.cells.item($i,4) = $row.Action
$i++
}
$range = $sheet.UsedRange
[void] $range.EntireColumn.Autofit()
$excel.visible = $true
$workbook.SaveAs($xls, 51)
$workbook.Close()
$excel.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($excel)