Get DC logon events
Tue Jul 28 2020
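# Collect successful-logon events (Security event ID 4624) from the last 24 hours
# on every domain controller and show them in an interactive grid.
# Needs the ActiveDirectory module (Get-ADDomainController) and permission to
# read the Security log on each domain controller remotely.

$DCs = Get-ADDomainController -Filter *
$StartDate = (Get-Date).AddDays(-1)

# Get-EventLog exposes an event's insertion strings by position only.
# For event 4624: index 5 is the account that logged on, index 8 the logon
# type and index 11 the workstation name.
# The workstation name is reported by the client, so treat it as a hint rather
# than proof of origin; the source network address (index 18 in the 4624
# layout) is worth adding as a column when the output feeds an investigation.
$CalculatedProperties = @{
    LogonType = @{ N = 'LogonType'; E = { $_.ReplacementStrings[8] } }
    User      = @{ N = 'User'; E = { $_.ReplacementStrings[5] } }
    Hostname  = @{ N = 'Hostname'; E = { $_.ReplacementStrings[11] } }
}

$LogonEventsProperties = @(
    'EventID'
    'TimeGenerated'
    $CalculatedProperties.LogonType
    $CalculatedProperties.User
    $CalculatedProperties.Hostname
)

# Capture the loop output directly instead of growing an array with '+=', which
# copies the whole array on every append. -InstanceId lets Get-EventLog select
# 4624 itself rather than emitting every Security entry for Where-Object to
# discard. A domain controller that cannot be reached produces a non-terminating
# error and the loop moves on to the next one.
$LogOnEvents = @(
    foreach ($DC in $DCs) {
        Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $StartDate -InstanceId 4624
    }
)

# Noise reduction: drop events recorded without a workstation name ('-') and
# logons by computer accounts (names ending in '$'). Both filters also hide real
# activity, so the grid is a convenience view, not a complete audit trail.
$LogOnEvents |
    Select-Object $LogonEventsProperties |
    Where-Object { $_.Hostname -ne '-' -and $_.User -notlike '*$' } |
    Out-GridView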