Replace IPAddress column with DNSName (FQDN)

2026-02-02 10:47:17 +11:00
parent 6cb5bd6c96
commit 2aece2fab7


@@ -6,7 +6,7 @@
.DESCRIPTION .DESCRIPTION
Queries Domain Controller security event logs for logon events (4624) Queries Domain Controller security event logs for logon events (4624)
to determine which computer each user last authenticated from. to determine which computer each user last authenticated from.
Resolves IP addresses to computer names and looks up user display names. Resolves IP addresses to DNS names and looks up user display names.
.PARAMETER OutputPath .PARAMETER OutputPath
Path for the output CSV file. Defaults to current directory. Path for the output CSV file. Defaults to current directory.
@@ -64,38 +64,42 @@ Write-Host ""
$StartDate = (Get-Date).AddDays(-$DaysBack) $StartDate = (Get-Date).AddDays(-$DaysBack)
# Cache for IP to hostname resolution # Cache for IP to DNS name resolution
$IPCache = @{} $DNSCache = @{}
# Cache for user display names # Cache for user display names
$UserCache = @{} $UserCache = @{}
function Resolve-IPToHostname { function Resolve-IPToDNSName {
param([string]$IP) param([string]$IP)
if ([string]::IsNullOrWhiteSpace($IP) -or $IP -eq '-' -or $IP -eq '::1' -or $IP -eq '127.0.0.1') { if ([string]::IsNullOrWhiteSpace($IP) -or $IP -eq '-' -or $IP -eq '::1' -or $IP -eq '127.0.0.1') {
return $null return @{ Short = $null; FQDN = $null }
} }
if ($IPCache.ContainsKey($IP)) { if ($DNSCache.ContainsKey($IP)) {
return $IPCache[$IP] return $DNSCache[$IP]
} }
try { try {
$hostname = [System.Net.Dns]::GetHostEntry($IP).HostName # DNS reverse lookup returns FQDN
$computerName = ($hostname -split '\.')[0].ToUpper() $fqdn = [System.Net.Dns]::GetHostEntry($IP).HostName
$IPCache[$IP] = $computerName $shortName = ($fqdn -split '\.')[0].ToUpper()
return $computerName $result = @{ Short = $shortName; FQDN = $fqdn.ToLower() }
$DNSCache[$IP] = $result
return $result
} catch { } catch {
try { try {
$computer = Get-ADComputer -Filter "IPv4Address -eq '$IP'" -Properties Name -ErrorAction SilentlyContinue $computer = Get-ADComputer -Filter "IPv4Address -eq '$IP'" -Properties DNSHostName, Name -ErrorAction SilentlyContinue
if ($computer) { if ($computer) {
$IPCache[$IP] = $computer.Name $result = @{ Short = $computer.Name; FQDN = if ($computer.DNSHostName) { $computer.DNSHostName.ToLower() } else { '' } }
return $computer.Name $DNSCache[$IP] = $result
return $result
} }
} catch {} } catch {}
$IPCache[$IP] = $null $result = @{ Short = $null; FQDN = $null }
return $null $DNSCache[$IP] = $result
return $result
} }
} }
@@ -161,17 +165,20 @@ try {
if ($Domain -in @('Window Manager', 'Font Driver Host', 'NT AUTHORITY')) { continue } if ($Domain -in @('Window Manager', 'Font Driver Host', 'NT AUTHORITY')) { continue }
if ([string]::IsNullOrWhiteSpace($Username)) { continue } if ([string]::IsNullOrWhiteSpace($Username)) { continue }
# Determine computer name # Determine computer name and DNS name
$Computer = $null $Computer = $null
if (-not [string]::IsNullOrWhiteSpace($Workstation) -and $Workstation -ne '-') { $DNSName = ''
$Computer = $Workstation.ToUpper()
} elseif (-not $SkipIPResolve -and -not [string]::IsNullOrWhiteSpace($IPAddress)) { if (-not $SkipIPResolve -and -not [string]::IsNullOrWhiteSpace($IPAddress) -and $IPAddress -ne '-') {
$Computer = Resolve-IPToHostname -IP $IPAddress $resolved = Resolve-IPToDNSName -IP $IPAddress
if ($resolved.Short) { $Computer = $resolved.Short }
if ($resolved.FQDN) { $DNSName = $resolved.FQDN }
} }
# Fall back to WorkstationName if IP didn't resolve
if ([string]::IsNullOrWhiteSpace($Computer)) { if ([string]::IsNullOrWhiteSpace($Computer)) {
if (-not [string]::IsNullOrWhiteSpace($IPAddress) -and $IPAddress -ne '-') { if (-not [string]::IsNullOrWhiteSpace($Workstation) -and $Workstation -ne '-') {
$Computer = "[$IPAddress]" $Computer = $Workstation.ToUpper()
} else { } else {
$Computer = "Unknown" $Computer = "Unknown"
} }
@@ -187,7 +194,7 @@ try {
Username = $Username Username = $Username
DisplayName = '' # Will populate after DisplayName = '' # Will populate after
Computer = $Computer Computer = $Computer
IPAddress = if ($IPAddress -and $IPAddress -ne '-') { $IPAddress } else { '' } DNSName = $DNSName
LogonTime = $LogonTime LogonTime = $LogonTime
LogonType = switch ($LogonType) { LogonType = switch ($LogonType) {
2 { "Interactive" } 2 { "Interactive" }
@@ -217,7 +224,7 @@ try {
} }
# Export to CSV # Export to CSV
$Results | Select-Object Domain, Username, DisplayName, Computer, IPAddress, LogonTime, LogonType | $Results | Select-Object Domain, Username, DisplayName, Computer, DNSName, LogonTime, LogonType |
Export-Csv -Path $CsvFile -NoTypeInformation -Encoding UTF8 Export-Csv -Path $CsvFile -NoTypeInformation -Encoding UTF8
Write-Host "`n===== Results =====" -ForegroundColor Green Write-Host "`n===== Results =====" -ForegroundColor Green
@@ -226,7 +233,7 @@ try {
Write-Host "" Write-Host ""
# Display summary table # Display summary table
$Results | Format-Table Domain, Username, DisplayName, Computer, LogonTime, LogonType -AutoSize $Results | Format-Table Domain, Username, DisplayName, Computer, DNSName, LogonTime, LogonType -AutoSize
} catch [System.Exception] { } catch [System.Exception] {
if ($_.Exception.Message -match "No events were found") { if ($_.Exception.Message -match "No events were found") {
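Review bot: Dropping the `IPAddress` property from the result object (and from the `Select-Object` list feeding `Export-Csv`) removes the only address value taken straight from the 4624 event. `DNSName`, and now `Computer` as well, come from a reverse lookup performed when the script runs rather than when the logon happened, so a stale or reassigned PTR record (DHCP churn, for example) can attribute a logon to the wrong machine with nothing left in the output to cross-check against. The same change makes the lookup take precedence over the event's `WorkstationName`, and an unresolvable address with no workstation name is now reported as `Unknown` where it used to be `[$IPAddress]`. I would keep `IPAddress = if ($IPAddress -and $IPAddress -ne '-') { $IPAddress } else { '' }` next to `DNSName = $DNSName` and list `IPAddress` in the `Select-Object` columns; the object literal and the loop around it start outside the visible hunks. Separately, `$IP` is interpolated into the `Get-ADComputer -Filter` string unparsed, so a `[System.Net.IPAddress]::TryParse` guard at the top of `Resolve-IPToDNSName` would keep malformed event data out of both the filter and the DNS call.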