{"id":208398,"date":"2024-01-19T14:45:25","date_gmt":"2024-01-19T14:45:25","guid":{"rendered":"https:\/\/www.ninjaone.com\/script-hub\/comment-voir-l-historique-des-connexions-d-un-utilisateur-avec-powershell\/"},"modified":"2024-03-04T19:23:23","modified_gmt":"2024-03-04T19:23:23","slug":"comment-voir-l-historique-des-connexions-d-un-utilisateur-avec-powershell","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/fr\/script-hub\/comment-voir-l-historique-des-connexions-d-un-utilisateur-avec-powershell\/","title":{"rendered":"How to View a User&rsquo;s Login History with PowerShell"},"content":{"rendered":"<p>PowerShell scripts play an invaluable role in IT operations and security, automating tasks and extracting vital information for analysis. Today we look at a script that lets you <strong>view user login history,<\/strong> an important capability for auditing and controlling system access.<\/p>\n<h2>Background<\/h2>\n<p>Access logs are a gold mine for IT professionals. They make it possible to monitor system usage, detect unauthorized access and ensure accountability. The script provided retrieves user session start and stop events, a data set essential to any sound IT security strategy. 
By excluding system accounts and focusing only on genuine users, it presents a clear, concise history of user access, which makes life simpler for IT professionals and managed service providers (MSPs) and makes them more efficient.<\/p>\n<h2>The script<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\">#Requires -Version 5.1\r\n\r\n&lt;#\r\n.SYNOPSIS\r\n    This will return user session start and stop events.\r\n.DESCRIPTION\r\n    This will return user session start and stop events. Excluding system accounts.\r\n.EXAMPLE\r\n    No params needed\r\n    Returns all login events for all users.\r\n.EXAMPLE\r\n     -UserName \"Fred\"\r\n    Returns all user login events of the user Fred.\r\n.EXAMPLE\r\n     -Days 7\r\n    Returns the last 7 days of login events for all users.\r\n.EXAMPLE\r\n     -Days 7 -UserName \"Fred\"\r\n    Returns the last 7 days of login events for the user Fred.\r\n.EXAMPLE\r\n    PS C:&gt; Get-User-Login-History.ps1 -Days 7 -UserName \"Fred\"\r\n    Returns the last 7 days of login events for the user Fred.\r\n.NOTES\r\n    Minimum OS Architecture Supported: Windows 10, Windows Server 2016\r\n    Release Notes:\r\n    Initial Release\r\n.OUTPUTS\r\n    Time                  Event        User  ID\r\n    ----                  -----        ----  --\r\n    10\/7\/2021 3:51:48 PM  SessionStop  User1 4634\r\n    10\/7\/2021 3:51:48 PM  SessionStart User1 4624\r\n.COMPONENT\r\n    ManageUsers\r\nBy using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
\r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
\r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#&gt;\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    # Specify one user\r\n    [Parameter(Mandatory = $false)]\r\n    [String]\r\n    $UserName,\r\n    # How far back in days you want to search, this is in 24 hour increments from the time it executes\r\n    [Parameter(Mandatory = $false)]\r\n    [int]\r\n    $Days\r\n)\r\n\r\nbegin {\r\n    function Test-IsElevated {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n        if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))\r\n        { Write-Output $true }\r\n        else\r\n        { Write-Output $false }\r\n    }\r\n\r\n    # System accounts that we don't want\r\n    $SystemUsers = @(\r\n        \"SYSTEM\"\r\n        \"NETWORK SERVICE\"\r\n        \"LOCAL SERVICE\"\r\n    )\r\n    # Filter for only getting session start and stop events from Security event log\r\n    $FilterHashtable = @{\r\n        LogName = \"Security\";\r\n        id      = 4634, 4624\r\n    }\r\n    # If Days was specified, only return events created within the last $Days days\r\n    # (StartTime is the lower bound of the search window)\r\n    if ($Days) {\r\n        $FilterHashtable.Add(\"StartTime\", (Get-Date).AddDays(-$Days))\r\n    }\r\n    # Creating a hash table for parameter splatting\r\n    $Splat = @{\r\n        FilterHashtable = $FilterHashtable\r\n    }\r\n}\r\n\r\nprocess {\r\n    if (-not (Test-IsElevated)) {\r\n        Write-Error -Message \"Access Denied. 
Please run with Administrator privileges.\"\r\n        exit 1\r\n    }\r\n    # Get windows events, filter out everything but logins and logouts(Session starts and ends)\r\n    Get-WinEvent @Splat | ForEach-Object {\r\n        # UserName in the two event types are in different places in the Properties array\r\n        if ($_.Id -eq 4634) {\r\n            # Events with ID 4634 the user name is the second item in the array. Arrays start at 0 in PowerShell.\r\n            $User = $_.Properties[1].Value\r\n        }\r\n        else {\r\n            # Events with ID 4624 the user name is the sixth item in the array. Arrays start at 0 in PowerShell.\r\n            $User = $_.Properties[5].Value\r\n        }\r\n\r\n        # Filter out system accounts and computer logins(Active Directory related)\r\n        # DWM-0  = Desktop Window Manager\r\n        # UMFD-0 = User Mode Framework Driver\r\n        if ($SystemUsers -notcontains $User -and $User -notlike \"DWM-*\" -and $User -notlike \"UMFD-*\" -and $User -notlike \"*$\") {\r\n            # If the UserName parameter was specified then only return that user's events\r\n            # The value from the event log is the left operand so it is never treated as a wildcard pattern\r\n            if ($UserName -and $User -like $UserName) {\r\n                # Write out to StandardOutput\r\n                [PSCustomObject]@{\r\n                    Time  = $_.TimeCreated\r\n                    Event = if ($_.Id -eq 4634) { \"SessionStop\" } else { \"SessionStart\" }\r\n                    User  = $User\r\n                    ID    = $_.ID\r\n                }\r\n            } # If the UserName parameter was not specified return all users events\r\n            elseif (-not $UserName) {\r\n                # Write out to StandardOutput\r\n                [PSCustomObject]@{\r\n                    Time  = $_.TimeCreated\r\n                    Event = if ($_.Id -eq 4634) { \"SessionStop\" } else { \"SessionStart\" }\r\n                    User  = $User\r\n                    ID    = $_.ID\r\n                }\r\n            }\r\n        }\r\n    
    # Null $User just in case the next loop iteration doesn't set it, we can then see that the user name is missing\r\n        $User = $null\r\n    }\r\n}\r\n\r\nend {}\r\n<\/pre>\n<p>&nbsp;<\/p>\n\n<div class=\"in-context-cta\"><p style=\"text-align: center;\">Access more than 700 scripts in the NinjaOne Dojo<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.ninjaone.com\/fr\/phase-de-test-gratuit\/\">Get access<\/a><\/p>\n<\/div>\n<h2>Detailed breakdown<\/h2>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\">The script begins with a series of comments describing its usage and output format.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\">It then declares its parameters, which let the user filter the results by user name or by a specific number of past days.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"3\" data-aria-level=\"1\">In the <strong>&ldquo;begin&rdquo;<\/strong> block, the script sets up its requirements, notably the system accounts to omit and the relevant event IDs from the Windows Security log.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\">The <strong>&ldquo;process&rdquo;<\/strong> block is where the magic happens. First, it makes sure the script is running with administrator rights. 
It then retrieves the Windows events corresponding to logon and logoff activity, filtering out system or irrelevant accounts.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\">For each event, it determines the user name and whether the event is a logon (SessionStart) or a logoff (SessionStop).<\/li>\n<\/ul>\n<h2>Potential use cases<\/h2>\n<p>Take the example of an IT administrator named Alex. Recently, there have been cases of unauthorized access to data in the company. Alex decides to review the login history for the past week. By running this script with the <strong>-Days 7<\/strong> parameter, Alex can obtain a complete list of all user access events, which helps him spot any suspicious activity.<\/p>\n<h2>Comparisons<\/h2>\n<p>Although dedicated tools and platforms exist for tracking user activity, many of them are tied to cumbersome software suites or carry a high price. This PowerShell script offers a lightweight, customizable and economical alternative. 
In addition, other methods may require extensive configuration, whereas this script is ready to use and needs only minimal setup.<\/p>\n<h2>FAQ<\/h2>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Is it necessary to run the script with administrator rights?<\/strong><br \/>\nYes, access to the security logs requires elevated permissions.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\"><strong>Can I retrieve logs older than one month?<\/strong><br \/>\nYes, set the <strong>-Days<\/strong> parameter to the desired value.<\/li>\n<\/ul>\n<h2>Implications<\/h2>\n<p>Knowing user access patterns can be a double-edged sword. Although this knowledge lets IT professionals maintain system integrity, mishandling the information could breach privacy guidelines. 
Moreover, persistent monitoring can raise concerns about trust in the workplace. So, while the script is a powerful tool, it is essential to use it judiciously, in keeping with ethical and legal standards.<\/p>\n<h2>Recommendations<\/h2>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\">Always make sure you are using the latest version of PowerShell for optimal performance and security.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\">Document every instance in which you use this script for auditing purposes.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\">Back up your logs regularly to avoid any potential loss of 
data.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Managing user access is a crucial aspect of IT security. This PowerShell script offers an efficient way to review login history, which helps detect threats and respond to them quickly. Although the script is a standalone solution, integrating it with platforms such as NinjaOne can extend its capabilities and provide a complete IT management solution.<\/p>\n<p>Using NinjaOne with scripts like this makes it possible to consolidate logging, improve alerting mechanisms and provide a <a href=\"https:\/\/www.ninjaone.com\/fr\/blog\/logiciel-a-guichet-unique-explications\">unified dashboard for all IT operations<\/a>, ensuring a high-performing, optimized and secure IT infrastructure.<\/p>\n","protected":false},"author":35,"featured_media":143592,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_lmt_disableupdate":"no","_lmt_disable":""},"operating_system":[4212],"use_cases":[4289],"class_list":["post-208398","script_hub","type-script_hub","status-publish","has-post-thumbnail","hentry","script_hub_category-windows","use_cases-gestion-des-utilisateurs-et-des-acces"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/script_hub\/208398","targetHints":{"allow":["GET"]}}],"collection
":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/script_hub"}],"about":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/types\/script_hub"}],"author":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/comments?post=208398"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/media\/143592"}],"wp:attachment":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/media?parent=208398"}],"wp:term":[{"taxonomy":"script_hub_category","embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/operating_system?post=208398"},{"taxonomy":"use_cases","embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/use_cases?post=208398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}