This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Disclaimer
JUMPCLOUD EXPRESSLY DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, CONDITIONS, AND LIABILITIES OF ANY KIND ARISING FROM OR RELATED TO THIRD-PARTY SOFTWARE, SCRIPTS, REPOSITORIES, AND APIS. JUMPCLOUD IS NOT REQUIRED TO SUPPORT ANY SUCH THIRD-PARTY MATERIALS AND ALL RISKS RELATED TO THIRD-PARTY MATERIALS ARE YOUR RESPONSIBILITY. PLEASE ALSO REVIEW THE JUMPCLOUD TOS.

[PowerShell] Get the last user activities from Directory Insights

shawnsong
Rising Star III
Rising Star III

‎12-09-2022 12:54 AM - edited ‎01-09-2024 08:50 PM

I heard from a lot of our customers are asking for this - like the good old days we were tracking the "last logon event" 😉 

Here is my take - leverage on the event goldmine Directory Insights (the user & admin events) via the JC pwsh module of course.  

The Use Case

  • Get the last user activities for all and generate a report in CSV format - for the past X number of days. 
  • Get an insight of the users who don't have activity (for the past 30 days i.e.) - especially in the context of the remote working culture as the new norm. 

 

Here is code

p.s. You need PowerShell version 7 to run this script. 

[Update: 28th Dec 2023] - Added the local username login activities when it has been taken over by the JC user. 

[Update: 10th Jan 2024] - Boosted the performance of the overall runtime. Requires the latest JC powershell module v2.9.1. 

Note: Please make sure you are using the latest JC Powershell module.

 


# Building the Report Object Container
$outputReport = @()

# Set the number of days you wanted to back track
$tracebackDays = 30

# Get all users with usernames only
$usernames = Get-JCUser -returnProperties username,systemUsername
foreach ($u in $usernames){ 
    $report = "" | select username,geoip,service,success,client_ip,timestamp,details,event_type,useragent,localUserName
    
    $reportUser = $u.username
    if ("" -ne $u.systemUsername){
      $reportUser = ($u.systemUsername).ToLower()

    }
    # Callin JC DI and back tracking the days defined above
    $loginEvent = Get-JcSdkEvent -Service:('all') -StartTime:((Get-date).AddDays(-$tracebackDays))`
      -SearchTermAnd @{"initiated_by.username" = $reportUser} -ErrorAction SilentlyContinue |`
      sort-object -Descending $_.timestamp -Bottom 1

    $report.username = $u.username
    $report.timestamp = "n.a."
    $report.details = "user has no activity for the past $tracebackDays days "
    $report.localUserName = $u.systemUsername

    
    if ($null -ne $loginEvent){
        $report.geoip = $loginEvent.geoip
        $report.service = $loginEvent.service
        $report.success = $loginEvent.success
        $report.client_ip = $loginEvent.client_ip
        $report.timestamp = $loginEvent.timestamp
        $report.details = $loginEvent.message
        $report.event_type = $loginEvent.event_type
        $report.useragent = $loginEvent.useragent
    }
    $outputReport += $report
}
$outputReport | export-csv lastUserActReport.csv

 

 

 

 

 

Labels:
1 REPLY 1

VigneswaraRao
Novitiate I

‎12-27-2023 03:48 AM

Thanks Shawn

0 Kudos
You Might Like

New to the site? Take a look at these additional resources:

Community created scripts:

Our new Radical Admin blog:

Keep up with Product News:

Read our community guidelines

Ready to join us? You can register here.