{"id":3435,"date":"2013-06-08T00:01:00","date_gmt":"2013-06-08T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/06\/08\/weekend-scripter-use-powershell-to-generate-a-recent-profile-report\/"},"modified":"2013-06-08T00:01:00","modified_gmt":"2013-06-08T00:01:00","slug":"weekend-scripter-use-powershell-to-generate-a-recent-profile-report","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-use-powershell-to-generate-a-recent-profile-report\/","title":{"rendered":"Weekend Scripter: Use PowerShell to Generate a Recent Profile Report"},"content":{"rendered":"

Summary<\/strong>: Guest blogger, Bob Stevens, talks about using Windows PowerShell to generate a recent profile report.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Today I am pleased to welcome back guest blogger, Bob Stevens. Be sure you check out Bob’s other guest blog posts<\/a>. Bob is a member of the Twin Cities PowerShell User Group. Here is his contact information:<\/p>\n

Blog: Help! I’m Stuck in My PowerShell!<\/a>
Twitter: @B_stevens6<\/a>
LinkedIn: Robert Stevens<\/a>\nTake it away, Bob…\nRecently the IT security officer in my organization asked me if there was a way to determine which profiles on a local machine have been accessed in the last 30 days. As many of you know, in Windows XP, Windows 2000, and Windows 2003, profiles are located natively in C:Documents and Settings<\/strong>. Since Windows Vista, they are located in C:Users<\/strong>.<\/strong>\nThe movement of user profiles from the “Documents and Settings” folder to the “Users” folders complicates things if you want to avoid changing the code on a case-by-case basis. So we are going to discern between the two by using a pair of “IF” statements. If statements are always followed by two things: the condition and the action. Conditions are encapsulated in parathenses () and actions are encapsulated in braces{}. <\/span><\/p>\n

IF (this is true) {do this} <\/span>\nInside the condition, we are going to use the WMI object “Win32_OperatingSystem.” This is accomplished by using the Get-WmiObject<\/strong> cmdlet (“RTUR.NET”): <\/span><\/p>\n

IF (Get-WmiObject Win32_OperatingSystem) {} <\/span>\nBecause we want the version number, we need to furthur encapsulate the previous command, Get-WmiObject Win32_OperatingSystem<\/strong> in parathenses and append the Version <\/strong>property to it to specify exactly the property we want:<\/p>\n

IF ((Get-WmiObject Win32_OperatingSystem).version) {}<\/span>\nDifferent Windows operating system have different version numbers, as seen on the MSDN site, <\/span>Operating System Version<\/a>. We only want to differentiate between version 5 and version 6 because Windows XP, Windows 2000, and Windows 2003 fall under version 5, and after Windows Vista, versions fall under version 6. So we use the <\/span>-like<\/strong> operator, followed by the version number encapsulated in double quotes.<\/span><\/p>\n

IF ((Get-WmiObject Win32_OperatingSystem).version –like “5”) {}\nAnd the last thing needed for our condition is a wildcard character. Without it, Windows PowerShell is only going to look for 5 and not anything beginning with a 5, which is what we want.<\/span><\/p>\n

IF ((Get-WmiObject Win32_OperatingSystem).version –like “5*”) {}<\/span>\nNow that the condition has been defined, it is time to fill in the action. To understand how the upcoming command works, one must understand what happens when a user logs on to a machine. All local and domain accounts have what is called a “local profile.” A local profile stores all of the relevant information specific to a user, such as the user’s settings, pictures, documents, temp folders. In essence it IS the user on the local machine. The only differences between a domain account and a local account is where the authentication takes place and how policies are applied and governed. Otherwise they are treated the same on a local machine.<\/span>\nWhen a user logs in, the file in the profile labeled ntuser.dat is loaded. This loads the Hkey_Current_User registry hive. This specific hive holds the entirety of the settings specific to the user, and it is loaded every time a profile is accessed. Because a folder (and thus its modified date) can be altered by anyone with Admin rights, looking at the modified date of the ntuser.dat file is a way to be reasonably certain that the profile has legitimately been accessed and loaded. As such, this makes an excellent starting point.\nWe start with the Get-Item<\/strong> cmdlet. Because ntuser.dat is a hidden file we have to use the –force<\/strong> switch or the Get-Item<\/strong> cmdlet will fail:<\/p>\n

Get-Item -force\n Directly following this, we need to tell Windows PowerShell what to get. Because we want to access all profiles, we are going to use a wildcard character (*), and nest it in the profile path in place of an actual profile name:<\/span><\/p>\n

Get-Item -force “C:Documents and Settings*ntuser.dat”<\/p>\n

Note<\/strong>  Quotations must be used because the Documents and Settings directory contains spaces, and Windows PowerShell will treat it as three separate items.<\/span>\nNow that we have retrieved the actual items, we are going to use the pipe (|) operator to tell Windows PowerShell what to do with the output. This must have a space on each side or it will be considered part of a command:<\/p>\n

Get-Item -force “C:Documents and Settings*ntuser.dat” |\nOur intent is to say, “Return the list of profiles that have been accessed within the last 30 days.” This is accomplished by giving Windows PowerShell the conditional statement. A conditional statement, simply put, filters the data based on one or more conditions. And we will accomplish this with the Where cmdlet. Because we are following Where with a complex command, we use braces:<\/p>\n

Where{}\nWe are using time, so we must use the <\/span>Get-Date<\/strong> cmdlet. Because it is a specific date within the properties, we need to encapsulate it in parentheses:<\/span><\/p>\n

Where{<\/p>\n

(Get-Date)<\/p>\n

}\nSo far, all we have said is, “Where Date.” Much like an incomplete sentence, this makes absolutely no sense to Windows PowerShell. We need to specify which date to get because any file has several dates, for example, the last-write time, a creation date, and an access date.<\/span>\nFor our purposes, we will use the last-write time because it is written to every time the profile is loaded. Because of the multiple dates associated with this file, we need to use the $_.<\/strong> operator to say that it is a specific property of the file, and this must come first or you will get a syntax error:<\/p>\n

Where {<\/p>\n

(Get-Date)-$_.lastwritetime<\/p>\n

}<\/p>\n

Note<\/strong>  The hypen is used to separate the initial command from the specification.<\/span>\nNow we need to specify how we want the measurement of time to be expressed. For our purposes, we want the number of days. This is done by encapsulating the entire Get-Date<\/strong> statement in another set of parentheses, and appending the Days<\/strong> property definition to it.<\/p>\n

Where {<\/p>\n

((Get-Date)-$_.lastwritetime).days<\/p>\n

}\nNow that we have defined the left-hand side of the condition (X), we must use the inequality<\/span> <\/strong>operator “Less than” (<\/span>-le<\/strong>). We want all profiles that have been accessed within the last 30 days, so we set the right-hand side (Y) as 31:<\/span><\/p>\n

Where {<\/p>\n

((Get-Date)-$_.lastwritetime).days -le 31<\/p>\n

}\nRoll them together and you get this:<\/span><\/p>\n

Get-Item -force “C:Documents and Settings*ntuser.dat” | Where {<\/p>\n

((Get-Date)-$_.lastwritetime).days -le 31<\/p>\n

}\nThat completes our conditional statement, and it will result in retrieving all profiles that have been accessed in the past 30 days. We can stop here and it will provide an output in Windows PowerShell. But what if we want a report of some kind? For this, we need to pipe to the <\/span>Out-File<\/strong> cmdlet. With <\/span>Out-File<\/strong>, we need to define the actual output. I have chosen to use the name “30dayrecentprofiles.txt.”<\/span><\/p>\n

| Out-File 30dayrecentprofiles.txt\nWe append that to our completed command, and the end result is:<\/span><\/p>\n

Get-Item -force “C:Documents and Settings*ntuser.dat” | Where {<\/p>\n

((Get-Date)-$_.lastwritetime).days -le 31<\/p>\n

} | Out-File 30dayrecentprofiles.txt\nNow we nest our action inside the braces following our “IF” Statement.<\/p>\n

IF ((Get-WmiObject Win32_OperatingSystem).version –like “5*”) {<\/p>\n

Get-Item -force “C:Documents and Settings*ntuser.dat” | Where {<\/p>\n

((Get-Date)-$_.lastwritetime).days -le 31<\/p>\n

} | Out-File 30dayrecentprofiles.txt<\/p>\n

}\nSo far our IF statement only says, “If the host operating system is a variation on version 5, then get all profiles that have had the Hkey_Current_User registry hive loaded within the past 30 days.” To address all versions above version 5, we copy this IF statement, alter the version number to “6,” and change “Documents and Settings” to “Users.”<\/p>\n

IF ((Get-WmiObject Win32_OperatingSystem).version –like “6<\/strong>*”) {<\/p>\n

Get-Item -force “C:Users<\/strong>*ntuser.dat” | Where {<\/p>\n

((Get-Date)-$_.lastwritetime).days -le 31<\/p>\n

} | Out-File 30dayrecentprofiles.txt<\/p>\n

}\nCombined, the finished script should look like this:<\/p>\n

IF ((Get-WmiObject Win32_OperatingSystem).version –like “5*”) {<\/p>\n

Get-Item -force “C:Documents and Settings*ntuser.dat” | Where {<\/p>\n

((Get-Date)-$_.lastwritetime).days -le 31<\/p>\n

} | Out-File 30dayrecentprofiles.txt<\/p>\n

}<\/p>\n

IF ((Get-WmiObject Win32_OperatingSystem).version –like “6<\/strong>*”) {<\/p>\n

Get-Item -force “C:Users<\/strong>*ntuser.dat” | Where {<\/p>\n

((Get-Date)-$_.lastwritetime).days -le 31<\/p>\n

} | Out-File 30dayrecentprofiles.txt<\/p>\n

}\nAs new operating system versions are released and old ones lose support, scripts like this will need to be altered. Of course, this is only one way you can do this with Windows PowerShell. There is always room for improvement. Thank you for reading, and as usual, if you have any input, please use the following <\/span>Leave a Comment <\/strong>text box!<\/span><\/p>\n

Related resource<\/strong><\/h3>\n

How to Determine the Operating System With Windows PowerShell<\/a>\n ~Bob\nAwesome job, Bob. Join us tomorrow when Bob will expand on this post and talk about removing a conditional profile. It is good stuff that you do not want to miss.\nI invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.\nEd Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Guest blogger, Bob Stevens, talks about using Windows PowerShell to generate a recent profile report. Microsoft Scripting Guy, Ed Wilson, is here. Today I am pleased to welcome back guest blogger, Bob Stevens. Be sure you check out Bob’s other guest blog posts. Bob is a member of the Twin Cities PowerShell User Group. […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[424,16,56,3,198,61,45],"class_list":["post-3435","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-bob-stevens","tag-desktop-management","tag-guest-blogger","tag-scripting-guy","tag-users","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Guest blogger, Bob Stevens, talks about using Windows PowerShell to generate a recent profile report. Microsoft Scripting Guy, Ed Wilson, is here. Today I am pleased to welcome back guest blogger, Bob Stevens. Be sure you check out Bob’s other guest blog posts. Bob is a member of the Twin Cities PowerShell User Group. […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3435","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=3435"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3435\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=3435"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=3435"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=3435"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}