Get-NtfsAuditUserActivity
SYNOPSIS
Retrieve a list of users and their activity status for a specified UNC path using NetApp audit logs via Kibana.
SYNTAX
Get-NtfsAuditUserActivity [-unc] <String> [[-Months] <Int32>] [[-pwstateid] <String>] [-ResolveUsername]
[[-Credential] <PSCredential>] [<CommonParameters>]
DESCRIPTION
This function retrieves a list of users with access to a specified UNC path, their activity status (active or inactive), and the date of their last action. It queries NetApp audit logs via Kibana and compares the results with the NTFS database to determine user access and activity. Optionally, it can resolve usernames to full names.
EXAMPLES
EXAMPLE 1
Retrieves the activity status of all users with access to "\\groepgent\data\District09" and the date of their last action. Includes a column with the full name of each user.
EXAMPLE 2
Retrieves the activity status of all users with access to "\\groepgent\data\Finance" for the last 6 months.
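The calls described in the two examples, written out from the SYNTAX section and followed by an access-review step. This is an added example, not taken from the module's own help. The output property names Status and LastAction, the value 'inactive' and the CSV file name are assumptions; check the real column names with Get-Member first.

```powershell
# EXAMPLE 1: all users with access to the District09 share, with a full-name column.
$district = Get-NtfsAuditUserActivity -unc '\\groepgent\data\District09' -ResolveUsername

# EXAMPLE 2: same report for the Finance share, limited to the last 6 months.
$finance = Get-NtfsAuditUserActivity -unc '\\groepgent\data\Finance' -Months 6

# Pass credentials for the Elastic server explicitly instead of relying on
# the PasswordState lookup (-pwstateid). Get-Credential prompts interactively,
# so the password never appears in the script or in shell history.
$cred = Get-Credential -Message 'Account with read access to the Elastic server'
$finance = Get-NtfsAuditUserActivity -unc '\\groepgent\data\Finance' -Months 6 -Credential $cred

# Inspect the returned objects before filtering. The property names used
# below (Status, LastAction) are ASSUMED and may differ in the real output.
$finance | Get-Member -MemberType Properties

# Access review: users who still hold NTFS access but show no activity inside
# the look-back window are candidates for having that access removed.
$stale = $finance |
    Where-Object { $_.Status -eq 'inactive' } |   # assumed property and value
    Sort-Object -Property LastAction              # assumed property

# Hand the list to the data owner for confirmation before any ACL change.
$stale | Export-Csv -Path '.\Finance-inactive-users.csv' -NoTypeInformation
```

Because -Months is capped at 12, a user reported as inactive has had no logged action in at most the past year; activity older than the window is outside what this report can show.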
PARAMETERS
-unc
The UNC path to filter the audit logs for user activity.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Months
The number of months to look back for user activity. Defaults to 12 months. The maximum value is 12.
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: 12
Accept pipeline input: False
Accept wildcard characters: False
-pwstateid
The PasswordState ID for the credentials used to access the Elastic server. Defaults to '28410'.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: 28410
Accept pipeline input: False
Accept wildcard characters: False
-ResolveUsername
A switch to include an additional column with the full name of the user.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-Credential
A PSCredential object containing the credentials to use for accessing the Elastic server. If not provided, the function will attempt to retrieve the credentials from PasswordState.
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.