Get the users that have logged on to a computer

Here’s a multi-line adaptation of a quick one-liner I threw together the other day.  I might have to turn this into a function and add it to my profile if I get asked this question too many more times.  To answer “Who used computer x between these dates?” we can use:

001 002 003 004 005 006 007

Get-EventLog -Before '01/26/2010' -after '01/25/2010' -ComputerName computername -LogName Security | `     where-object `     {         ($_.username -notmatch '^NT AUTHORITY\\(SYSTEM|NETWORK SERVICE|LOCAL SERVICE|ANONYMOUS LOGON)$') `         -and ($_.category -eq "Logon/Logoff")     } | `     select-object timegenerated,username,category,message | sort timegenerated | format-table -auto

Hope that can save some of you a little time :)