# PCS Toolkit - User Account Audit
$timestamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$outputFile = "$env:USERPROFILE\Desktop\UserAudit_$timestamp.txt"

function Log($msg) {
    Write-Host $msg
    Add-Content $outputFile $msg
}

Log "========================================"
Log "    PCS Toolkit - User Account Audit"
Log "========================================"
Log "Generated: $(Get-Date)"
Log "Computer: $env:COMPUTERNAME"
Log ""

Log "LOCAL USERS:"
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordRequired | Format-Table | Out-String | ForEach-Object { Log $_ }

Log "LOCAL GROUPS:"
Get-LocalGroup | ForEach-Object {
    $members = Get-LocalGroupMember $_.Name -EA SilentlyContinue | Select-Object -ExpandProperty Name
    Log "$($_.Name): $($members -join ', ')"
}
Log ""

Log "ADMIN GROUP MEMBERS:"
Get-LocalGroupMember -Group "Administrators" | Select-Object Name, ObjectClass, PrincipalSource | Format-Table | Out-String | ForEach-Object { Log $_ }

Log "RECENT LOGONS (Last 10):"
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 10 -EA SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $user = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' } | Select-Object -ExpandProperty '#text'
    Log "  $(Get-Date $_.TimeCreated -Format 'yyyy-MM-dd HH:mm') - $user"
}

Log ""
Log "========================================"
explorer.exe "/select,$outputFile"
Read-Host "Press Enter to exit"