Get users logins on windows server with powershell - powershell

I am creating a script to get user logins on the server. I do it through PowerShell and the event viewer.
The problem is that the script returns the users and other "users" of the system and I only need the real users.
______
User
______
AR01
system
dvm-01
system
AR01
AR04
AR15
system
I thought about creating a condition so that it only selects users that start with AR, but I don't know how to do it.
Any ideas?
Thanks!
Get-WinEvent -Computer MyServerName -FilterHashtable @{Logname='Security';ID=4624} -MaxEvents 2000|
select @{N='User';E={$_.Properties[5].Value}}, TimeCreated | export-csv -Path C:\Users\AR001\Desktop\filename.csv -NoTypeInformation

You can simply use a Where-Object once you have extracted your data from the message.
Just add this:
Where-Object -Property User -Match -Value "AR"
before you try to export to the CSV.
Try this complete command:
Get-WinEvent -Computer MyServerName -FilterHashtable @{Logname='Security';ID=4624} -MaxEvents 2000 |
select @{N='User';E={$_.Properties[5].Value}}, TimeCreated | Where-Object -Property User -Match -Value "AR" |
export-csv -Path C:\Users\AR001\Desktop\filename.csv -NoTypeInformation
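
An added example, not part of the original posts: it reads the 4624 fields by name from the event XML instead of by index, and keeps only interactive and RDP logons whose account name starts with AR, dropping computer accounts. The function names and the sample events are constructed for illustration.

```powershell
# Added example. The sample events are constructed and carry only the fields read below.
function New-SampleLogonXml([string]$User, [int]$Type, [string]$Time) {
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID>' +
    "<TimeCreated SystemTime=`"$Time`"/></System><EventData>" +
    "<Data Name=`"TargetUserName`">$User</Data><Data Name=`"LogonType`">$Type</Data></EventData></Event>"
}

function ConvertTo-LogonRecord {
    # Turns one event XML string into an object with named fields
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            User        = $data['TargetUserName']
            LogonType   = [int]$data['LogonType']
            TimeCreated = [datetime]$evt.System.TimeCreated.SystemTime
        }
    }
}

function Select-UserLogon {
    param(
        [Parameter(ValueFromPipeline = $true)]$Record,
        [string]$Pattern   = '^AR',      # anchored: the name must start with AR, not merely contain it
        [int[]]$LogonTypes = @(2, 10)    # 2 = interactive, 10 = RemoteInteractive (RDP)
    )
    process {
        $isMachine = $Record.User -like '*$'    # computer accounts end in $
        if (-not $isMachine -and $Record.User -match $Pattern -and $LogonTypes -contains $Record.LogonType) {
            $Record
        }
    }
}

$samples = @(
    (New-SampleLogonXml 'AR01'    10 '2024-01-15T08:30:00Z'),
    (New-SampleLogonXml 'SYSTEM'  5  '2024-01-15T08:31:00Z'),   # service logon
    (New-SampleLogonXml 'DVM-01$' 3  '2024-01-15T08:32:00Z'),   # computer account, network logon
    (New-SampleLogonXml 'AR04'    2  '2024-01-15T08:33:00Z'),
    (New-SampleLogonXml 'AR15'    3  '2024-01-15T08:34:00Z'),   # network logon, e.g. a file share
    (New-SampleLogonXml 'CLARK'   2  '2024-01-15T08:35:00Z')    # contains "AR" but does not start with it
)
$samples | ConvertTo-LogonRecord | Select-UserLogon | Select-Object User, LogonType, TimeCreated

# Against a live log, feed the same functions from the question's query:
# Get-WinEvent -ComputerName MyServerName -FilterHashtable @{Logname='Security';ID=4624} -MaxEvents 2000 |
#     ForEach-Object { $_.ToXml() } | ConvertTo-LogonRecord | Select-UserLogon
```

With the unanchored pattern "AR" and no logon-type check, the CLARK and AR15 records would also be exported.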

Related

Get computers name with specific Security ID from EventViewer

Need help building a PowerShell script that will provide me information from EventViewer for each computer.
This command provides me the full list of my computers in AD:
Get-ADComputer -SearchBase 'DC=test,DC=test' -Filter * | Select-Object Name
And this command provides me the specific Security ID that I'm searching for (for example 4688):
(Get-ADComputer -SearchBase 'DC=test,DC=test' -Filter *).Name | Get-EventLog -LogName Security -InstanceId 4688
Now I need to build a script from those commands: first I get all the hosts from my AD, then I need to search each computer and get a list of all the computers (names) on which there is a Security ID (for example 4688), and export it. Please help, thanks.
Done.
Script that will do the following steps:
1. Export all Domain computers name to the file called "ADcomputerlist.csv"
2. Import this file "ADcomputerlist.csv"
3. Search in each computer name for the past 30 days for the Security Log, InstanceID 1102.
4. Export the result to the file Result_Log_objects.csv with a specific date when file created.
4.1. Inside the file "Result_Log_objects.csv" I will find:
The names of the computers on which this log event exists
By whom this action was taken (for example, log clearing)
And when this action was taken.
# Step 1: export all domain computer names
Get-ADComputer -Filter * -Property * | Select-Object Name | Export-CSV C:\ADcomputerslist.csv -NoTypeInformation -Encoding UTF8
$date = Get-Date -format "dd-MMM-yyyy"
$CurrentDate=Get-Date
$startdate=$CurrentDate.adddays(-30)
# Steps 2-4: for each computer, take the newest event 1102 of the last 30 days from the Security log and export it
Import-Csv -Path C:\ADcomputerslist.csv |
ForEach-Object {
    Get-EventLog -LogName Security -After $startdate -InstanceId 1102 -ComputerName $_.Name -Newest 1
} |
Export-Csv -Path "C:\Result_Log_objects_$date.csv" -NoTypeInformation

Powershell script not getting all information needed from Office 365 (MsolService)

I am trying to get certain information from our Office 365 but not getting all the information required.
Below is my script I use:
Get-MsolUser -All | select DisplayName, LastPasswordChangeTimeStamp, LastLogonTime, PrimaryEmailAddress | Export-CSV UserList.csv -NoTypeInformation
The information I am getting from the above script is only the display name and last password change. For the LastLogonTime and PrimaryEmailAddress I get nothing.
Is there something I am doing wrong?
Please help.
Thanks
Last logon time can be retrieved from Get-MailboxStatistics but it shows last accessed Exchange mailbox alone. It doesn't track other Office 365 services. You can try below code for your requirement.
$Result=""
$Output=@()
# Get-MsolUser (not Get-Mailbox) has the -All switch and the ProxyAddresses and LastPasswordChangeTimestamp properties used below
Get-MsolUser -All | foreach{
    $UPN=$_.UserPrincipalName
    $DisplayName=$_.DisplayName
    # The primary address is the proxy address carrying the upper-case "SMTP:" prefix
    $PrimaryEmailAddress=$_.ProxyAddresses.where{$_ -clike "SMTP:*"} -creplace "SMTP:"
    $LastPwdChange=$_.LastPasswordChangeTimeStamp
    # Needs an Exchange Online session; this reports mailbox access only
    $LastLogonTime=(Get-MailboxStatistics -Identity $upn).lastlogontime
    $Result= @{'DisplayName'=$DisplayName;'LastLogonTime'=$LastLogonTime;'PrimaryEmailAddress'=$PrimaryEmailAddress;'LastPwdChange'=$LastPwdChange}
    $Output= New-Object PSObject -Property $Result
    $Output | Select-Object DisplayName,LastLogonTime,PrimaryEmailAddress,LastPwdChange | Export-CSV UserList.csv -Notype -Append
}

Powershell script to export windows version and SamAccountName on Windows 10 clients in AD

I hope someone here can help me designing a powershell script to do the following:
Find all Windows 10 clients in AD, and also get either the SamAccountName or the last SamAccountName logged in on the Windows 10 clients when the script is executed.
Export Last login, SamAccountName, OperationSystem and OperationSystemVersion to an Excel document.
I have the following code so far:
Import-Module ActiveDirectory
Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion | Export-CSV C:\AllWindows1.csv -NoTypeInformation -Encoding UTF8
But I need this to fetch the logged in/last login of the SamAccountName also, can anyone help me?
You could try to do something like this:
Import-Module ActiveDirectory
$computers = Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,SamAccountName
Foreach ($computer in $computers)
{
    if ($computer.OperatingSystemVersion -like '10.0*')
    {
        $obj = New-Object psobject
        $obj | Add-Member NoteProperty Name $computer.Name
        $obj | Add-Member NoteProperty 'Operating System' $computer.OperatingSystem
        $obj | Add-Member NoteProperty 'Operating System Version' $computer.OperatingSystemVersion
        $obj | Add-Member NoteProperty 'SAMAccountName' $computer.samaccountname
        $obj | Export-CSV C:\AllWindows1.csv -Append -NoTypeInformation -Encoding UTF8
    }
}
But this is not finding what was the last account login to the Win10 computer.
I was checking the properties for the computer object in AD, and there is no such thing. I believe that you would have to write a pretty complex script in order to determine who was the last person who logged in to the computer.
You cannot do what you want as a computer object does not have an attribute that holds details of the last user that logged.
You would need to either write a logon script that saves the login information to a database/log file or enable auditing for account logon events.
Auditing events will then be saved to the DC security log and can be read using Get-EventLog.

how do i out put from AD or txt

I am trying to run this programme against a list of remote PCs/servers, either by AD or TXT, and display them in either CSV or HTML. If anyone can offer some help or advice I would be greatly appreciative.
My only limitation is all my machines run powershell v2 only
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
Format-Table -AutoSize
You want to take the output of that command and put it in a file? PowerShell has a lot of tools to do this. However, you need to remove the Format-Table command first.
See, Format-Table is all about making your command output look really good in a PowerShell window, so it's got a lot of hard returns and columns and things defined in it which make sense to the console, but look like garbage when you export it.
For data like this, I think Comma Separated Value is probably the way to go.
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
Export-CSV -NoTypeInfo -Path \\server\share\$($env:ComputerName)_Programs.csv
This example will export a CSV, omitting the import-helper info PowerShell normally adds, using the -NoTypeInformation switch. I figured it'd be useful to know the name of the computer which made the file, so that's just what it will do. Edit -Path to point to a server with a share and away you go. You'll end up with files like this:
ComputerA_Programs.Csv
ComputerB_Programs.Csv
ComputerC_Programs.Csv
If you want to pull from all AD computers:
ForEach ($computer in (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name))
{if(!(Test-Connection -Cn $computer -BufferSize 16 -Count 1 -ea 0 -quiet))
{write-host "cannot reach $computer" -f red}
else{
# Run the registry query on the remote machine (needs PowerShell remoting enabled on the target)
Invoke-Command -ComputerName $computer -ScriptBlock {
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* } |
Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
Export-CSV -NoTypeInformation -Path "\\server\share$\${computer}_Programs.csv"}}
Or, if you have a list of computers in a text file:
Foreach ($computer in (Get-Content "c:\Computers.txt"))
{if(!(Test-Connection -cn $computer -BufferSize 16 -Count 1 -ea 0 -quiet))
{write-host "cannot reach $computer" -f red}
else{
# Run the registry query on the remote machine (needs PowerShell remoting enabled on the target)
Invoke-Command -ComputerName $computer -ScriptBlock {
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* } |
Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
# ${computer} delimits the variable name so "_Programs" is not read as part of it
Export-CSV -NoTypeInformation -Path "\\server\share$\${computer}_Programs.csv"
}}

Use PowerShell to filter Event Logs and export to CSV

I have the following command which gives the information I need but I need to filter it a little further:
Get-EventLog -LogName Security -ErrorAction SilentlyContinue | Select TimeWritten, ReplacementStrings | Export-Csv output.csv
This gives many entries such as this:
09/11/2012 08:09:27 {S-1-5-18, SYSTEM, NT AUTHORITY, 0x3e7...}
I want to remove any entry in ReplacementStrings that starts with '{S-1-5' but my attempts to use Where-Object and -notlike fail to make any difference!
The other problem I have is that without the Export-Csv output.csv added it displays on screen fine, but with that it writes to the file like this:
"09/11/2012 09:22:05","System.String[]"
Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
Select TimeWritten, @{name='ReplacementStrings';Expression={ $_.ReplacementStrings -join ';'}} |
where {$_.ReplacementStrings -notmatch '^S-1-5'} | Export-Csv output.csv