Need help building a powershell script that will provide me information from EventViewer for each computer.
This command provide me the full list of my computers in AD
Get-ADComputer -SearchBase ‘DC=test,DC=test’ -Filter * | Select-Object Name
And this command provide me the specific Security ID that i'm searching for(for example 4688).
(Get-ADComputer -SearchBase ‘DC=test,DC=test’ -Filter *).Name | Get-EventLog -LogName Security -InstanceId 4688
Now i need to build a script of those commands, first i'm getting all the hosts from my AD, then i need to search each computer and get a list with all the computers(names) that there is a Security ID (for example 4688), and export it.Please help, Thanks.
Done.
Script that will do the following steps:
1. Export all Domain computers name to the file called "ADcomputerlist.csv"
2. Import this file "ADcomputerlist.csv"
3. Search in each computer name for the past 30 days for the Security Log, InstanceID 1102.
4. Export the result to the file Result_Log_objects.csv with a specific date when file created.
4.1. Inside the file "Result_Log_objects.csv" i will find:
Name of the computers that this LogEvent exist
By who this action were taken ( for example Log Clearing )
And when this action were taken.
Get-ADComputer -Filter * -Property * | Select-Object Name | Export-CSV C:\ADcomputerslist.csv -NoTypeInformation -Encoding UTF8
$date = Get-Date -format "dd-MMM-yyyy"
$CurrentDate=Get-Date
$startdate=$CurrentDate.adddays(-30)
$Computers = Import-Csv -Path C:\ADcomputerslist.csv |
ForEach-Object {
Get-EventLog -LogName Security -After $startdate -InstanceId 1102 -ComputerName $_.Name -Newest 1
} |
Export-Csv -Path C:\Result_Log_objects_$date.csv -NoTypeInformation
Related
I am creating a script to get user logins on the server.I do it through powershell and the event viewer.
The problem is that the script returns the users and other "users" of the system and I only need the real users.
______
User
______
AR01
system
dvm-01
system
AR01
AR04
AR15
system
I thought about creating a condition so that it only selects users that start with AR, but I don't know how to do it.
Any ideas?
Thanks!
Get-WinEvent -Computer MyServerName -FilterHashtable #{Logname='Security';ID=4624} -MaxEvents 2000|
select #{N='User';E={$_.Properties[5].Value}}, TimeCreated | export-csv -Path C:\Users\AR001\Desktop\filename.csv -NoTypeInformation
You can simply use a Where-Object once you have extracted your data from the message.
Just add this:
Where-Object -Property User -Match -Value "AR"
before you try to export to the CSV.
Try this complete command:
Get-WinEvent -Computer MyServerName -FilterHashtable #{Logname='Security';ID=4624} -MaxEvents 2000 | Where-Object -Property User -Match -Value "AR"
select #{N='User';E={$_.Properties[5].Value}}, TimeCreated | export-csv -Path C:\Users\AR001\Desktop\filename.csv -NoTypeInformation
I have a Powershell script to find specific servers and their corresponding service accounts. If I modify the script to use a single server and a single service account, the results are what I expect. If I loop thru the servers and accounts, I receive the following error:
#################################################################
# Find Service Account(s) used to start Services on a Server(s) #
#################################################################
$accounts = (Get-Content C:\Users\location\Scripts\Service_Accounts.txt)
Remove-Item -path C:\Users\location\Scripts\ServiceAccountFnd.txt -force -erroraction silentlycontinue
Import-Module ActiveDirectory # Imports the Active Directory PowerShell module #
## Retrieves servers in the domain based on the search criteria ##
$servers=Get-ADComputer -Filter {Name -Like "namehere*"} -property *
## For Each Server, find the services running under the user specified in $account ##
ForEach ($server in $servers) {
Write-Host $server
ForEach ($account in $accounts) {
Write-Host $account
Get-WmiObject Win32_Service -ComputerName $server | Where-Object {$_.StartName -like "*$account*"} | Format-Table -HideTableHeaders -property #{n='ServerName';e={$_.__SERVER}}, StartName, Name -AutoSize | Out-File -FilePath C:\Users\location\Scripts\ServiceAccountFnd.txt -append -Width 150
}
}
Your $server variable does not only contain the hostname, but also all attributes of the AD computer object.
Try to change the ComputerName value to $server.name.
If that doesn't help: Can you confirm, that you used the very same computer in the loop as without the loop, as you described? I'd assume that you try to access another computer, which is not configured as expected.
Besided that, I'd recommend you to use Get-CimInstance rather than Get-WmiObject, as it doesn't use RPC, but WinRM by default. WinRM is more firewall friendly, secure and faster.
I have a script that creates a csv file that tells me users who haven't logged in in 90 days. It needs to include the Manager for that user but when pulling in the manager from Active Directory, I"m getting the full DN for that manager rather than just the Display Name. Here's my script...
import-module activedirectory
get-aduser -filter * -searchscope subtree -searchbase "ou=user departments ou,dc=acr,dc=org" -properties DisplayName,manager,lastlogontimestamp |
? {(((Get-date) - ([datetime]::FromFileTime($_.lastlogontimestamp))).TotalDays -gt 90)} |
select DisplayName,samaccountname,manager,Userprincipalname,#{Exp={([datetime]::FromFileTime($_.lastlogontimestamp))};label="Last logon time stamp"} |
export-csv "c:\scripts\reston_sharepoint_users_120_days.csv" -NoTypeInformation -Delimiter ","
Any suggestions? The rest of the script works perfectly. Thanks.
Getting an ambiguous identity error. I can search successfully to return the group that a user account is a member of, but when I try to search for the groups that a computer account is a member of there is the ambiguous identity error. I tried to use a -type or -identity switch, but either I did not have the syntax correct or it was just not applicable.
Where my targeted computer account is called SNA00760856, I have been working on using...
Get-QADGroup -Containsindirectmember SNA00760856
Any massaging that I can do to the command to get the groups that the computer SNA00760856 is a member of? Dropping in a user account in place of the computer account works like a charm.
I have also tried to qualify the computer name with the domain info.
Ie SNA00760856.mydivision.mydomain.com or mydivision\SNA00760856
Also tried to collect the membership of the computer using which I know is wrong after a closer reading of the switch info....
Get-QADobject -IndirectMemberOf SNA00760856
Results in ambiguous identity as well.
You can get the group memberships of a computer in AD through the ActiveDirectory module with Get-ADPrincipalGroupMembership. You'll need to search via the computers DistinguishedName, which can be achieved by leveraging Get-ADComputer:
Get-ADPrincipalGroupMembership (Get-ADComputer SNA00760856).DistinguishedName
That'll return all of the group objects SNA00760856 is a member of.
If you want to clean up the output, use this
Get-ADPrincipalGroupMembership (Get-ADComputer ComputerName) | select-object name
If you export to a list use
Get-AdPrincipalGroupMembership ( Get-ADComputer XXXXXXX ) | Out-File C:\XXX\XXX
I used something to pull down the AD Computer information and the Computer membership into one Text file.
This is using $Env:computerName to get the name of computer script is run on. If you want to select a different computer, change out the variable $HostName = to a computer name of your choice. Example $HostName = "Janes-Laptop01" .
The computer you run this script on must have the Active Directory module installed for this to work.
Import-module -Name ActiveDirectory
$HostName = $Env:computerName
$path = "c:\temp\Computer_AD_Membership_Info_$($HostName)_$(get-date -f yyyyMMdd-hhmm).txt"
Echo "`r`n ******* Computer OU Information. ******* `r`n" | Out-File -FilePath $path -Encoding utf8 -Force ;
Get-AdComputer -Identity $($HostName) -Properties * | Out-File -FilePath $path -Encoding utf8 -Append -Force ;
Echo "`r`n ******* AD Groups Computer Member of. ******* `r`n" | Out-File -FilePath $path -Encoding utf8 -Append -Force ;
Get-ADPrincipalGroupMembership (Get-ADComputer $($HostName)).DistinguishedName | Out-File -FilePath $path -Encoding utf8 -Append -Force ;
I have the following command which gives the information I need but I need to filter it a little further:
Get-EventLog -LogName Security -ErrorAction SilentlyContinue | Select TimeWritten, ReplacementStrings | Export-Csv output.csv
This give many entries such as this:
09/11/2012 08:09:27 {S-1-5-18, SYSTEM, NT AUTHORITY, 0x3e7...}
I want to remove any entry in ReplacementStrings that starts with '{S-1-5' but my attempts to use Where-Object and -notlike fail to make any difference!
The other problem I have is that without the Export-Csv output.csv added it displays on screen fine, but with that it writes to the file like this:
"09/11/2012 09:22:05","System.String[]"
Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
Select TimeWritten, #{name='ReplacementStrings';Expression={ $_.ReplacementStrings -join ';'}} |
where {$_.ReplacementStrings -notmatch '^S-1-5'} | Export-Csv output.csv