Solved

VBScript to search AD Security Logs

Posted on 2011-02-28
1,426 Views
Last Modified: 2012-05-11
Hello Team,

I need the following help from you:

1)  VB Script which will read a .txt file (which has a list of User IDs) and search the AD Security logs for any modification (like group changes, password changes) and who has done that, outputting to a CSV file.
2)  Free tool which can perform the activity as mentioned in point 1 for my future reference.  As in the current organization I cannot run any 3rd party tool unless it is authorized, I need a VB Script.  Free tool so that I can ask my testing team to test and authorise (this may take some time and hence VB Script is preferred).

Let me know if you need any more information.

Many Thanks
Praveen
Question by:praveendusi
27 Comments
 
LVL 13

Expert Comment

by:Felix Leven
ID: 34995203
powershell not an option ?
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 34995776
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 34995979
Can you give more specific information as to what all needs to be monitored

The following contains a list security events

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
0
 

Author Comment

by:praveendusi
ID: 34996180
Hi Mr Grave,

Thank you for your response.

For PowerShell I think we need to install PowerShell?  Correct me if I am wrong.

If that isn't required then it's OK.

I needed in VB so that I can modify it later if I need to and I am not much aware of Powershell Programming.

Hope this information helps.

Many Thanks
Praveen
0
 

Author Comment

by:praveendusi
ID: 34996190
Prashanth,

Thank you for your response.

I have to check based on the user, if there was any modification done to his account such as:

1)  If he was removed from any group
2)  Added to any groups.
3)  Has he been moved to different OU

Hope this information helps.

Many Thanks
Praveen
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35003895
Hi, you'll need to know exactly which event IDs you want to extract, but grab PSLogList.exe from Microsoft:
http://technet.microsoft.com/en-us/sysinternals/bb897544

and then run this:
psloglist -s -i 1,1000 application > events.csv

where 1,1000 is a comma separated list of ID (up to 10 only), and application is the event log you want to read from.

Then open events.csv and see if it has data you need.  We can probably further filter that information if you need to.

Regards,

Rob.
0
 

Author Comment

by:praveendusi
ID: 35003977
Hi Rob,

Thank you for your suggestion.

I will check your solution today when I am in Office and update you accordingly.

Many Thanks
Praveen
0
 

Author Comment

by:praveendusi
ID: 35004006
Rob

Another question... I want to read Security Log on AD server and check if a user account was modified and who has done that.

I think I saw a Microsoft Article, not able to find the link again... where it showed the list of Event ID for this.  

I think as per the list I am looking for event ID 637 and 661

Many Thanks
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35004058
To search another computer, you can use
psloglist \\adserver -s -i 637,661 -u DOMAIN\Administrator -p AdminPassword system > events.csv

Regards,

Rob.
0
 

Author Comment

by:praveendusi
ID: 35004089
Hi Rob,

Thank you for your help.  Will try this afternoon (IST) and get back to you.

Many Thanks
Praveen
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 35005619
Hi Rob..cool tool

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35013683
It turns out that probably isn't going to work with PSLogList, unless you want to filter by yourself.  If you use WMI, you can filter by username.  I wrote this to read the log files.  You can configure the lines below:

strComputer = "D09790RING"
strStartDate = "01-Jan-2000"
strEndDate = "03-Jan-2011"
strEventIDs = "1,1000"
strOutput = "Events.csv"

I haven't included the username filter just yet, but we can add that in if the above works.

Regards,

Rob.
strComputer = "REMOTEPC"
strStartDate = "01-Jan-2000"
strEndDate = "03-Jan-2011"
strEventIDs = "1,1000"
strOutput = "Events.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile(strOutput, True)
objOutput.WriteLine """Computer"",""LogFile"",""Date"",""Time"",""EventType"",""User"",""Source"",""Category"",""EventCode"",""Message"""
Const adVarChar = 200
Const adBigInt = 20
Const MaxCharacters = 255
	
Set DataList = CreateObject("ADOR.Recordset")
DataList.Fields.Append "Computer", adVarChar, MaxCharacters
DataList.Fields.Append "LogFile", adVarChar, MaxCharacters
DataList.Fields.Append "Date", adVarChar, MaxCharacters
DataList.Fields.Append "Time", adVarChar, MaxCharacters
DataList.Fields.Append "EventType", adVarChar, MaxCharacters
DataList.Fields.Append "User", adVarChar, MaxCharacters
DataList.Fields.Append "Source", adVarChar, MaxCharacters
DataList.Fields.Append "Category", adVarChar, MaxCharacters
DataList.Fields.Append "EventCode", adBigInt
DataList.Fields.Append "Message", adVarChar, MaxCharacters
DataList.Open

Check_Event_Logs

If Not DataList.BOF Then DataList.MoveFirst
While Not DataList.EOF
	objOutput.WriteLine """" & DataList("Computer") & """," & _
		"""" & DataList("LogFile") & """," & _
		"""" & DataList("Date") & """," & _
		"""" & DataList("Time") & """," & _
		"""" & DataList("EventType") & """," & _
		"""" & DataList("User") & """," & _
		"""" & DataList("Source") & """," & _
		"""" & DataList("Category") & """," & _
		"""" & DataList("EventCode") & """," & _
		"""" & DataList("Message") & """"
	DataList.MoveNext
Wend

objOutput.Close

MsgBox "Done. Please see " & strOutput

Sub Check_Event_Logs

	Const wbemFlagReturnImmediately = &h10
	Const wbemFlagForwardOnly = &h20
	Const WMITimeOutInSeconds = 10
	
	Const CONVERT_TO_LOCAL_TIME = True
	Set strDateFrom = CreateObject("WbemScripting.SWbemDateTime")
	Set strDateTo = CreateObject("WbemScripting.SWbemDateTime")
	strDateFrom.SetVarDate CDate(strStartDate), CONVERT_TO_LOCAL_TIME
	strDateTo.SetVarDate CDate(strEndDate), CONVERT_TO_LOCAL_TIME

	strServerLog = ""
	
	strEventIDFilter = ""
	If strEventIDs <> "" Then
		If InStr(strEventIDs, ",") > 0 Then
			For Each strEventID In Split(strEventIDS, ",")
				If strEventIDFilter = "" Then
					strEventIDFilter = " AND (EventCode=" & strEventID
				Else
					strEventIDFilter = strEventIDFilter & " OR EventCode=" & strEventID
				End If
			Next
			strEventIDFilter = strEventIDFilter & ")"
		Else
			strEventIDFilter = " AND EventCode=" & strEventIDs
		End If
	End If

	If Ping(strComputer) = True Then
		strReturn = TestWMIConnection(strComputer, WMITimeOutInSeconds)
		If strReturn = "success" Then
			strLogName = "Application"
			Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
			' Event Types: 1 = Error ; 2 = Warning ; 3 = Information ; 4 = Security audit success ; 5 = Security audit failure 
			strQuery = "SELECT * FROM Win32_NTLogEvent WHERE LogFile = '" & strLogName & "'" & _
				" AND (TimeWritten >= '" & strDateFrom & "' AND TimeWritten <= '" & strDateTo & "')" & strEventIDFilter
			strQuery = "SELECT * FROM Win32_NTLogEvent WHERE LogFile = '" & strLogName & "'" & strEventIDFilter
			
			Set colLoggedEvents = objWMI.ExecQuery(strQuery, "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

			For Each objEvent in colLoggedEvents
				strDate = Left(objEvent.TimeWritten,8)
				strDate = Right(strDate, 2) & "-" & Mid(strDate, 5, 2) & "-" & Left(strDate, 4)
				dteDate = CDate(strDate)
				strTime = Mid(objEvent.TimeWritten, 9, 6)
				strTime = Left(strTime, 2) & ":" & Mid(strTime, 3, 2) & ":" & Right(strTime, 2)
				dteTime = CDate(strTime)

				strEventType = objEvent.EventType
				Select Case strEventType
					Case 1
						strEventType = "Error"
					Case 2
						strEventType = "Warning"
					Case 3
						strEventType = "Information"
					Case 4
						strEventType = "Audit Success"
					Case 5
						strEventType = "Audit Failure"
					Case Else
						strEventType = "CODE " & objEvent.EventType & " = " & objEvent.Type
				End Select

				strUser = objEvent.User
				If strUser = "" Or IsNull(strUser) Then strUser = "N/A"
				If IsNull(objEvent.CategoryString) Then
					strCategory = "None"
				Else
					strCategory = objEvent.CategoryString
				End If

				If InStr(objEvent.Message, "^|^") > 0 Then
					MsgBox "There is an extra pipe character (^|^) in the event log." & vbCrLf & objEvent.Message
				ElseIf InStr(objEvent.Message, "^;^") > 0 Then
					MsgBox "There is an extra semi-colon character (^;^) in the event log." & vbCrLf & objEvent.Message
				Else
					DataList.AddNew
					DataList("Computer") = strComputer
					DataList("LogFile") = objEvent.LogFile
					DataList("Date") = dteDate
					DataList("Time") = dteTime
					DataList("EventType") = strEventType
					DataList("User") = strUser
					DataList("Source") = objEvent.SourceName
					DataList("Category") = strCategory
					DataList("EventCode") = objEvent.EventCode
					If IsNull(objEvent.Message) Then
						DataList("Message") = "N/A"
					Else
						DataList("Message") = Left(objEvent.Message, 255)
					End If
					DataList.Update
				End If
			Next
		ElseIf strReturn = "failed" Then
			MsgBox "WMI Connection Failed to " & strComputer & "." & vbCrLf & "Error Number: " & _
				Err.Number & vbCrLf & "Error Description: " & Err.Description, vbOKOnly, "WMI Error"
		Else
			MsgBox "WMI Time Out reached to " & strComputer & ".", vbOKOnly, "WMI Error"
		End If
	Else
		MsgBox strComputer & " is offline.", vbOkOnly, "Computer Offline"
	End If

End Sub

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

Function TestWMIConnection(strComputer, intTimeOutInSeconds)
   ' Function written by Rob Sampson - 12 Jan 2011
   ' Experts-Exchange volunteer: http://www.experts-exchange.com/M_3820065.html
   ' Return strings from this function are in lower case, and consist of:
   ' "success": WMI Connection successful
   ' "failed": WMI Connection failed
   ' "time out": WMI Connection attempt timed out

   Set objFSO = CreateObject("Scripting.FileSystemObject")
   strTempScript = Replace(WScript.ScriptFullName, WScript.ScriptName, "") & "TempWMITestToBeDeleted.vbs"

   Set objTempFile = objFSO.CreateTextFile(strTempScript, True)
   objTempFile.WriteLine "On Error Resume Next"
   objTempFile.WriteLine "Set objWMIService = GetObject(""winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"")"
   objTempFile.WriteLine "If Err.Number = 0 Then"
   objTempFile.WriteLine vbTab & "WScript.StdOut.Write ""success"""
   objTempFile.WriteLine "Else"
   objTempFile.WriteLine vbTab & "WScript.StdOut.Write ""failed"""
   objTempFile.WriteLine "End If"
   objTempFile.Close

   Set objShell = CreateObject("WScript.Shell")
   Set objExec = objShell.Exec("wscript " & objFSO.GetFile(strTempScript).ShortPath)
   intSeconds = 0
   While objExec.Status = 0 And intSeconds <= intTimeOutInSeconds
      WScript.Sleep 1000
      intSeconds = intSeconds + 1
   Wend
   If objExec.Status = 1 Then
      strReturn = objExec.StdOut.ReadAll
   Else
      On Error Resume Next
      objExec.Terminate
      Err.Clear
      On Error GoTo 0
      strReturn = "time out"
   End If
   objFSO.DeleteFile strTempScript, True

   TestWMIConnection = LCase(strReturn)
End Function

0
 

Author Comment

by:praveendusi
ID: 35013914
Hi Rob,

Thanks for the tool.  I did try the tool but yes once I get the output from the tool, then I need to further filter myself for the event I needed.

At a glance the above script is what I'm looking for.  Will try it today and update you again.  A username filter will be good, but I will try the above script first and update you.

Many Thanks
Praveen
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35015645
Oh, move this line:
                  strLogName = "Application"

to under this:
strEndDate = "03-Jan-2011"

and change it to the log name that you need to search.

Regards,

Rob.
0
 

Author Comment

by:praveendusi
ID: 35019815
Hi Rob,

Thanks for the correction.

Unfortunately we have a major outage in Citrix today so couldn't test the application.  Will test this tomorrow and update you.

Many Thanks
Praveen
0
 

Author Comment

by:praveendusi
ID: 35033893
Hi Rob,

Apologies for the delayed response.

I have tested this today and the following are the results:

1)  I forgot to mention earlier that I have some Win2K Domain Controllers as well.  It looks like the script will not work for Win2K.
2)  I have run on one of the Win2K3 Domain controller and the script only works for "Application" Eventlog.  If I run this against System or Security it doesn't work.  It created the Events.csv with headings and it doesn't capture anything.
3)  Though we mention the Start Date and End date, I think it gives the event on its own date.  Ex: I have given Start Date as 01-Jan-2011 and End Date as 03/03/2011, but it show the events of 2010 year as well.

Not sure I am missing anything.

I have made the changes as informed.

Praveen
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35047887
I'll have to do some more testing tomorrow. I won't be in the office today.  I'll check the date issues too.

Regards,

Rob.
0
 

Author Comment

by:praveendusi
ID: 35052654
Thanks Rob
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 35064836
Hi, in answer to your questions:
1) The minimum supported client for Win32_NTLogEvent is Windows 2000 and Windows 2000 Server, so it should work.
2) I have adjusted the WMI moniker from
                  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
to
                  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate, (Backup, Security)}!\\" & strComputer & "\root\cimv2")
to add backup and security privileges to the WMI connection. This should help with accessing the Security and possibly System logs.
3) I had left in a test query that didn't take the dates into account. It should work now.

I have also added intDaysToGet so that it gets only 30 days worth of events back from today.

Regards,

Rob.
strComputer = "REMOTEPC"
intDaysToGet = 30
strStartDate = Right("0" & Day(DateAdd("d", intDaysToGet * -1, Date)), 2) & "-" & MonthName(Month(DateAdd("d", intDaysToGet * -1, Date)), True) & "-" & Year(DateAdd("d", intDaysToGet * -1, Date))
'strStartDate = "01-Jan-2011"
strEndDate = Right("0" & Day(Date), 2) & "-" & MonthName(Month(Date), True) & "-" & Year(Date)
'strEndDate = "08-Feb-2011"
strLogName = "Application"
strEventIDs = "1,1000"
strOutput = "Events.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile(strOutput, True)
objOutput.WriteLine """Computer"",""LogFile"",""Date"",""Time"",""EventType"",""User"",""Source"",""Category"",""EventCode"",""Message"""
Const adVarChar = 200
Const adBigInt = 20
Const MaxCharacters = 255
	
Set DataList = CreateObject("ADOR.Recordset")
DataList.Fields.Append "Computer", adVarChar, MaxCharacters
DataList.Fields.Append "LogFile", adVarChar, MaxCharacters
DataList.Fields.Append "Date", adVarChar, MaxCharacters
DataList.Fields.Append "Time", adVarChar, MaxCharacters
DataList.Fields.Append "EventType", adVarChar, MaxCharacters
DataList.Fields.Append "User", adVarChar, MaxCharacters
DataList.Fields.Append "Source", adVarChar, MaxCharacters
DataList.Fields.Append "Category", adVarChar, MaxCharacters
DataList.Fields.Append "EventCode", adBigInt
DataList.Fields.Append "Message", adVarChar, MaxCharacters
DataList.Open

Check_Event_Logs

If Not DataList.BOF Then DataList.MoveFirst
While Not DataList.EOF
	objOutput.WriteLine """" & DataList("Computer") & """," & _
		"""" & DataList("LogFile") & """," & _
		"""" & DataList("Date") & """," & _
		"""" & DataList("Time") & """," & _
		"""" & DataList("EventType") & """," & _
		"""" & DataList("User") & """," & _
		"""" & DataList("Source") & """," & _
		"""" & DataList("Category") & """," & _
		"""" & DataList("EventCode") & """," & _
		"""" & DataList("Message") & """"
	DataList.MoveNext
Wend

objOutput.Close

MsgBox "Done. Please see " & strOutput

Sub Check_Event_Logs

	Const wbemFlagReturnImmediately = &h10
	Const wbemFlagForwardOnly = &h20
	Const WMITimeOutInSeconds = 10
	
	Const CONVERT_TO_LOCAL_TIME = True
	Set strDateFrom = CreateObject("WbemScripting.SWbemDateTime")
	Set strDateTo = CreateObject("WbemScripting.SWbemDateTime")
	strDateFrom.SetVarDate CDate(strStartDate), CONVERT_TO_LOCAL_TIME
	strDateTo.SetVarDate CDate(strEndDate), CONVERT_TO_LOCAL_TIME

	strServerLog = ""
	
	strEventIDFilter = ""
	If strEventIDs <> "" Then
		If InStr(strEventIDs, ",") > 0 Then
			For Each strEventID In Split(strEventIDS, ",")
				If strEventIDFilter = "" Then
					strEventIDFilter = " AND (EventCode=" & strEventID
				Else
					strEventIDFilter = strEventIDFilter & " OR EventCode=" & strEventID
				End If
			Next
			strEventIDFilter = strEventIDFilter & ")"
		Else
			strEventIDFilter = " AND EventCode=" & strEventIDs
		End If
	End If

	If Ping(strComputer) = True Then
		strReturn = TestWMIConnection(strComputer, WMITimeOutInSeconds)
		If strReturn = "success" Then
			Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate, (Backup, Security)}!\\" & strComputer & "\root\cimv2")
			' Event Types: 1 = Error ; 2 = Warning ; 3 = Information ; 4 = Security audit success ; 5 = Security audit failure 
			strQuery = "SELECT * FROM Win32_NTLogEvent WHERE LogFile = '" & strLogName & "'" & _
				" AND (TimeWritten >= '" & strDateFrom & "' AND TimeWritten <= '" & strDateTo & "')" & strEventIDFilter
			' strQuery = "SELECT * FROM Win32_NTLogEvent WHERE LogFile = '" & strLogName & "'" & strEventIDFilter
			'MsgBox strQuery
			
			Set colLoggedEvents = objWMI.ExecQuery(strQuery, "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

			For Each objEvent In colLoggedEvents
				strDate = Left(objEvent.TimeWritten,8)
				strDate = Right(strDate, 2) & "-" & Mid(strDate, 5, 2) & "-" & Left(strDate, 4)
				dteDate = CDate(strDate)
				strTime = Mid(objEvent.TimeWritten, 9, 6)
				strTime = Left(strTime, 2) & ":" & Mid(strTime, 3, 2) & ":" & Right(strTime, 2)
				dteTime = CDate(strTime)

				strEventType = objEvent.EventType
				Select Case strEventType
					Case 1
						strEventType = "Error"
					Case 2
						strEventType = "Warning"
					Case 3
						strEventType = "Information"
					Case 4
						strEventType = "Audit Success"
					Case 5
						strEventType = "Audit Failure"
					Case Else
						strEventType = "CODE " & objEvent.EventType & " = " & objEvent.Type
				End Select

				strUser = objEvent.User
				If strUser = "" Or IsNull(strUser) Then strUser = "N/A"
				If IsNull(objEvent.CategoryString) Then
					strCategory = "None"
				Else
					strCategory = objEvent.CategoryString
				End If

				If InStr(objEvent.Message, "^|^") > 0 Then
					MsgBox "There is an extra pipe character (^|^) in the event log." & vbCrLf & objEvent.Message
				ElseIf InStr(objEvent.Message, "^;^") > 0 Then
					MsgBox "There is an extra semi-colon character (^;^) in the event log." & vbCrLf & objEvent.Message
				Else
					DataList.AddNew
					DataList("Computer") = strComputer
					DataList("LogFile") = objEvent.LogFile
					DataList("Date") = dteDate
					DataList("Time") = dteTime
					DataList("EventType") = strEventType
					DataList("User") = strUser
					DataList("Source") = objEvent.SourceName
					DataList("Category") = strCategory
					DataList("EventCode") = objEvent.EventCode
					If IsNull(objEvent.Message) Then
						DataList("Message") = "N/A"
					Else
						DataList("Message") = Left(objEvent.Message, 255)
					End If
					DataList.Update
				End If
			Next
		ElseIf strReturn = "failed" Then
			MsgBox "WMI Connection Failed to " & strComputer & "." & vbCrLf & "Error Number: " & _
				Err.Number & vbCrLf & "Error Description: " & Err.Description, vbOKOnly, "WMI Error"
		Else
			MsgBox "WMI Time Out reached to " & strComputer & ".", vbOKOnly, "WMI Error"
		End If
	Else
		MsgBox strComputer & " is offline.", vbOkOnly, "Computer Offline"
	End If

End Sub

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

Function TestWMIConnection(strComputer, intTimeOutInSeconds)
   ' Function written by Rob Sampson - 12 Jan 2011
   ' Experts-Exchange volunteer: http://www.experts-exchange.com/M_3820065.html
   ' Return strings from this function are in lower case, and consist of:
   ' "success": WMI Connection successful
   ' "failed": WMI Connection failed
   ' "time out": WMI Connection attempt timed out

   Set objFSO = CreateObject("Scripting.FileSystemObject")
   strTempScript = Replace(WScript.ScriptFullName, WScript.ScriptName, "") & "TempWMITestToBeDeleted.vbs"

   Set objTempFile = objFSO.CreateTextFile(strTempScript, True)
   objTempFile.WriteLine "On Error Resume Next"
   objTempFile.WriteLine "Set objWMIService = GetObject(""winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"")"
   objTempFile.WriteLine "If Err.Number = 0 Then"
   objTempFile.WriteLine vbTab & "WScript.StdOut.Write ""success"""
   objTempFile.WriteLine "Else"
   objTempFile.WriteLine vbTab & "WScript.StdOut.Write ""failed"""
   objTempFile.WriteLine "End If"
   objTempFile.Close

   Set objShell = CreateObject("WScript.Shell")
   Set objExec = objShell.Exec("wscript " & objFSO.GetFile(strTempScript).ShortPath)
   intSeconds = 0
   While objExec.Status = 0 And intSeconds <= intTimeOutInSeconds
      WScript.Sleep 1000
      intSeconds = intSeconds + 1
   Wend
   If objExec.Status = 1 Then
      strReturn = objExec.StdOut.ReadAll
   Else
      On Error Resume Next
      objExec.Terminate
      Err.Clear
      On Error GoTo 0
      strReturn = "time out"
   End If
   objFSO.DeleteFile strTempScript, True

   TestWMIConnection = LCase(strReturn)
End Function

0
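The same filtering logic as an added example, not Rob's code or part of the thread, written in Python so it runs without WMI: it builds the WQL query that the accepted script's Check_Event_Logs constructs (log name, date window, EventCode list), slices TimeWritten the same way, and adds the per-user filter from the original question (the .txt list of user IDs) that the thread never got to. The sample events, user list and message wording are constructed for illustration.

```python
"""Added example, not part of the original thread: the WQL filter that
Check_Event_Logs builds, the TimeWritten slicing it performs, and the
user-ID filter from the original question, in Python so it runs without
WMI. Event records and the user list below are constructed, not real."""
import csv
import io
from datetime import datetime

def to_dmtf(dt, utc_offset_minutes=0):
    """Render a datetime the way SWbemDateTime does (DMTF CIM_DATETIME)."""
    sign = "+" if utc_offset_minutes >= 0 else "-"
    return "%s.000000%s%03d" % (dt.strftime("%Y%m%d%H%M%S"), sign,
                                abs(utc_offset_minutes))

def build_wql(log_name, start, end, event_ids):
    """Same shape as the script: log name, date window, (id OR id ...).
    The end date is midnight, so events later that day are excluded."""
    query = ("SELECT * FROM Win32_NTLogEvent WHERE LogFile = '%s'"
             " AND (TimeWritten >= '%s' AND TimeWritten <= '%s')"
             % (log_name, to_dmtf(start), to_dmtf(end)))
    ids = [str(int(i)) for i in event_ids]  # int() rejects non-numeric input
    if ids:
        query += " AND (" + " OR ".join("EventCode=" + i for i in ids) + ")"
    return query

def split_time_written(dmtf):
    """The script's Left/Mid/Right slicing: dd-mm-yyyy and HH:MM:SS."""
    d, t = dmtf[:8], dmtf[8:14]
    return d[6:8] + "-" + d[4:6] + "-" + d[0:4], t[:2] + ":" + t[2:4] + ":" + t[4:6]

def filter_events(events, log_name, start, end, event_ids, user_ids):
    """Apply the WQL conditions locally (all stamps assumed in one zone),
    then keep only events whose message names a user from the .txt list."""
    lo, hi = to_dmtf(start)[:14], to_dmtf(end)[:14]
    wanted = {int(i) for i in event_ids}
    targets = sorted({u.strip().lower() for u in user_ids if u.strip()})
    rows = []
    for ev in events:
        if ev["LogFile"] != log_name or not lo <= ev["TimeWritten"][:14] <= hi:
            continue
        if wanted and ev["EventCode"] not in wanted:
            continue
        message = ev.get("Message") or "N/A"
        hit = [u for u in targets if u in message.lower()]
        if hit:
            day, clock = split_time_written(ev["TimeWritten"])
            rows.append([ev["LogFile"], day, clock, ev["EventCode"],
                         ev.get("User") or "N/A", ";".join(hit), message[:255]])
    return rows

def write_csv(rows):
    """Quote every field, as the script's WriteLine does."""
    buf = io.StringIO()
    out = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    out.writerow(["LogFile", "Date", "Time", "EventCode", "User", "Matched", "Message"])
    out.writerows(rows)
    return buf.getvalue()

# Constructed sample records shaped like Win32_NTLogEvent (not real log data).
SAMPLE_EVENTS = [
    {"LogFile": "Security", "TimeWritten": "20110215093000.000000+330",
     "EventCode": 637, "User": "NT AUTHORITY\\SYSTEM",
     "Message": "Group member removed. Member: jsmith. Caller: admin01"},
    {"LogFile": "Security", "TimeWritten": "20101230120000.000000+330",
     "EventCode": 637, "User": None, "Message": "Member: jsmith (too old)"},
    {"LogFile": "Application", "TimeWritten": "20110216080000.000000+330",
     "EventCode": 1000, "User": None, "Message": "App fault, user jsmith"},
    {"LogFile": "Security", "TimeWritten": "20110220150000.000000+330",
     "EventCode": 661, "User": None, "Message": "Member: bob.lee (not in list)"},
]
USER_LIST = ["jsmith", "", "adoe"]  # as read from the .txt file, one ID per line
```

Running filter_events over SAMPLE_EVENTS with the Security log, a 01-Jan-2011 to 03-Mar-2011 window and IDs 637,661 keeps only the first record; the others fall out on date, log name or user list respectively.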
 

Author Comment

by:praveendusi
ID: 35065842
Thanks for the updated script Rob.  Will test it when I am in office this afternoon (IST).

Praveen
0
 

Author Comment

by:praveendusi
ID: 35077247
Hi Rob,

I ran the script on the Windows 2003 domain controller, but Security logs were not extracted.  The Application log was getting extracted.  Not sure if I am running it the right way.  What I was doing was, I replaced "strLogName = Application" with "strLogName = Security" and then ran the script.

Is this the right way to run the script?

Also can you look at the below question as well:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26870904.html

Many Thanks
Praveen
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35077274
Security logs work for me, but I'm a domain admin.  Can you try running the script with a user account that will have admin rights to the server?

Rob.
0
 

Author Comment

by:praveendusi
ID: 35077311
Hi Rob,

I have run the script with a team member who has domain admin rights.  I will try to run the script against the domain which is Win2K and update you with the results.  I am a Domain Admin for Win2K.

Meanwhile can you look at this question as well.  Need help in script modification:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26870904.html

Praveen
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35195904
That's a shame...it worked for me, so I can't say why it failed for you.

Rob.
0
 

Author Comment

by:praveendusi
ID: 35201412
Please cancel my request and award the full points to Rob.  His help was really appreciated.
0
 

Author Closing Comment

by:praveendusi
ID: 35201432
No worries Rob.  Thank you for the help.  The script was useful anyway and would help others for their purpose.

Not sure if it was because of some environment issue or something else that the script did not work.

Will keep the script in my knowledge base for my future reference.

Your help was much appreciated and I am looking forward to your help in my future posts as I might require help with scripts.

Many Thanks
Praveen
0
