Solved

Powershell script to for events for a user

Posted on 2015-01-29
10
87 Views
Last Modified: 2015-01-29
To keep it simple i put a users SID in the UserID field.  I can search by event ID's ETC but not user ID.  What am i doing wrong?

Server 2008 and 2012 domain.

Thanks


$objUser = New-Object System.Security.Principal.NTAccount("$Domain", "$user")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

$DCs = "DC1", 	"DC2", 	"DC3", 	


ForEach($DC in $DCs){


Get-WinEvent -FilterHashTable @{LogName="Security" ;StartTime = (Get-Date).AddDays(-1); UserID="S-1-5-21-1229272821-1220945662-725345543-1508268"   }  -ComputerName $DC | Select Message, TimeCreated |ft -AutoSize


}

Open in new window

0
Comment
Question by:SLPowers
  • 4
  • 3
  • 3
10 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 40577926
The only explanation is that that SID is invalid, or the event info does not contain any or this SID. My Security Log does not contain any SIDs; Application Log does.
0
 
LVL 40

Expert Comment

by:footech
ID: 40577959
I think you're expecting events to have a matching UserID which actually don't.  Often the message contains a field for identity, but this is not the same as the UserID property.  In the Security log, I let a query run for a few minutes and no events with UserId were returned, however, I did find some in the Application log.
0
 

Author Comment

by:SLPowers
ID: 40578001
Thanks

How can i use Get-WinEvent and filter the hash table for user id.  Piping to a "Where" statements takes hours so i cant do that.

Thanks
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 69

Expert Comment

by:Qlemo
ID: 40578024
You mean a user ID contained in the message?
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40578044
Probably the best way to handle this is to set up a task with a trigger on the event IDs to monitor on each server, or just running periodically scanning a small time period's events. Actions can be to send mail or similar.
0
 

Author Comment

by:SLPowers
ID: 40578136
Is there no way to scan a log for a user ID?

This is horrible.
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 40578184
You could modify yours to something like the following.  It will match the SID anywhere in the message property.
$objUser = New-Object System.Security.Principal.NTAccount("$Domain", "$user")
$strSID = ($objUser.Translate([System.Security.Principal.SecurityIdentifier])).Value

$DCs = "DC1", 	"DC2", 	"DC3", 	
ForEach($DC in $DCs){
Get-WinEvent -FilterHashTable @{LogName="Security" ;StartTime = (Get-Date).AddDays(-1); Data=$strSID   }  -ComputerName $DC | Select Message, TimeCreated |ft -AutoSize
}

Open in new window


But really, the question becomes, what are you trying to do?
0
 

Author Comment

by:SLPowers
ID: 40578363
Search through our DC's for a given user for log on and log off attempts.
0
 

Author Closing Comment

by:SLPowers
ID: 40578388
That worked!!

Thanks!
0
 
LVL 40

Expert Comment

by:footech
ID: 40578534
You're probably going to want to include the IDs in the fitler hashtable then, or you'll likely get extraneous events.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question