SLPowers asked:
PowerShell script to search events for a user

To keep it simple I put a user's SID in the UserID field. I can search by event IDs etc. but not by user ID. What am I doing wrong?

Server 2008 and 2012 domain.

Thanks


# $Domain and $user are not set in the posted snippet; placeholder values so it runs
$Domain = "CONTOSO"
$user   = "jsmith"

# Resolve the account name to its SID
$objUser = New-Object System.Security.Principal.NTAccount($Domain, $user)
$strSID  = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

# No trailing comma: a dangling "," at the end of the list is a parse error
$DCs = "DC1", "DC2", "DC3"

ForEach ($DC in $DCs) {
    # UserID matches the SID in the event's System section, not the account named in the message
    Get-WinEvent -FilterHashTable @{LogName = "Security"; StartTime = (Get-Date).AddDays(-1); UserID = "S-1-5-21-1229272821-1220945662-725345543-1508268"} -ComputerName $DC |
        Select-Object Message, TimeCreated | Format-Table -AutoSize
}

Qlemo:
The only explanation is that that SID is invalid, or the event info does not contain any or this SID. My Security Log does not contain any SIDs; Application Log does.
I think you're expecting events to have a matching UserID which actually don't.  Often the message contains a field for identity, but this is not the same as the UserID property.  In the Security log, I let a query run for a few minutes and no events with UserId were returned, however, I did find some in the Application log.
SLPowers (ASKER):

Thanks

How can I use Get-WinEvent and filter the hashtable for user ID? Piping to a "Where" statement takes hours, so I can't do that.

Thanks
You mean a user ID contained in the message?
Probably the best way to handle this is to set up a task with a trigger on the event IDs to monitor on each server, or just running periodically scanning a small time period's events. Actions can be to send mail or similar.
Is there no way to scan a log for a user ID?

This is horrible.
ASKER CERTIFIED SOLUTION
footech
Search through our DCs for a given user for logon and logoff attempts.
That worked!!

Thanks!
You're probably going to want to include the IDs in the filter hashtable then, or you'll likely get extraneous events.
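One way to do what the thread is asking for, as an added example that is not code from the thread (the accepted solution itself is not reproduced on this page). The point raised above about UserID and the one about including event IDs in the filter both apply: the FilterHashtable UserID key matches the Security UserID attribute of the event's System element, which Security log entries generally leave empty, while the account you see in the message text comes from named EventData fields such as SubjectUserSid, TargetUserSid and TargetUserName. An XPath filter is evaluated by the event log service on the DC, so it is fast where piping to Where-Object is slow. The domain CONTOSO, user jsmith and DC names DC1 to DC3 are placeholders.

```powershell
# Added example, not from the thread or the accepted solution.
# Finds logon/logoff events for one account on each DC by filtering on the
# TargetUserSid field in EventData (server-side, via XPath) instead of the
# System-level UserID attribute that the FilterHashtable UserID key matches.
# Assumed placeholder values: domain CONTOSO, user jsmith, DC names DC1-DC3.

$Domain = "CONTOSO"
$User   = "jsmith"
$DCs    = "DC1", "DC2", "DC3"
$Days   = 1
# 4624 successful logon, 4634 logoff, 4625 failed logon
$Ids    = 4624, 4634, 4625

# Resolve the account to its SID; this throws if the account cannot be resolved
$acct = New-Object System.Security.Principal.NTAccount($Domain, $User)
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value

# timediff() in event log XPath is measured in milliseconds
$windowMs = $Days * 24 * 60 * 60 * 1000
$idClause = ($Ids | ForEach-Object { "EventID=$_" }) -join " or "

# 4625 records the target as NULL SID (S-1-0-0), so also match on the account name.
# XPath string comparison is case-sensitive, so TargetUserName must match the stored casing.
$xpath = "*[System[($idClause) and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
         " and EventData[Data[@Name='TargetUserSid']='$sid' or Data[@Name='TargetUserName']='$User']]"

foreach ($dc in $DCs) {
    try {
        Get-WinEvent -LogName Security -ComputerName $dc -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object {
                # Read the named EventData fields from the event XML rather than
                # parsing Message, which varies by event ID and may be blank remotely
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    DC          = $dc
                    TimeCreated = $_.TimeCreated
                    Id          = $_.Id
                    TargetUser  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    LogonType   = $data['LogonType']
                    IpAddress   = $data['IpAddress']   # absent on 4634, so shown empty
                }
            }
    }
    catch {
        # "No events were found" is a normal outcome for a quiet DC; report anything else
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "${dc}: $($_.Exception.Message)"
        }
    }
}
```

On PowerShell versions whose FilterHashtable accepts a Data key, `@{LogName='Security'; Id=4624,4634; StartTime=(Get-Date).AddDays(-1); Data=$sid}` gives a similar server-side filter, but Data matches the value in any EventData field (SubjectUserSid as well as TargetUserSid), so the XPath form above is the one to use when you need a specific field. Either way the event IDs belong in the filter, as the last comment says, or you will pull every event that happens to mention that account.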