SLPowers
asked:
PowerShell script for events for a user
To keep it simple I put a user's SID in the UserID field. I can search by event IDs etc. but not by user ID. What am I doing wrong?
Server 2008 and 2012 domain.
Thanks
$Domain = "CONTOSO"   # placeholder: NetBIOS name of the domain (not set in the original post)
$user   = "jsmith"    # placeholder: sAMAccountName to look up (not set in the original post)
# Resolve DOMAIN\user to its SID
$objUser = New-Object System.Security.Principal.NTAccount("$Domain", "$user")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
$DCs = "DC1", "DC2", "DC3"   # trailing comma removed; it was a syntax error
ForEach($DC in $DCs){
    # UserID in the filter hashtable matches the event's own User property (the account that logged the event),
    # not the account named inside the message, so this returns nothing for Security logon events.
    Get-WinEvent -FilterHashTable @{LogName="Security"; StartTime=(Get-Date).AddDays(-1); UserID="S-1-5-21-1229272821-1220945662-725345543-1508268"} -ComputerName $DC | Select Message, TimeCreated | ft -AutoSize
}
The only explanation is that the SID is invalid, or the event info does not contain any SID, or not this SID. My Security log does not contain any SIDs; the Application log does.
I think you're expecting events to have a matching UserID which actually don't. Often the message contains a field for identity, but this is not the same as the UserID property. In the Security log, I let a query run for a few minutes and no events with UserId were returned, however, I did find some in the Application log.
ASKER
Thanks
How can I use Get-WinEvent and filter the hashtable for user ID? Piping to a "Where" statement takes hours, so I can't do that.
Thanks
You mean a user ID contained in the message?
Probably the best way to handle this is to set up a task on each server with a trigger on the event IDs to monitor, or one that runs periodically and scans a small time period's events. Actions can be to send mail or similar.
ASKER
Is there no way to scan a log for a user ID?
This is horrible.
ASKER CERTIFIED SOLUTION
ASKER
Search through our DCs for a given user for logon and logoff attempts.
ASKER
That worked!!
Thanks!
You're probably going to want to include the IDs in the filter hashtable then, or you'll likely get extraneous events.
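The accepted solution is not shown above, so the following is an added example, not the thread's own answer. It addresses the asker's requirement (logon and logoff attempts for one account across several DCs) and the reason the original script returned nothing: on Security events 4624 and 4634 the account of interest is in the event's EventData (TargetUserName / TargetUserSid), while the UserID key in the filter hashtable matches the event's own User property, which for those events is the account that wrote the record, normally SYSTEM. The example filters with an XPath expression that the event log service evaluates on the remote DC, so no client-side Where-Object is needed and only matching events cross the wire. The domain, user, DC names and the 24-hour window are placeholders. It should be run from a management host with Windows PowerShell 3.0 or later (the [pscustomobject] accelerator and assigning a foreach loop to a variable need 3.0); the DCs themselves only need to answer remote event log RPC calls, which Server 2008 and 2012 do.

```powershell
# Added example, not the accepted solution from this thread.
# Queries each DC's Security log for logon (4624) and logoff (4634) events for one
# account, matching on the EventData fields where the account actually appears.
$Domain    = 'CONTOSO'           # assumed: NetBIOS domain name
$User      = 'jsmith'            # assumed: sAMAccountName to search for
$DCs       = 'DC1', 'DC2', 'DC3' # assumed: DC host names
$HoursBack = 24

# Resolve the account to its SID so the filter can match TargetUserSid as well as TargetUserName.
$account = New-Object System.Security.Principal.NTAccount($Domain, $User)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# timediff() is in milliseconds relative to now; the whole expression runs on the remote host.
$windowMs = $HoursBack * 3600 * 1000
$xpath = @"
*[System[(EventID=4624 or EventID=4634) and TimeCreated[timediff(@SystemTime) <= $windowMs]]
  and EventData[Data[@Name='TargetUserSid']='$sid' or Data[@Name='TargetUserName']='$User']]
"@

$results = foreach ($DC in $DCs) {
    try {
        Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object {
                # Named EventData fields sit in different positions for 4624 and 4634,
                # so read them by name from the event XML rather than by index.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                $action = if ($_.Id -eq 4624) { 'Logon' } else { 'Logoff' }
                [pscustomobject]@{
                    DC          = $DC
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    Action      = $action
                    Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    LogonType   = $data['LogonType']   # present on both 4624 and 4634
                    SourceIp    = $data['IpAddress']   # present on 4624 only
                }
            }
    }
    catch {
        # Covers "no events were found" as well as RPC, firewall and access-denied failures,
        # so one unreachable DC does not abort the whole sweep.
        Write-Warning "$DC : $($_.Exception.Message)"
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

Two practical notes. First, 4624/4634 on a DC record logons to that DC (interactive, network, service), not every domain authentication; if the goal is "where did this account authenticate", Kerberos events 4768/4769/4771 and NTLM 4776 on the DCs are the better source, and the same XPath pattern applies with the appropriate Data names. Second, the 4634 logoff event is only written for sessions that end cleanly, so counting logons against logoffs will not balance.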