Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I troubleshoot the Set-Strictmode Powershell command?

Posted on 2015-02-06
8
Medium Priority
?
212 Views
Last Modified: 2015-02-06
Hi Expert,

Why does line 4, Get-WinEvent, fail when I add the 'Set-StrictMode -Version Latest' entry?
What is the best way to troubleshoot results from this setting?

Thank you. CuriousMAUser

Set-StrictMode -Version Latest
 $cred = Get-Credential Domain\admin
# Grab the events from a DC
 $Events = Get-WinEvent -ComputerName DC01 -Credential $cred -FilterHashTable @{Logname='Security';ID=4729}  

# Parse out the event message data
 ForEach ($Event in $Events) {
  # Convert the event to XML
  $eventXML= [xml]$Event.ToXml()
 
  # Iterate through each one of the XML message properties
  For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
 
  # Append these as object properties
  Add-Member -InputObject $Event -MemberType NoteProperty -Force `
    -Name $eventXML.Event.EventData.Data[$i].name `
    -Value $eventXML.event.eventData.Data[$i].'#text'
 
  # View the results with your favorite output method
  $Events | Select-Object -property MemberName, ID, TargetUserName, TargetDomainName, TimeCreated, Message | export-csv C:\Scripts\WinEventID4729.csv

   }
}
0
Comment
Question by:CuriousMAUser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 71

Expert Comment

by:Qlemo
ID: 40594627
First step with PowerShell is always to read the error message. PS is verbose on failure.
Which PS release are you running?
0
 

Author Comment

by:CuriousMAUser
ID: 40594649
Thank you, Qlemo.

Of course, I tried to repeat the process and was unable to repeat the error.

I started with
Set-StrictMode -Version 4 - ran the script successfully
Set-StrictMode -Version Latest - ran the script successfully

Hmmmm. The error did appear once, maybe I had a fat figure error and the syntax was incorrect. I'll keep testing and see what I find. If I can't repeat the error I'll close the ticket. Thank you for the quick response.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40594678
Just has been some kind of typo or other failure probably.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:CuriousMAUser
ID: 40594680
Hi Qlem,

A different script did create an error message:
System.Management.Automation.RuntimeException
The variable '$UserName' cannot be retrieved because it has not been set.
System.Management.Automation.RuntimeException
The variable '$UserName' cannot be retrieved because it has not been set.

The variable $UserName needs to be defined. Does that belong before the 'try' statement? Can you supply an example?
*********************************************************
Set-ExecutionPolicy remotesigned -Force
Import-module activedirectory

Set-StrictMode -Version Latest

try{
 $SearchID='4728'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | forEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='Description';Expression={$psitem.Message}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
#
# Event Code 4729
#
try{
 $SearchID='4729'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | forEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='Description';Expression={$psitem.Message}},
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
0
 

Author Comment

by:CuriousMAUser
ID: 40594713
I've requested that this question be closed as follows:

Accepted answer: 0 points for CuriousMAUser's comment #a40594680

for the following reason:

Hi Qlem,

Thank you for your response to the first question. Sorry I tried to slip in another. :-)

Enjoy the weekend. I'll work on the variable question myself. That was a lazy response.

Thank you. You've opened my eyes to what to ask.
0
 
LVL 71

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 40594701
Doesn't matter if you put it inside or outside of the block.
I'm not certain I understand the meaning of $psitem, though.
And off course it is bad style to repeat the same code just changing the event ID.
0
 

Author Closing Comment

by:CuriousMAUser
ID: 40594714
Good point, thx
0
 
LVL 41

Expert Comment

by:footech
ID: 40594761
$psitem is the same as $_
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question