Solved

How do I troubleshoot the Set-Strictmode Powershell command?

Posted on 2015-02-06
Last Modified: 2015-02-06
Hi Expert,

Why does line 4, Get-WinEvent, fail when I add the 'Set-StrictMode -Version Latest' entry?
What is the best way to troubleshoot results from this setting?

Thank you. CuriousMAUser

Set-StrictMode -Version Latest
 $cred = Get-Credential Domain\admin
# Grab the events from a DC
 $Events = Get-WinEvent -ComputerName DC01 -Credential $cred -FilterHashTable @{Logname='Security';ID=4729}  

# Parse out the event message data
 ForEach ($Event in $Events) {
  # Convert the event to XML
  $eventXML = [xml]$Event.ToXml()

  # Iterate through each one of the XML message properties
  For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
    # Append these as object properties
    Add-Member -InputObject $Event -MemberType NoteProperty -Force `
      -Name $eventXML.Event.EventData.Data[$i].name `
      -Value $eventXML.Event.EventData.Data[$i].'#text'
  }
 }

# View the results with your favorite output method
# (run once, after every event has been processed, not inside the loops)
 $Events | Select-Object -Property MemberName, ID, TargetUserName, TargetDomainName, TimeCreated, Message | Export-Csv C:\Scripts\WinEventID4729.csv
0
Question by:CuriousMAUser
8 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 40594627
First step with PowerShell is always to read the error message. PS is verbose on failure.
Which PS release are you running?
0
 

Author Comment

by:CuriousMAUser
ID: 40594649
Thank you, Qlemo.

Of course, I tried to repeat the process and was unable to repeat the error.

I started with
Set-StrictMode -Version 4 - ran the script successfully
Set-StrictMode -Version Latest - ran the script successfully

Hmmmm. The error did appear once, maybe I had a fat finger error and the syntax was incorrect. I'll keep testing and see what I find. If I can't repeat the error I'll close the ticket. Thank you for the quick response.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40594678
It has probably just been some kind of typo or other failure.
0
 

Author Comment

by:CuriousMAUser
ID: 40594680
Hi Qlemo,

A different script did create an error message:
System.Management.Automation.RuntimeException
The variable '$UserName' cannot be retrieved because it has not been set.
System.Management.Automation.RuntimeException
The variable '$UserName' cannot be retrieved because it has not been set.

The variable $UserName needs to be defined. Does that belong before the 'try' statement? Can you supply an example?
*********************************************************
Set-ExecutionPolicy remotesigned -Force
Import-module activedirectory

Set-StrictMode -Version Latest

try{
 $SearchID='4728'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | forEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='Description';Expression={$psitem.Message}} |
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
#
# Event Code 4729
#
try{
 $SearchID='4729'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | forEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='Description';Expression={$psitem.Message}} |
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
0
 

Author Comment

by:CuriousMAUser
ID: 40594713
I've requested that this question be closed as follows:

Accepted answer: 0 points for CuriousMAUser's comment #a40594680

for the following reason:

Hi Qlemo,

Thank you for your response to the first question. Sorry I tried to slip in another. :-)

Enjoy the weekend. I'll work on the variable question myself. That was a lazy response.

Thank you. You've opened my eyes to what to ask.
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40594701
Doesn't matter if you put it inside or outside of the block.
I'm not certain I understand the meaning of $psitem, though.
And of course it is bad style to repeat the same code just changing the event ID.
0
 

Author Closing Comment

by:CuriousMAUser
ID: 40594714
Good point, thx
0
 
LVL 40

Expert Comment

by:footech
ID: 40594761
$psitem is the same as $_
0
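The points raised in this thread (assign the variable before use, do not repeat the block per event ID, read the error) combined into one script; this is an added example, not code from any participant. The function names ConvertFrom-EventXml and Select-GroupChange, the sample XML, the account names and the choice to filter on SubjectUserName are assumptions made for illustration.

```powershell
Set-StrictMode -Version Latest

function ConvertFrom-EventXml {
    # One event's XML (what $event.ToXml() returns) -> object with named EventData fields.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $row = [ordered]@{ Id = [int]$doc.Event.System.EventID }
    # @() keeps the loop valid under StrictMode when there is only one <Data> node.
    foreach ($d in @($doc.Event.EventData.Data)) {
        $row[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$row
}

function Select-GroupChange {
    # Mandatory parameters replace a script-level $UserName that was never assigned.
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [Parameter(Mandatory)][int[]]$Id,
        [Parameter(Mandatory)][string]$UserName
    )
    $EventXml | ForEach-Object { ConvertFrom-EventXml -Xml $_ } |
        Where-Object { $_.Id -in $Id -and $_.SubjectUserName -eq $UserName }
}

# Constructed sample events (not real log data). A live run would feed the
# ToXml() output of Get-WinEvent -FilterHashtable @{Path=<evtx file>;Id=4728,4729}.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>{0}</EventID></System><EventData>' +
    '<Data Name="MemberName">CN=Test User,DC=example,DC=test</Data>' +
    '<Data Name="TargetUserName">Helpdesk</Data>' +
    '<Data Name="SubjectUserName">{1}</Data></EventData></Event>'
$sample = ($template -f 4728, 'admin1'), ($template -f 4729, 'admin2')

# Assigned before first use, so StrictMode has nothing to report.
$UserName = 'admin1'
Select-GroupChange -EventXml $sample -Id 4728, 4729 -UserName $UserName

# Troubleshooting: the error record also carries the position of the offending
# reference, which a catch block that prints only type and message throws away.
try { $null = $NotYetSet }
catch { '{0} (line {1})' -f $_.Exception.Message, $_.InvocationInfo.ScriptLineNumber }
```

The filter uses -eq rather than -match so the account name is compared literally instead of being interpreted as a regular expression.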
