Solved

Editing Powershell script to resolve DNS from HashTable ?

Posted on 2016-09-12
Last Modified: 2016-09-13
Hi All,

I've got the Powershell script below which can be used to get Event ID 4624 with the username Administrator on all AD domain controllers:

Get-ADDomainController -Filter * | Select-Object name | Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security";ID=4624;data="Administrator"} | % {
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User = $_.Properties[5].Value            
        Domain = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value      
        SourceIP = Resolve-DnsName ($_.Properties[18].Value)
        Keywords = $_.KeywordsDisplayNames -join ";"
    }
} | Select MachineName,TimeCreated,User,Domain,LogonType,SourceIP,Keywords | ft


Can anyone please help me edit the above PowerShell script so that it works with:

  • Resolve-DNS of the SourceIP
  • Replacing the value of 2 (interactive) and 3 (network)
# The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

Thanks in advance.
7 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41795423
replace 2/3 with what?
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795427
David,

The script result is:

MachineName        TimeCreated    User           Domain    LogonType SourceIP      Keywords
-----------        -----------    ----           ------    --------- --------      --------
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain          3 172.188.78... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain          2 102.199.58... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain          3 100.112.21... Audit Success


I wonder if the LogonType column could show, instead of the number:
2 (interactive) and 3 (network)

and the IP address resolved to the SERVER DNS name perhaps ?
 
LVL 85

Expert Comment

by:oBdA
ID: 41795488
The script as you posted it won't work, you're missing the ForEach-Object for Get-WinEvent's ComputerName.
Note that since PS3.0, you can use an [ordered] hashtable if you want to have the properties of an object appear in the same order in which you created them, which removes the need for the last Select-Object.
And I'd recommend keeping the Format-Table out of the script. Since the script can take quite some time, you'll be quite unhappy if Format-Table doesn't produce the desired results and you have to start over.
Just assign the script's output to a variable, then you can use the variable to output, filter, export, whatever.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADDomainController -Filter * | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}

 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795515
OBDA,

Thanks man for the wonderful reply:

However when I execute the script it stopped at: Get-ADDomainController -Filter *

PS C:\Users\administrator.DOMAIN> Get-ADDomainController -Filter *
Get-ADDomainController : Directory object not found
At line:1 char:1
+ Get-ADDomainController -Filter *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADDomainController], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController


I can get some result by using:

Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | Select-Object -expand Name

But when I combined that line with the script, I got this error:

Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand

 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795519
The error appears 6 times, which corresponds to my 6 domain controllers.
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 41795529
Can't tell you why Get-ADDomainController isn't working for you, but it's something you should look into.
Anyway, as for the Get-ADComputer: do not pipe it to "Select-Object -ExpandProperty Name". You can just use the objects returned by Get-ADComputer.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}

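Added example (this is not code from the thread, neither the author's nor oBdA's): the same collection written against the named EventData fields of the 4624 record instead of the positional Properties[] indices (which shift if the event schema changes), with a small cache so a source IP that appears in hundreds of events is only reverse-resolved once, and with the collection wrapped in a function so the objects can be kept in a variable and formatted afterwards, as oBdA recommends. The account name, the DC-enumeration LDAP filter reused from the thread, the hostnames and the sample event record are assumptions made for illustration; the sample is constructed, not a real log entry.

```powershell
# Added example, not from the thread. Parses 4624 by named EventData fields,
# caches reverse DNS lookups, and keeps Format-Table out of the collection.

# Logon types as documented for event 4624. Keys are Int32 because the parser
# below casts the XML value with [int]; if you index with Properties[8].Value
# (a UInt32) you need [uint32] keys, as in the accepted answer.
$LogonType = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

$script:PtrCache = @{}

function Resolve-SourceName {
    param([string]$IpAddress)
    # '-', '::1' and 127.0.0.1 appear on console/local logons; nothing to resolve.
    if ([string]::IsNullOrWhiteSpace($IpAddress) -or
        $IpAddress -in '-', '::1', '127.0.0.1') { return $null }
    if (-not $script:PtrCache.ContainsKey($IpAddress)) {
        # Reverse lookup; a missing PTR record yields $null instead of an error.
        $script:PtrCache[$IpAddress] = (Resolve-DnsName -Name $IpAddress -ErrorAction SilentlyContinue).NameHost
    }
    return $script:PtrCache[$IpAddress]
}

function ConvertFrom-Logon4624 {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Map <Data Name="...">value</Data> into a lookup so field order does not matter.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    $typeName = if ($LogonType.ContainsKey($type)) { $LogonType[$type] } else { "Unknown($type)" }
    [pscustomobject][ordered]@{
        MachineName     = $EventXml.Event.System.Computer
        TimeCreated     = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        User            = $data['TargetUserName']
        Domain          = $data['TargetDomainName']
        LogonType       = $type
        LogonTypeString = $typeName
        Workstation     = $data['WorkstationName']
        SourceIP        = $data['IpAddress']
        SourceName      = Resolve-SourceName $data['IpAddress']
    }
}

function Get-AdminLogonEvents {
    param(
        [string]$Account = 'Administrator',
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    # Domain controllers carry the SERVER_TRUST_ACCOUNT bit (0x2000 = 8192) in
    # userAccountControl; this is the filter the thread fell back to.
    $dcs = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
    foreach ($dc in $dcs) {
        $filter = @{ LogName = 'Security'; ID = 4624; StartTime = $StartTime; Data = $Account }
        # Data= matches any EventData value equal to $Account (the subject account
        # as well as the target), so Where-Object keeps only logons *to* that account.
        # -ErrorAction SilentlyContinue also hides unreachable DCs; drop it to see them.
        Get-WinEvent -ComputerName $dc.DNSHostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-Logon4624 ([xml]$_.ToXml()) } |
            Where-Object { $_.User -eq $Account }
    }
}

# Constructed sample record (not a real event) so the parser can be exercised
# without touching a domain controller. Hostnames and IP are made up.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2016-09-13T01:02:03.000Z" />
    <Computer>DC-VM1.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">MyDomain</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">ADMIN-PC</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
$parsed = ConvertFrom-Logon4624 ([xml]$SampleXml)
$parsed | Format-List

# Live run: keep the objects, format or export afterwards.
# $logons = Get-AdminLogonEvents -StartTime (Get-Date).AddDays(-7)
# $logons | Where-Object LogonTypeString -eq 'RemoteInteractive' | Format-Table -AutoSize
```

Running the sample gives LogonType 10 / RemoteInteractive for the constructed record; SourceName stays empty offline because 192.0.2.10 has no PTR record. On a real run, the type 3 (Network) rows from the original output are what you would expect from replication, LDAP and SMB traffic between DCs, while type 10 and type 2 entries for Administrator are the ones worth tying to a source host, which is why the example keeps WorkstationName next to the resolved name.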
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41795543
You are so awesomely cool man !
Many thanks.