  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 114
  • Last Modified:

Editing PowerShell script to resolve DNS from HashTable?

Hi All,

I've got the PowerShell script below, which can be used to get Event ID 4624 with the username Administrator on all AD domain controllers:

Get-ADDomainController -Filter * | Select-Object name | Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security";ID=4624;data="Administrator"} | % {
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User = $_.Properties[5].Value            
        Domain = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value      
        SourceIP = Resolve-DnsName ($_.Properties[18].Value)
        Keywords = $_.KeywordsDisplayNames -join ";"
    }
} | Select MachineName,TimeCreated,User,Domain,LogonType,SourceIP,Keywords | ft



Can anyone please help me edit the above PowerShell script so that it works with:

  • Resolve-DNS of the SourceIP
  • Replacing the value of 2 (interactive) and 3 (network)
# The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

Thanks in advance.
Asked by: Senior IT System Engineer
1 Solution
 
David Johnson, CD, MVP (Owner) commented:
replace 2/3 with what?
0
 
Senior IT System Engineer (IT Professional, Author) commented:
David,

The script result is:

MachineName        TimeCreated    User           Domain             	LogonType SourceIP      Keywords     
-----------    	   -----------    ----           ------             	--------- --------      --------     
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       3 172.188.78... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       2 102.199.58... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       3 100.112.21... Audit Success



I wonder if the LogonType column could show, instead of the number:
2 (interactive) and 3 (network)

and the IP address resolved to the server DNS name, perhaps?
0
 
oBdA commented:
The script as you posted it won't work; you're missing the ForEach-Object for Get-WinEvent's ComputerName.
Note that since PS3.0, you can use an [ordered] hashtable if you want the properties of an object to appear in the same order in which you created them, which removes the need for the last Select-Object.
And I'd recommend keeping Format-Table out of the script. Since the script can take quite some time, you'll be quite unhappy if Format-Table doesn't produce the desired results and you have to start over.
Just assign the script's output to a variable; then you can use the variable to output, filter, export, whatever.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADDomainController -Filter * | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}


0
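Added example (not code from the thread or from oBdA): it builds on the points in the answer above, an [ordered] record per event, a LogonType lookup table and collecting into a variable before formatting, and adds two things a practitioner reviewing 4624 data usually wants. First, the event fields are read from the event's EventData XML by name (TargetUserName, TargetDomainName, LogonType, IpAddress, WorkstationName are the real 4624 field names) instead of by positional index such as Properties[18], so the record does not silently shift if the index is wrong. Second, reverse DNS is cached per address and skipped for the '-', '::1' and '127.0.0.1' values that 4624 carries for local logons, which Resolve-DnsName would otherwise fail on for every event. The sample event XML at the bottom is constructed so the parsing path can be tried offline; the collection pipeline assumes the ActiveDirectory and DnsClient modules and reachable domain controllers.

```powershell
# Added example, not the thread's script. Parses 4624 events by field name,
# maps LogonType to a name, caches reverse-DNS lookups and collects results
# into a variable for later filtering/export (as recommended in the answer).

$LogonTypeName = @{
    [uint32]2  = 'Interactive'
    [uint32]3  = 'Network'
    [uint32]4  = 'Batch'
    [uint32]5  = 'Service'
    [uint32]7  = 'Unlock'
    [uint32]8  = 'NetworkCleartext'
    [uint32]9  = 'NewCredentials'
    [uint32]10 = 'RemoteInteractive'
    [uint32]11 = 'CachedInteractive'
}

# One PTR lookup per distinct address. 4624 reports '-' or a loopback address
# for local logons; resolving those would only produce errors, so skip them.
$DnsCache = @{}
function Resolve-SourceHost {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address) -or ($Address -in @('-', '::1', '127.0.0.1'))) {
        return $null
    }
    if (-not $DnsCache.ContainsKey($Address)) {
        $DnsCache[$Address] = Resolve-DnsName -Name $Address -Type PTR -ErrorAction SilentlyContinue |
            Select-Object -First 1 -ExpandProperty NameHost
    }
    return $DnsCache[$Address]
}

# Turn the XML of one 4624 event (EventRecord.ToXml()) into a flat, ordered record.
# Reading EventData by the Name attribute avoids depending on positional indices.
function ConvertFrom-LogonEventXml {
    param([string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [uint32]$data['LogonType']
    $name = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { "Unknown($type)" }
    [pscustomobject][ordered]@{
        MachineName   = $xml.Event.System.Computer
        TimeCreated   = [datetime]$xml.Event.System.TimeCreated.SystemTime
        User          = $data['TargetUserName']
        Domain        = $data['TargetDomainName']
        LogonType     = $type
        LogonTypeName = $name
        SourceIP      = $data['IpAddress']
        SourceName    = Resolve-SourceHost -Address $data['IpAddress']
        Workstation   = $data['WorkstationName']
    }
}

# Collection: gather everything into a variable first, then format/filter/export.
# Requires the ActiveDirectory module and reachable DCs (assumption).
function Get-AdminLogons {
    param([int]$Days = 1)
    $filter = @{ LogName = 'Security'; ID = 4624; Data = 'Administrator'; StartTime = (Get-Date).AddDays(-$Days) }
    Get-ADDomainController -Filter * | ForEach-Object {
        Get-WinEvent -ComputerName $_.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() }
    }
}

# Constructed sample event (not a real capture) so the parsing path runs offline.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2016-09-13T10:22:31.000Z"/>
    <Computer>DC-VM1.MyDomain.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">MyDomain</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">ADMIN-PC</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $SampleEventXml | Format-List

# Live run: interactive-style logons by the built-in Administrator are the ones
# most worth reviewing; keep the full set in $Logons for export.
$Logons = Get-AdminLogons -Days 1
$Logons | Where-Object LogonTypeName -in @('Interactive', 'RemoteInteractive') |
    Sort-Object TimeCreated | Format-Table MachineName, TimeCreated, LogonTypeName, SourceIP, SourceName
$Logons | Export-Csv -Path .\admin-4624.csv -NoTypeInformation
```

The sample parses to LogonTypeName 'RemoteInteractive' with SourceName left empty, since '-' is never sent to DNS. Because the records are plain objects held in $Logons, the same data can be regrouped (for example by SourceName or LogonTypeName) without re-querying the domain controllers.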
 
Senior IT System Engineer (IT Professional, Author) commented:
oBdA,

Thanks, man, for the wonderful reply.

However, when I execute the script it stops at: Get-ADDomainController -Filter *

PS C:\Users\administrator.DOMAIN> Get-ADDomainController -Filter *
Get-ADDomainController : Directory object not found
At line:1 char:1
+ Get-ADDomainController -Filter *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADDomainController], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController



I can get some result by using:

Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | Select-Object -expand Name

But when I combined the line into the script, I got this error:

Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand


0
 
Senior IT System Engineer (IT Professional, Author) commented:
The error appears 6 times, which corresponds to my 6 domain controllers.
0
 
oBdA commented:
Can't tell you why Get-ADDomainController isn't working for you, but it's something you should look into.
Anyway, as for the Get-ADComputer: do not pipe it to "Select-Object -ExpandProperty Name". You can just use the objects returned by Get-ADComputer.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}


1
 
Senior IT System Engineer (IT Professional, Author) commented:
You are so awesomely cool man !
Many thanks.
0
