Solved

Editing Powershell script to resolve DNS from HashTable ?

Posted on 2016-09-12
Last Modified: 2016-09-13
Hi All,

I've got the PowerShell script below, which can be used to get Event ID 4624 with the username Administrator on all AD domain controllers:

Get-ADDomainController -Filter * | Select-Object name | Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security";ID=4624;data="Administrator"} | % {
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User = $_.Properties[5].Value            
        Domain = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value      
        SourceIP = Resolve-DnsName ($_.Properties[18].Value)
        Keywords = $_.KeywordsDisplayNames -join ";"
    }
} | Select MachineName,TimeCreated,User,Domain,LogonType,SourceIP,Keywords | ft

Can anyone please help me edit the above PowerShell script so that it works with:

  • Resolve-DNS of the SourceIP
  • Replacing the value of 2 (interactive) and 3 (network)
# The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

Thanks in advance.
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41795423
replace 2/3 with what?
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41795427
David,

The script result is:

MachineName        TimeCreated    User           Domain             	LogonType SourceIP      Keywords     
-----------    	   -----------    ----           ------             	--------- --------      --------     
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       3 172.188.78... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       2 102.199.58... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       3 100.112.21... Audit Success

I wonder if the LogonType column could show, instead of the number:
2 (interactive) and 3 (network)

and the IP address resolved to the server DNS name, perhaps?
LVL 83

Expert Comment

by:oBdA
ID: 41795488
The script as you posted it won't work; you're missing the ForEach-Object for Get-WinEvent's ComputerName.
Note that since PS3.0, you can use an [ordered] hashtable if you want the properties of an object to appear in the same order in which you created them, which removes the need for the last Select-Object.
And I'd recommend keeping the Format-Table out of the script. Since the script can take quite some time, you'll be quite unhappy if Format-Table doesn't produce the desired results and you have to start over.
Just assign the script's output to a variable; then you can use the variable to output, filter, export, whatever.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADDomainController -Filter * | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}

LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41795515
OBDA,

Thanks man for the wonderful reply:

However, when I execute the script, it stops at: Get-ADDomainController -Filter *

PS C:\Users\administrator.DOMAIN> Get-ADDomainController -Filter *
Get-ADDomainController : Directory object not found
At line:1 char:1
+ Get-ADDomainController -Filter *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADDomainController], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController

I can get some result by using:

Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | Select-Object -expand Name

But when I combined the line into the script, I got this error:

Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand

LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41795519
The error appears 6 times, which corresponds to my 6 domain controllers.
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 41795529
Can't tell you why Get-ADDomainController isn't working for you, but it's something you should look into.
Anyway, as for the Get-ADComputer: do not pipe it to "Select-Object -ExpandProperty Name". You can just use the objects returned by Get-ADComputer.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}

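As an added example (not code from this thread or from oBdA's answer), the same enrichment done by field name instead of positional $_.Properties[n]: the function parses the XML that an event's ToXml() returns, maps the logon type with the accepted answer's table, caches reverse-DNS lookups so each source address is resolved once, and skips the '-' and loopback values that 4624 carries for local logons. The field names TargetUserName, TargetDomainName, LogonType and IpAddress are the standard 4624 EventData names; the sample event below is constructed, not real log data.

```powershell
# Logon type names from the accepted answer; keys are plain ints because the type is cast below
$LogonType = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
$DnsCache = @{}   # IP -> host name, so each address is resolved only once across thousands of events
function Resolve-SourceHost {
    param([string]$IpAddress)
    # '-', loopback and empty values are what 4624 carries for console/local logons: no PTR record to find
    if ([string]::IsNullOrWhiteSpace($IpAddress) -or $IpAddress -in @('-', '::1', '127.0.0.1')) { return $null }
    if (-not $DnsCache.ContainsKey($IpAddress)) {
        $DnsCache[$IpAddress] = (Resolve-DnsName -Name $IpAddress -Type PTR -ErrorAction SilentlyContinue).NameHost
    }
    return $DnsCache[$IpAddress]
}
function ConvertFrom-LogonEventXml {
    param([string]$EventXml)   # the string returned by an EventLogRecord's ToXml()
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }   # field name -> value
    $type = [int]$data['LogonType']
    $typeName = if ($LogonType.ContainsKey($type)) { $LogonType[$type] } else { "Unknown($type)" }
    [pscustomobject]@{
        MachineName     = $xml.Event.System.Computer
        TimeCreated     = [datetime]$xml.Event.System.TimeCreated.SystemTime
        User            = $data['TargetUserName']
        Domain          = $data['TargetDomainName']
        LogonType       = $type
        LogonTypeString = $typeName
        SourceIP        = $data['IpAddress']
        SourceName      = Resolve-SourceHost $data['IpAddress']
    }
}
# Constructed sample in the shape ToXml() produces for a 4624 event (not real log data)
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2016-09-13T08:15:00.000Z"/><Computer>DC-VM1.example.test</Computer></System>
  <EventData><Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data><Data Name="IpAddress">192.0.2.10</Data></EventData>
</Event>
'@
ConvertFrom-LogonEventXml $SampleXml
# Live use: the accepted answer's collection loop, assigned to a variable rather than piped to Format-Table
$Events = Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" |
    ForEach-Object {
        Get-WinEvent -ComputerName $_.Name -FilterHashtable @{LogName='Security'; ID=4624; Data='Administrator'} -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }
    }
$Events | Where-Object { $_.LogonType -eq 3 } | Format-Table MachineName, TimeCreated, User, SourceIP, SourceName
```

Named access avoids the positional indices shifting between Windows versions, and the cached lookups keep the run time bounded by the number of distinct source addresses rather than the number of events.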
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 41795543
You are so awesomely cool man !
Many thanks.