Solved

Editing PowerShell script to resolve DNS from HashTable?

Posted on 2016-09-12
72 Views
Last Modified: 2016-09-13
Hi All,

I've got the PowerShell script below, which can be used to get Event ID 4624 with the username Administrator on all AD domain controllers:

Get-ADDomainController -Filter * | Select-Object name | Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security";ID=4624;data="Administrator"} | % {
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User = $_.Properties[5].Value            
        Domain = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value      
        SourceIP = Resolve-DnsName ($_.Properties[18].Value)
        Keywords = $_.KeywordsDisplayNames -join ";"
    }
} | Select MachineName,TimeCreated,User,Domain,LogonType,SourceIP,Keywords | ft


Can anyone please help me edit the above PowerShell script so that it does the following:

  • Resolve-DNS of the SourceIP
  • Replacing the value of 2 (interactive) and 3 (network)
# The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

Thanks in advance.
0
7 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41795423
replace 2/3 with what?
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795427
David,

The script result is:

MachineName        TimeCreated    User           Domain    LogonType SourceIP      Keywords
-----------        -----------    ----           ------    --------- --------      --------
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain          3 172.188.78... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain          2 102.199.58... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain          3 100.112.21... Audit Success


I wonder if the LogonType Column can be replaced instead of number it will be:
2 (interactive) and 3 (network)

and the IP address resolved to the SERVER DNS name perhaps ?
0
 
LVL 84

Expert Comment

by:oBdA
ID: 41795488
The script as you posted it won't work; you're missing the ForEach-Object for Get-WinEvent's ComputerName.
Note that since PS3.0, you can use an [ordered] hashtable if you want the properties of an object to appear in the same order in which you created them, which removes the need for the last Select-Object.
And I'd recommend keeping the Format-Table out of the script. Since the script can take quite some time, you'll be quite unhappy if Format-Table doesn't produce the desired results and you have to start over.
Just assign the script's output to a variable, then you can use the variable to output, filter, export, whatever.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADDomainController -Filter * | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}

0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795515
OBDA,

Thanks man for the wonderful reply:

However, when I executed the script it stopped at: Get-ADDomainController -Filter *

PS C:\Users\administrator.DOMAIN> Get-ADDomainController -Filter *
Get-ADDomainController : Directory object not found
At line:1 char:1
+ Get-ADDomainController -Filter *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADDomainController], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController


I can get some result by using:

Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | Select-Object -expand Name

But when I combined that line with the script, I got this error:

Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand

0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41795519
The error appears 6 times, which corresponds to my 6 domain controllers.
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 41795529
Can't tell you why Get-ADDomainController isn't working for you, but it's something you should look into.
Anyway, as for the Get-ADComputer: do not pipe it to "Select-Object -ExpandProperty Name". You can just use the objects returned by Get-ADComputer.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}

1
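The following script pulls together oBdA's two recommendations from the earlier comment (assign the output to a variable instead of ending in Format-Table, and use an [ordered] hashtable so the trailing Select-Object is unnecessary) and the accepted solution above. It is an added example, not code posted by anyone in this thread. Beyond the accepted solution it wraps each domain controller in try/catch so one unreachable DC does not abort the run, caches DNS lookups so each source address is resolved once, skips the local placeholders ("-", "::1", "127.0.0.1") that 4624 events carry for console logons, and ends with a Group-Object summary of Administrator logons per logon type and source host. The names $TargetUser, $DnsCache, Resolve-SourceName and the output path Admin-4624.csv are my own; the event property indices (5, 6, 8, 18) and the LDAP filter are the ones used in the thread, and the ActiveDirectory and DnsClient modules are assumed to be available.

```powershell
# Added example, not code from this thread. Assumes the ActiveDirectory and DnsClient
# modules are present and that the 4624 property indices used in the thread hold:
# [5] TargetUserName, [6] TargetDomainName, [8] LogonType, [18] IpAddress.

# Logon type values from the 4624 event (same table as oBdA's answer).
$LogonType = @{
    [uint32]2  = 'Interactive'
    [uint32]3  = 'Network'
    [uint32]4  = 'Batch'
    [uint32]5  = 'Service'
    [uint32]7  = 'Unlock'
    [uint32]8  = 'NetworkCleartext'
    [uint32]9  = 'NewCredentials'
    [uint32]10 = 'RemoteInteractive'
    [uint32]11 = 'CachedInteractive'
}

$TargetUser = 'Administrator'   # account to audit (hypothetical variable; the thread hard-codes it)
$DnsCache   = @{}               # hypothetical cache: source IP -> resolved host name

function Resolve-SourceName {
    param([string]$Address)
    # Local or empty source addresses in 4624 ('-', '::1', '127.0.0.1') never point at a
    # remote host, so return them unchanged instead of spending a DNS round trip.
    if ([string]::IsNullOrWhiteSpace($Address) -or $Address -in @('-', '::1', '127.0.0.1')) {
        return $Address
    }
    # Resolve each distinct address once; a busy DC repeats the same sources thousands of times.
    if (-not $DnsCache.ContainsKey($Address)) {
        $Name = (Resolve-DnsName -Name $Address -ErrorAction SilentlyContinue).NameHost
        $DnsCache[$Address] = if ($Name) { $Name } else { "unresolved:$Address" }
    }
    return $DnsCache[$Address]
}

# Same LDAP filter as the accepted solution: userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT (a DC).
$DCs = Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

# Collect into a variable first; nothing is formatted until the (slow) collection has finished.
$Results = foreach ($DC in $DCs) {
    try {
        # -ErrorAction Stop turns a query failure (or "no events found") into a catchable error.
        Get-WinEvent -ComputerName $DC.DNSHostName -FilterHashtable @{LogName='Security'; ID=4624; Data=$TargetUser} -ErrorAction Stop |
        ForEach-Object {
            $Type     = [uint32]$_.Properties[8].Value
            $TypeName = if ($LogonType.ContainsKey($Type)) { $LogonType[$Type] } else { "Unknown($Type)" }
            $IP       = $_.Properties[18].Value
            [pscustomobject][ordered]@{
                MachineName     = $_.MachineName
                TimeCreated     = $_.TimeCreated
                User            = $_.Properties[5].Value
                Domain          = $_.Properties[6].Value
                LogonType       = $Type
                LogonTypeString = $TypeName
                SourceIP        = $IP
                SourceName      = (Resolve-SourceName -Address $IP)
                Keywords        = ($_.KeywordsDisplayNames -join ';')
            }
        }
    }
    catch {
        # One unreachable DC (or a DC with no matching events) must not abort the whole run.
        Write-Warning "$($DC.DNSHostName): $($_.Exception.Message)"
    }
}

# Keep the raw records (hypothetical output path), then summarise: count per logon type and
# source host. Interactive or RemoteInteractive Administrator logons from a host that is not
# a known admin workstation are the rows worth a second look.
$Results | Export-Csv -Path .\Admin-4624.csv -NoTypeInformation
$Results |
    Group-Object LogonTypeString, SourceName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Because $Results holds plain objects, it can be re-filtered after the fact without re-querying the DCs, for example `$Results | Where-Object LogonTypeString -eq 'Network'`, which is the point of oBdA's advice to keep Format-Table out of the script.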
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41795543
You are so awesomely cool, man!
Many thanks.
0
