Solved

Editing PowerShell script to resolve DNS from HashTable?

Posted on 2016-09-12
Last Modified: 2016-09-13
Hi All,

I've got the PowerShell script below, which can be used to get Event ID 4624 with the username Administrator on all AD domain controllers:

Get-ADDomainController -Filter * | Select-Object name | Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security";ID=4624;data="Administrator"} | % {
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User = $_.Properties[5].Value            
        Domain = $_.Properties[6].Value
        LogonType = $_.Properties[8].Value      
        SourceIP = Resolve-DnsName ($_.Properties[18].Value)
        Keywords = $_.KeywordsDisplayNames -join ";"
    }
} | Select MachineName,TimeCreated,User,Domain,LogonType,SourceIP,Keywords | ft



Can anyone please help me edit the above PowerShell script so that it works with:

  • Resolve-DNS of the SourceIP
  • Replacing the value of 2 (interactive) and 3 (network)
# The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

Thanks in advance.
7 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41795423
replace 2/3 with what?
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41795427
David,

The script result is:

MachineName        TimeCreated    User           Domain             	LogonType SourceIP      Keywords     
-----------    	   -----------    ----           ------             	--------- --------      --------     
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       3 172.188.78... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       2 102.199.58... Audit Success
DC-VM1.MyDomain... 13/09/2016 ... Administrator  MyDomain                       3 100.112.21... Audit Success



I wonder if the LogonType column can show, instead of the number:
2 (interactive) and 3 (network)

and the IP address resolved to the server DNS name, perhaps?
 
LVL 82

Expert Comment

by:oBdA
ID: 41795488
The script as you posted it won't work, you're missing the ForEach-Object for Get-WinEvent's ComputerName.
Note that since PS3.0, you can use an [ordered] hashtable if you want to have the properties of an object appear in the same order in which you created them, which removes the need for the last Select-Object.
And I'd recommend keeping the Format-Table out of the script. Since the script can take quite some time, you'll be quite unhappy if Format-Table doesn't produce the desired results and you have to start over.
Just assign the script's output to a variable, then you can use the variable to output, filter, export, whatever.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADDomainController -Filter * | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}

 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41795515
oBdA,

Thanks, man, for the wonderful reply.

However, when I execute the script, it stops at: Get-ADDomainController -Filter *

PS C:\Users\administrator.DOMAIN> Get-ADDomainController -Filter *
Get-ADDomainController : Directory object not found
At line:1 char:1
+ Get-ADDomainController -Filter *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-ADDomainController], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController



I can get some result by using:

Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | Select-Object -expand Name

But when I combined that line into the script, I got this error:

Get-WinEvent : Cannot validate argument on parameter 'ComputerName'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:13 char:29
+     Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=46 ...
+                                ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWinEventCommand
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41795519
The error appears 6 times, which corresponds to my 6 domain controllers.
 
LVL 82

Accepted Solution

by:
oBdA earned 500 total points
ID: 41795529
Can't tell you why Get-ADDomainController isn't working for you, but it's something you should look into.
Anyway, as for the Get-ADComputer: do not pipe it to "Select-Object -ExpandProperty Name". You can just use the objects returned by Get-ADComputer.
$LogonType = @{
	[uint32]2 = 'Interactive'
	[uint32]3 = 'Network'
	[uint32]4 = 'Batch'
	[uint32]5 = 'Service'
	[uint32]7 = 'Unlock'
	[uint32]8 = 'NetworkCleartext'
	[uint32]9 = 'NewCredentials'
	[uint32]10 = 'RemoteInteractive'
	[uint32]11 = 'CachedInteractive'
}
Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | ForEach-Object {
	Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="Administrator"} | ForEach-Object {
		New-Object PSObject -Property ([ordered]@{
			MachineName = $_.MachineName
			TimeCreated = $_.TimeCreated
			User = $_.Properties[5].Value
			Domain = $_.Properties[6].Value
			LogonType = $_.Properties[8].Value
			LogonTypeString = $LogonType[$_.Properties[8].Value]
			SourceIP = $_.Properties[18].Value
			SourceName = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
			Keywords = $_.KeywordsDisplayNames -join ";"
		})
	}
}

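As an added example (not oBdA's code or anything posted in the thread): the same report, but it reads the named EventData fields from the event XML instead of positional Properties[] indexes, filters on TargetUserName specifically (the Data= filter in the hashtable matches the string in any data field, SubjectUserName included), caches reverse lookups, and keeps going past DCs that are unreachable or return no events. It assumes the RSAT ActiveDirectory and DnsClient modules are available, that the account can read each DC's Security log remotely, and the CSV path is a placeholder.

```powershell
$TargetUser = 'Administrator'
$StartTime  = (Get-Date).AddDays(-1)   # bound the query; reading a whole Security log per DC is slow
# Logon type codes from the 4624 event description. Keys are [int] because the
# value below is cast from the XML string; hashtable keys compare by type too.
$LogonType = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
$DnsCache = @{}   # one reverse lookup per distinct source address, not per event

function Resolve-SourceName([string]$Address) {
    # 4624 uses '-' or loopback for console and service logons; nothing to resolve
    if ([string]::IsNullOrEmpty($Address) -or $Address -in @('-', '::1', '127.0.0.1')) { return $null }
    if (-not $DnsCache.ContainsKey($Address)) {
        $DnsCache[$Address] = (Resolve-DnsName -Name $Address -ErrorAction SilentlyContinue).NameHost
    }
    return $DnsCache[$Address]
}
$Report = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $StartTime; Data = $TargetUser
        }
    } catch {
        # unreachable DC, access denied, or "No events were found": report it and move on
        Write-Warning "${dc}: $($_.Exception.Message)"
        return
    }
    foreach ($ev in $events) {
        # Named EventData fields (<Data Name="TargetUserName">...) instead of Properties[n]
        $d = @{}
        foreach ($node in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        # Data= matched the string in some field; keep only logons where it is the target account
        if ($d.TargetUserName -ne $TargetUser) { continue }
        [pscustomobject]@{
            MachineName     = $ev.MachineName
            TimeCreated     = $ev.TimeCreated
            User            = $d.TargetUserName
            Domain          = $d.TargetDomainName
            LogonType       = [int]$d.LogonType
            LogonTypeString = $LogonType[[int]$d.LogonType]
            SourceIP        = $d.IpAddress
            SourceName      = Resolve-SourceName $d.IpAddress
            Keywords        = $ev.KeywordsDisplayNames -join ';'
        }
    }
}
$Report | Export-Csv -Path .\Admin-4624.csv -NoTypeInformation   # placeholder output path
```

Keeping the objects in $Report (as oBdA suggests) means you can re-sort, filter by LogonTypeString, or re-export without querying the DCs again.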
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 41795543
You are so awesomely cool, man!
Many thanks.