A A

powershell script

Is there a PowerShell script which can query all failed and successful events in Group Policy against an AD environment? I need that in Excel format.
J0rtIT

I don't know any, but I'll share one with you:

Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' |where{ $_.leveldisplayname -ne "information"}


This will look in the Microsoft/Windows/GroupPolicy log (called Operational (WS2012R2)).
It will find anything that doesn't match "information" at the log level (warnings and errors).

Source: https://social.technet.microsoft.com/Forums/windows/en-US/0a9683ab-096f-4a29-a51a-fa685514e9f7/geteventlog-accessing-applications-ans-servies-logs?forum=winserverpowershell

Hi AA,

This command will generate a CSV file that you can open in Excel showing all the Group Policy events over the last 30 days:

Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-GroupPolicy/Operational'; StartTime=(Get-Date).AddDays(-30)} | Export-CSV C:\Temp\ZZ_WinEvents.csv -NoTypeInformation


If you want to cover a shorter or longer period (limited to how far back your logs go), then change the 30 to whatever duration you want.

Change the destination file path and name as required.


Alan.
A A

ASKER

Hi Alan
I am getting this error:

Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-GroupPolic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
A A

ASKER

Hi Jose,
I can only see the failed group policy. I also need successfully applied policy, and I need this to run against all the devices in the AD environment. Can you please tell me how it's done?

thanks!

Try it like this:
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' 

You'd get a bunch of informational events, but I don't see them as successful; they were seen as informational.
A A

ASKER

Now I can see both. Can I see what group policy applied to the machine? And how do I get this to run against all the machines in Active Directory?

****Get all computers using network or IP****
$computers

Check here how to run the script against a whole C-class network. It pings the whole network once and gets the script to run on those that answered. The logic is here:
https://gallery.technet.microsoft.com/scriptcenter/Process-Killer-for-local-836f5b46


foreach($computer in $computers){
    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Computername $computer
}

Hi,

I'm inferring that the last command works for you, so to run that one against all computers, try this script:

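Import-Module ActiveDirectory

# Get-ADComputer returns AD computer objects, not plain strings
$Computers = Get-ADComputer -Filter *

ForEach($Computer in $Computers){

    # Pass the Name property: -ComputerName expects a string
    Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -ComputerName $Computer.Name
}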


Alan.
A A

ASKER

I was able to pull the info from my machine but it's not running against all devices in AD.

I am getting this error:

Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

Odd - I would have expected the error to identify which machines had errors (the RPC service not running).

Maybe run against a smaller subset (half each time for example) and try to work out one machine that is having the problem, and then examine it in more detail.

Alan.
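
The errors shown above do not say which computer failed. As an added example (not code from any poster in this thread), the loop below records a result per computer, separating "no events in range" from connection failures such as "The RPC server is unavailable". Assumptions: the ActiveDirectory module is installed, `C:\Temp` exists, and the two output file names are hypothetical.

```powershell
# Added example: collect Group Policy events per machine and log which hosts failed.
# Assumptions: RSAT ActiveDirectory module present; C:\Temp exists;
# GP_Events.csv and GP_CollectionStatus.csv are hypothetical file names.
Import-Module ActiveDirectory

$filter = @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = (Get-Date).AddDays(-30)
}
$events = New-Object 'System.Collections.Generic.List[object]'
$status = New-Object 'System.Collections.Generic.List[object]'

# Enabled computer accounts only; keep the Name string, not the AD object.
$names = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name

foreach ($name in $names) {
    $result = 'OK'
    try {
        # -ErrorAction Stop turns the non-terminating error into a catchable one.
        $found = Get-WinEvent -FilterHashtable $filter -ComputerName $name -ErrorAction Stop
        foreach ($e in $found) {
            $events.Add([pscustomobject]@{
                Computer    = $name
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Level       = $e.LevelDisplayName   # Information / Warning / Error
                Message     = $e.Message
            })
        }
    }
    catch {
        # NoMatchingEventsFound: the host answered but has no events in the window.
        # Anything else is a reachability or permission problem on that host.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $result = 'NoEvents' }
        else { $result = "Failed: $($_.Exception.Message)" }
    }
    $status.Add([pscustomobject]@{ Computer = $name; Result = $result })
}

$events | Export-Csv C:\Temp\GP_Events.csv -NoTypeInformation
$status | Export-Csv C:\Temp\GP_CollectionStatus.csv -NoTypeInformation
```

The status file gives the list of hosts to investigate instead of halving the computer list by hand. Reading a remote event log requires the account to have read access to that log on the target and the target's firewall to allow remote event log management.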
A A

ASKER

Sure, let me try that.
A A

ASKER

No luck with the script. Please help.

Okay - did you manage to narrow it down to any single machine with the error and run it against that machine only?

What happened?  Was the error the same?

Thanks,

Alan.
A A

ASKER

Get-WinEvent : The RPC server is unavailable
At line:5 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
A A

ASKER

Even this script also gives me the same error:

foreach($computer in $computers.name){
    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Computername $computer
}

But it works on most (or at least some) other machines fine?

If so, there must be a difference in how the machines are configured.

Are you able to check both a problem machine and one that is working, and see if the RPC services are running?

If using PowerShell:

Get-Service -ComputerName MachineNameFailing -Name *RPC*

Get-Service -ComputerName MachineNameWorking -Name *RPC*


Thanks,

Alan.
A A

ASKER

PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> Get-Service -ComputerName MachineNameFailing -Name *RPC*
Get-Service : Cannot open Service Control Manager on computer 'MachineNameFailing'. This operation might require oth
privileges.
At line:1 char:1
+ Get-Service -ComputerName MachineNameFailing -Name *RPC*
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> Get-Service -ComputerName MachineNameWorking -Name *RPC*
Get-Service : Cannot open Service Control Manager on computer 'MachineNameWorking'. This operation might require oth
privileges.
At line:1 char:1
+ Get-Service -ComputerName MachineNameWorking -Name *RPC*
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
A A

ASKER

Is there any script that I can use in SCCM to grab this information?
A A

ASKER

Can I run this using SCCM against all the devices?
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'

Get-Service -ComputerName MachineNameFailing -Name "NameOfTheService"


You can't use *NAME* there; to filter you can use the where statement.

Get-Service -ComputerName MachineNameFailing | where{ $_.Name -match "NAME"} 


Note there is no "*NAME*"; you can use a regular expression there if you want.
A A

ASKER

I have a list of computers in computers.csv. I am only getting report back for my machine. Am I missing anything in this?

$computers=Import-CSV ".\computers.csv"

Foreach ($computer in $computers){
  $computer
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' | export-csv .\output.txt
}
ASKER CERTIFIED SOLUTION
J0rtIT

This solution is only available to members.
A A

ASKER

Even if I put the computer name, it doesn't give the report from those computers. It only pulls the report for the local machine.
A A

ASKER

This is the result for the script.


PS C:\>
$computers=Import-CSV ".\computers.csv"
Foreach ($computer in $computers){
   Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -ComputerName $computer | export-csv -notypeinformation  ".\$computer.txt"
}

Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand

Well, the error is related to RPC, not to the script itself. That's another post.
Here's some light on that one: https://www.netwrix.com/kb/1291
A A

ASKER

I have checked those three services running on the machine I am testing this script on, confirmed the IP address, and enabled two local policies. Still the same error.

The issue is with the RPC, not with the script, buddy. Troubleshooting the RPC should be another question.
This question started with one question and it has led to several things that aren't related to the original question.
So make correct use of the page and post one matter per question.
Appears to be the best solution.