• Status: Solved

powershell script

Is there a PowerShell script which can query all failed and successful events in Group policy against AD environment? I need that in excel format.

Jose Gabriel Ortega (CEE Solution Guide - CEO Faru Bonon IT) commented:
I don't know any, but I'll share one with you:

Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' |where{ $_.leveldisplayname -ne "information"}

This will look for the Microsoft/Windows/GroupPolicy log (called Operational (WS2012R2)).
It will find anything that doesn't match "information" at the log level (warnings and errors).

Source: https://social.technet.microsoft.com/Forums/windows/en-US/0a9683ab-096f-4a29-a51a-fa685514e9f7/geteventlog-accessing-applications-ans-servies-logs?forum=winserverpowershell

Alan (Consultant) commented:
Hi AA,

This command will generate a CSV file that you can open in Excel showing all the Group Policy events over the last 30 days:

Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-GroupPolicy/Operational'; StartTime=(Get-Date).AddDays(-30)} | Export-CSV C:\Temp\ZZ_WinEvents.csv -NoTypeInformation

If you want to cover a shorter or longer period (limited to how far back your logs go), then change the 30 to whatever duration you want.

Change the destination file path and name as required.


Alan.

A A (Author) commented:
Hi Alan
I am getting this error:

Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-GroupPolic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

A A (Author) commented:
Hi Jose,
I can only see the failed group policy. I also need the successfully applied policy, and I need this to run against all the devices in the AD environment. Can you please tell me how it's done?

thanks!

Jose Gabriel Ortega (CEE Solution Guide - CEO Faru Bonon IT) commented:
Try it like this:
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'

You'd get a bunch of informational events, but I don't see them as successful; they were seen as informational.

A A (Author) commented:
Now I can see both. Can I see what group policy applied to the machine? And how do I get this to run against all the machines in Active Directory?

Jose Gabriel Ortega (CEE Solution Guide - CEO Faru Bonon IT) commented:
****Get all computers using network or IP****
$allcomputers

Check here how to run the script against a whole C-class network. It pings the whole network once and runs the script on those that answered. The logic is here:
https://gallery.technet.microsoft.com/scriptcenter/Process-Killer-for-local-836f5b46


foreach($computer in $computers){
    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Computername $computer
}

Alan (Consultant) commented:
Hi,

I'm inferring that the last command works for you, so to run that one against all computers, try this script:

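Import-Module ActiveDirectory

# Get-ADComputer returns computer objects, not name strings
$Computers = Get-ADComputer -Filter *

ForEach($Computer in $Computers){
    # Pass the Name property; -ComputerName expects a host name string
    Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy' -ComputerName $Computer.Name
}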



Alan.

A A (Author) commented:
I was able to pull the info from my machine but it's not running against all devices in AD.

I am getting this error:

Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

Alan (Consultant) commented:
Odd - I would have expected the error to identify which machines had errors (the RPC service not running).

Maybe run against a smaller subset (half each time for example) and try to work out one machine that is having the problem, and then examine it in more detail.

Alan.

A A (Author) commented:
Sure, let me try that.

A A (Author) commented:
No luck with the script. Please help.

Alan (Consultant) commented:
Okay - did you manage to narrow it down to any single machine with the error and run it against that machine only?

What happened?  Was the error the same?

Thanks,

Alan.

A A (Author) commented:
Get-WinEvent : The RPC server is unavailable
At line:5 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

A A (Author) commented:
Even this script gives me the same error:

foreach($computer in $computers.name){
    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Computername $computer
}

Alan (Consultant) commented:
But it works on most (or at least some) other machines fine?

If so, there must be a difference in how the machines are configured.

Are you able to check both a problem machine and one that is working, and see if the RPC services are running?

If using PowerShell:

Get-Service -ComputerName MachineNameFailing -Name *RPC*

Get-Service -ComputerName MachineNameWorking -Name *RPC*


Thanks,

Alan.

A A (Author) commented:
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> Get-Service -ComputerName MachineNameFailing -Name *RPC*
Get-Service : Cannot open Service Control Manager on computer 'MachineNameFailing'. This operation might require oth
privileges.
At line:1 char:1
+ Get-Service -ComputerName MachineNameFailing -Name *RPC*
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> Get-Service -ComputerName MachineNameWorking -Name *RPC*
Get-Service : Cannot open Service Control Manager on computer 'MachineNameWorking'. This operation might require oth
privileges.
At line:1 char:1
+ Get-Service -ComputerName MachineNameWorking -Name *RPC*
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

A A (Author) commented:
Is there any script that I can use in SCCM to grab this information?

A A (Author) commented:
Can I run this using SCCM against all the devices?
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'

Jose Gabriel Ortega (CEE Solution Guide - CEO Faru Bonon IT) commented:
Get-Service -ComputerName MachineNameFailing -Name "NAmeOfThe Service"

You can't use *NAME* there; to filter you can use the where statement.

Get-Service -ComputerName MachineNameFailing | where{ $_.Name -match "NAME"}

Note there is NO "*NAME*"; you can use a regular expression there if you want.

A A (Author) commented:
I have a list of computers in computers.csv. I am only getting report back for my machine. Am I missing anything in this?

$computers=Import-CSV ".\computers.csv"

Foreach ($computer in $computers){
  $computer
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' | export-csv .\output.txt
}

Jose Gabriel Ortega (CEE Solution Guide - CEO Faru Bonon IT) commented:
Just some details: there's no computer name in the "WinEvent"... so you are asking for the same local computer the number of times of "$computers.count", and you're overwriting the file the same number of times, clearly inefficient.
# Assumes computers.csv has a "Name" column header
$computers = Import-Csv ".\computers.csv"
$output = @()
foreach ($computer in $computers) {
    # Import-Csv yields objects, so pass the Name property as the host name
    $output += Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' -ComputerName $computer.Name
}

$output | Export-Csv -NoTypeInformation .\output.txt

Like this, you will save everything on the output variable and then export it.

And if you want 1 file for each computer I'd do something like


# Assumes computers.csv has a "Name" column header
$computers = Import-Csv ".\computers.csv"
foreach ($computer in $computers) {
    $name = $computer.Name
    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' -ComputerName $name | Export-Csv -NoTypeInformation ".\$name.txt"
}


A A (Author) commented:
Even if I put the computer name, it doesn't give the report from those computers. It only pulls the report for the local machine.

A A (Author) commented:
This is the result for the script.


PS C:\>
$computers=Import-CSV ".\computers.csv"
Foreach ($computer in $computers){
   Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -ComputerName $computer | export-csv -notypeinformation  ".\$computer.txt"
}

Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand

Jose Gabriel Ortega (CEE Solution Guide - CEO Faru Bonon IT) commented:
Well, the error is related to RPC, not to the script itself. That's another post.
Here's the light to that one: https://www.netwrix.com/kb/1291

A A (Author) commented:
I have checked those three services running on the machine I am testing this script on, confirmed the IP address, and enabled two local policies. Still the same error.

Jose Gabriel Ortega (CEE Solution Guide - CEO Faru Bonon IT) commented:
The issue is with the RPC, not with the script, buddy. Troubleshooting the RPC should be another question.
This question started with one question and it has led to several things that aren't related to the original question.
So make correct use of the page and post 1 matter on each question.

Alan (Consultant) commented:
Appears to be the best solution.
Question has a verified solution.
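
One way to run the thread's Group Policy query against every AD computer while recording which host produced each error, as an added example that is not code from any poster above. The output folder, the two file names and the 30-day window are assumptions.

```powershell
# Added example: collect Group Policy operational events from all enabled
# AD computers and keep a separate list of hosts that could not be queried.
Import-Module ActiveDirectory

$logName   = 'Microsoft-Windows-GroupPolicy/Operational'
$startTime = (Get-Date).AddDays(-30)
$outDir    = 'C:\Temp'     # assumed output folder; change as required

# Get-ADComputer returns objects; Get-WinEvent needs the host name string.
$names = Get-ADComputer -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name

$events   = New-Object System.Collections.Generic.List[object]
$failures = New-Object System.Collections.Generic.List[object]

foreach ($name in $names) {
    try {
        # -ErrorAction Stop turns per-host errors into exceptions we can catch.
        $found = Get-WinEvent -ComputerName $name -ErrorAction Stop -FilterHashtable @{
            LogName   = $logName
            StartTime = $startTime
        }
        foreach ($e in $found) {
            $events.Add([pscustomobject]@{
                ComputerName = $name
                TimeCreated  = $e.TimeCreated
                Id           = $e.Id
                Level        = $e.LevelDisplayName   # Information, Warning, Error
                Message      = $e.Message
            })
        }
    }
    catch {
        # "No events were found ..." and "The RPC server is unavailable" both
        # land here, tagged with the host that produced them.
        $failures.Add([pscustomobject]@{
            ComputerName = $name
            Error        = $_.Exception.Message
        })
    }
}

# Both CSV files open directly in Excel.
$events   | Export-Csv (Join-Path $outDir 'GP_Events.csv')   -NoTypeInformation
$failures | Export-Csv (Join-Path $outDir 'GP_Failures.csv') -NoTypeInformation
```

Remote `Get-WinEvent` queries travel over RPC, so each target needs the Remote Event Log Management firewall rules enabled and the querying account needs rights to read the log. Hosts that fail either condition appear in the failures file rather than as anonymous console errors.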
