powershell script

Is there a PowerShell script which can query all failed and successful events in Group policy against AD environment? I need that in excel format.
A AAsked:

Jose Gabriel Ortega CastroCEOCommented:
I don't know any, but I'll share one with you:

Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' |where{ $_.leveldisplayname -ne "information"}


This will look in the Microsoft/Windows/GroupPolicy log (called Operational on WS2012R2).
It will find anything that doesn't match "information" at the log level (warnings and errors).

Source: https://social.technet.microsoft.com/Forums/windows/en-US/0a9683ab-096f-4a29-a51a-fa685514e9f7/geteventlog-accessing-applications-ans-servies-logs?forum=winserverpowershell
0
AlanConsultantCommented:
Hi AA,

This command will generate a CSV file that you can open in Excel showing all the Group Policy events over the last 30 days:

Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-GroupPolicy/Operational'; StartTime=(Get-Date).AddDays(-30)} | Export-CSV C:\Temp\ZZ_WinEvents.csv -NoTypeInformation


If you want to cover a shorter or longer period (limited to how far back your logs go), then change the 30 to whatever duration you want.

Change the destination file path and name as required.


Alan.
0
A AAuthor Commented:
Hi Alan
I am getting this error:

Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-GroupPolic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
0
A AAuthor Commented:
Hi Jose,
I can only see the failed group policy. I also need the successfully applied policy, and I need this to run against all the devices in the AD environment. Can you please tell me how it's done?

thanks!
0
Jose Gabriel Ortega CastroCEOCommented:
Try it like this:
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' 

You'd get a bunch of informational events, but I don't see them as successful; they are seen as informational.
0
A AAuthor Commented:
Now I can see both. Can I see what group policy applied to the machine? And how do I get this to run against all the machines in Active Directory?
0
Jose Gabriel Ortega CastroCEOCommented:
****Get all computers using network or IP****
$allcomputers

Check here how to run the script against a whole class C network. It pings the whole network once and runs the script on those that answered. The logic is here:
https://gallery.technet.microsoft.com/scriptcenter/Process-Killer-for-local-836f5b46


foreach($computer in $computers){
    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Computername $computer
}

0
AlanConsultantCommented:
Hi,

I'm inferring that the last command works for you, so to run that one against all computers, try this script:

Import-Module ActiveDirectory

$Computers = Get-ADComputer -Filter *

ForEach($Computer in $Computers){

    # Get-ADComputer returns objects; -ComputerName expects the computer name as a string
    Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -ComputerName $Computer.Name
}


Alan.
0
A AAuthor Commented:
I was able to pull the info from my machine, but it's not running against all devices in AD.

I am getting this error:

Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:14 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
0
AlanConsultantCommented:
Odd - I would have expected the error to identify which machines had errors (the RPC service not running).

Maybe run against a smaller subset (half each time for example) and try to work out one machine that is having the problem, and then examine it in more detail.

Alan.
0
A AAuthor Commented:
Sure, let me try that.
0
A AAuthor Commented:
No luck with the script. Please help.
0
AlanConsultantCommented:
Okay - did you manage to narrow it down to any single machine with the error and run it against that machine only?

What happened?  Was the error the same?

Thanks,

Alan.
0
A AAuthor Commented:
Get-WinEvent : The RPC server is unavailable
At line:5 char:5
+     Get-WinEvent -ProviderName 'Microsoft-Windows-GroupPolicy'  -Comp ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
0
A AAuthor Commented:
Even this script gives me the same error:

foreach($computer in $computers.name){
    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Computername $computer
}
0
AlanConsultantCommented:
But it works on most (or at least some) other machines fine?

If so, there must be a difference in how the machines are configured.

Are you able to check both a problem machine and one that is working, and see if the RPC services are running?

If using PowerShell:

Get-Service -ComputerName MachineNameFailing -Name *RPC*

Get-Service -ComputerName MachineNameWorking -Name *RPC*


Thanks,

Alan.
0
A AAuthor Commented:
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> Get-Service -ComputerName MachineNameFailing -Name *RPC*
Get-Service : Cannot open Service Control Manager on computer 'MachineNameFailing'. This operation might require oth
privileges.
At line:1 char:1
+ Get-Service -ComputerName MachineNameFailing -Name *RPC*
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> Get-Service -ComputerName MachineNameWorking -Name *RPC*
Get-Service : Cannot open Service Control Manager on computer 'MachineNameWorking'. This operation might require oth
privileges.
At line:1 char:1
+ Get-Service -ComputerName MachineNameWorking -Name *RPC*
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
0
A AAuthor Commented:
Is there any script that I can use in SCCM to grab this information?
0
A AAuthor Commented:
Can I run this using SCCM against all the devices?
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'
0
Jose Gabriel Ortega CastroCEOCommented:
Get-Service -ComputerName MachineNameFailing -Name  "NAmeOfThe Service" 


You can't use *NAME* there; to filter, you can use the where statement.

Get-Service -ComputerName MachineNameFailing | where{ $_.Name -match "NAME"} 


Note that there is no "*NAME*"; you can use a regular expression there if you want.
0
A AAuthor Commented:
I have a list of computers in computers.csv. I am only getting report back for my machine. Am I missing anything in this?

$computers=Import-CSV ".\computers.csv"

Foreach ($computer in $computers){
  $computer
Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy' | export-csv .\output.txt
}
0
Jose Gabriel Ortega CastroCEOCommented:
Just some details: there's no computer name in the "WinEvent"... so you are asking the same local computer "$computers.count" times, and you're overwriting the file the same number of times, which is clearly inefficient.
$computers=Import-CSV ".\computers.csv"
$output=@()
Foreach ($computer in $computers){
    # Import-CSV returns row objects; this assumes the CSV has a "Name" column holding the computer name
    $output+=Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -ComputerName $computer.Name
}

$output | export-csv -notypeinformation  .\output.txt

Like this, you will save everything in the output variable and then export it.

And if you want 1 file for each computer I'd do something like


$computers=Import-CSV ".\computers.csv"
Foreach ($computer in $computers){
   # Assumes the CSV has a "Name" column; pass the name string, not the whole row object
   Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -ComputerName $computer.Name | export-csv -notypeinformation  ".\$($computer.Name).txt"
}

0

A AAuthor Commented:
Even if I put the computer name, it doesn't give the report from those computers. It only pulls the report for the local machine.
0
A AAuthor Commented:
This is the result for the script.


PS C:\>
$computers=Import-CSV ".\computers.csv"
Foreach ($computer in $computers){
   Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -ComputerName $computer | export-csv -notypeinformation  ".\$computer.txt"
}

Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand
 
Get-WinEvent : The RPC server is unavailable
At line:4 char:4
+    Get-WinEvent -ProviderName 'Microsoft-Windows-grouppolicy'  -Compu ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
   nEventCommand
0
Jose Gabriel Ortega CastroCEOCommented:
Well, the error is related to RPC, not to the script itself. That's another post.
Here's some light on that one: https://www.netwrix.com/kb/1291
0
A AAuthor Commented:
I have checked that those three services are running on the machine I am testing this script on, confirmed the IP address, and enabled two local policies. Still the same error.
0
Jose Gabriel Ortega CastroCEOCommented:
The issue is with the RPC, not with the script, buddy. Troubleshooting the RPC should be another question.
This question started with one question and it has led to several things that aren't related to the original question.
So please use the page correctly and post one matter per question.
0
AlanConsultantCommented:
Appears to be the best solution.
0
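An added example, not posted by any participant in this thread: one way to collect the Group Policy operational events discussed above from every AD computer while recording which hosts could not be queried, so a single "RPC server is unavailable" error is attributed to a machine instead of appearing anonymously. The 30-day window, the C:\Temp output folder, the output file names and the IsProblem column are assumptions.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$outDir = 'C:\Temp'                       # assumption: output folder
$filter = @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = (Get-Date).AddDays(-30)   # assumption: look-back window
}

# Get-ADComputer returns objects; -ComputerName needs the host name string.
$names = Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName |
    Where-Object DNSHostName |
    Select-Object -ExpandProperty DNSHostName

$events   = New-Object System.Collections.Generic.List[object]
$failures = New-Object System.Collections.Generic.List[object]

foreach ($name in $names) {
    try {
        # -ErrorAction Stop turns per-host errors into catchable exceptions
        $found = Get-WinEvent -ComputerName $name -FilterHashtable $filter -ErrorAction Stop
        foreach ($e in $found) {
            $events.Add([pscustomobject]@{
                Computer  = $name
                Time      = $e.TimeCreated
                Id        = $e.Id
                Level     = $e.LevelDisplayName
                IsProblem = ($e.Level -in 1, 2, 3)   # Critical, Error, Warning
                Message   = $e.Message
            })
        }
    }
    catch {
        # An empty log is reported as an error too; keep it apart from
        # connectivity or permission failures such as the RPC error.
        $reason = if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            'NoEvents'
        } else {
            $_.Exception.Message
        }
        $failures.Add([pscustomobject]@{ Computer = $name; Reason = $reason })
    }
}

$events   | Export-Csv (Join-Path $outDir 'GP_Events.csv')   -NoTypeInformation
$failures | Export-Csv (Join-Path $outDir 'GP_Failures.csv') -NoTypeInformation
```

Both CSV files open directly in Excel. Reading a remote event log needs the remote event log firewall rules enabled on the target and an account with event log read rights there; membership in the Event Log Readers group is enough, so the collection account does not need to be a local administrator.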