asked on

PowerShell showing different result with event log

Dear all experts,

I run the following command in PowerShell and would like to obtain the security log details,

Get-EventLog -LogName Security -InstanceId 4662

however, I found that the result is not same as the event log, Object name in PowerShell result becomes a SID but in event log it is showing the full DN of the object.

Is there anyway to convert the SID to DN in PowerShell.

3.PNG

Alex

Yes there is

$objSID = New-Object System.Security.Principal.SecurityIdentifier ` 
("ENTER-SID-HERE") 
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount]) 
$objUser.Value

Open in new window

If it's a local user

$objUser = New-Object System.Security.Principal.NTAccount("LOCAL_USER_NAME") 
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier]) 
$strSID.Value

Open in new window

Run that with the local usernames and then match up the SID.

Tom Wong

ASKER

Hi Alex,

How can I convert Object Name: {3a9dc152-f760-4995-80a7-1358cddf6ba3} to CN=LAB3-WS01,OU=Desktops,OU=Devices,OU=SLAM,DC=lab,DC=local

ASKER CERTIFIED SOLUTION

oBdA

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Tom Wong

ASKER

Hi oBdA,

Many thanks from your script and it is working. Just want to ask one more thing, is it possible to filter it by ObjectType in side the event log?

When I run the script, it is showing a lot of event related to event ID 4662, however some of it containing "DomainDNS" which is not include in my scope of result and I would like to filter it.

SOLUTION

oBdA

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Tom Wong

ASKER

Thanks oBda, it works!