Create a script to get the last 30 days' logon history of a DC user running as a service

Dear All,

I would like to check which service is using a domain admin account, when it authenticated and to which server it tried. For example, I have an SQL reporting server with Domain Admin. The service authenticates when it generates reports.

I would like to know on which server this service runs (IP of the server), which user it uses, what kind of authentication (Kerberos, Nego…etc) and, if possible, against which DC it authenticated.

I got this script below and it shows me these details: Source Network IP, User, Authentication Type, Date and Time, and this gets generated when the service restarts. The problem is that the script doesn't bring only the group members which I want; instead, it brings everything, as you can see in the screenshots.

The screenshots below are of Exchange services; I have made a test by assigning the POP service a user called Moe. When running this script on AD (DC01) it checks the logs and brings me all these details, the IP of the Exchange server (where the service is running) and the user it is using.

I would appreciate it if you could help me adjust the script to let it bring only domain admin users, for instance.

Thank you

Get-EventLog -LogName Security -InstanceId 4624 |
  ForEach-Object {
    # translate the raw data into a new object
    [pscustomobject]@{
        Time = $_.TimeGenerated
        User = "{0}\{1}" -f $_.ReplacementStrings[5], $_.ReplacementStrings[6]
        Type = $_.ReplacementStrings[10]
        "Source Network Address" = $_.ReplacementStrings[18]
        Target = $_.ReplacementStrings[19]
    }
  }


Never mind, I found the solution.

For anyone who would like to use this PowerShell script in the future, I am copying it here.


$DomainAdminList = Get-ADGroupMember -Identity 'Domain Admins'
# Get all Domain Controller names
$DomainControllers = Get-ADDomainController -Filter * | Sort-Object HostName
# EventID
$EventID = '4624'
# Get only the last 3 days
$Date = (Get-Date).AddDays(-3)
# Limit log event search for testing as this will take a LONG time on most domains
# For normal running, this will have to be set to zero
$MaxEvent = 100

# Loop through DCs
$DALogEvents = $DomainControllers | ForEach-Object {
    $CurDC = $_.HostName
    Write-Host "`nSearching $CurDC logs..."
    Get-WinEvent -ComputerName $CurDC -FilterHashtable @{LogName='Security'; ID=$EventID; StartTime=$Date} -MaxEvents $MaxEvent |
        # Properties[5] of a 4624 event is TargetUserName
        Where-Object { $_.Properties[5].Value -in $DomainAdminList.SamAccountName } |
        ForEach-Object {
            # Properties[18] is IpAddress (source network address)
            [pscustomobject]@{SourceIP = $_.Properties[18].Value; SamAccountName = $_.Properties[5].Value; Time = $_.TimeCreated; LogonEventLocation = $CurDC}
        }
}
$DALogEvents | Format-Table -AutoSize
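As an added example that is not part of the original post: the same search over the last 30 days asked for in the title, resolving nested Domain Admins membership and reading the 4624 fields (user, logon type, authentication package, source IP) by name from the event XML rather than by positional index. It assumes the ActiveDirectory module and rights to read each DC's Security log remotely.

```powershell
# Added example, not the poster's script. Assumes RSAT ActiveDirectory module and remote
# read access to each DC's Security log.
Import-Module ActiveDirectory

# -Recursive counts users in groups nested inside Domain Admins as well
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLower() }

$Start = (Get-Date).AddDays(-30)
# Logon type 5 is the one a service account produces when its service starts
$LogonTypeNames = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                     8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

$Results = foreach ($DC in (Get-ADDomainController -Filter *).HostName) {
    Write-Host "Searching $DC..."
    $Filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start }
    # SilentlyContinue: Get-WinEvent raises a non-terminating error when a DC has no matches
    Get-WinEvent -ComputerName $DC -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Build a Name -> value table from <EventData><Data Name="...">...</Data>,
            # so the script does not depend on the Properties[] ordering of the OS version
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            if ($d['TargetUserName'] -and $d['TargetUserName'].ToLower() -in $DomainAdmins) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    DC          = $DC
                    User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                    LogonType   = $LogonTypeNames[[int]$d['LogonType']]
                    AuthPackage = $d['AuthenticationPackageName']   # Kerberos, NTLM or Negotiate
                    SourceIP    = $d['IpAddress']
                    Workstation = $d['WorkstationName']
                }
            }
        }
}
$Results | Sort-Object Time | Format-Table -AutoSize
```

Filtering on LogonType 'Service' narrows the output to service-account starts like the SQL reporting case; the DC column answers which domain controller handled the authentication.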