Log filtering to txt

crysti,

welcome to the forums

First of all - when you post code, error messages, sample data or console output format it as code, please.

Here you can read how that works: Guide to Posting Code.

Now to your challenge … unfortunately the information you’re after is hidden in the “Message” property of the returned object. So you have to do some regex acrobatics to cut it out of the rest of the message body.

Try the following snippet:

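```powershell
$FilterHashTable = @{
    LogName = 'Security'
    ID      = 4720
}
Get-WinEvent -FilterHashtable $FilterHashTable -ComputerName 'TargetedDC' -MaxEvents 30 |
ForEach-Object {
    # The first "Account Name:" is the subject (the creator); the greedy middle
    # part skips ahead to the last one, which names the new account.
    # Emitting the object only on a match keeps the True/False result of -match
    # out of the output and avoids reusing a stale $Matches from an earlier event.
    if ($_.Message -match '(?smi)Account Name:\s*(\S*)\s*[\d\D]*Account Name:\s*(\S*)\s*') {
        [PSCustomObject]@{
            TimeCreated        = $_.TimeCreated
            SubjectAccountName = $Matches[1]
            NewAccountName     = $Matches[2]
        }
    }
}
```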

Of course you should replace the value ‘TargetedDC’ with the name of the DC you want to query. :wink:

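An added example, not part of the original post: the same two fields can be read from the event's XML (`ToXml()`) instead of the rendered "Message" text, which avoids the regex and does not depend on the display language of the message. The function name, the sample XML and the output file name are constructed for illustration; `SubjectUserName` and `TargetUserName` are the event-data field names of event 4720.

```powershell
# Added example: parse the XML form of a 4720 event into the same object shape
# as the snippet above. ConvertFrom-UserCreatedEventXml is a hypothetical name.
function ConvertFrom-UserCreatedEventXml {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $evt = ([xml]$EventXml).Event

        # Index every <Data Name="...">value</Data> element by its Name attribute.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [PSCustomObject]@{
            TimeCreated        = [datetime]$evt.System.TimeCreated.SystemTime
            SubjectAccountName = $data['SubjectUserName']   # who created the account
            NewAccountName     = $data['TargetUserName']    # the account that was created
        }
    }
}

# Constructed sample (trimmed to the fields used here) so the function can be
# tried without access to a domain controller.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2024-01-15T10:30:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">new.user</Data>
    <Data Name="SubjectUserName">admin.user</Data>
  </EventData>
</Event>
'@
$sampleXml | ConvertFrom-UserCreatedEventXml

# Against a live DC, reusing $FilterHashTable from the snippet above and
# writing the result to a file (the file name is an assumption):
# Get-WinEvent -FilterHashtable $FilterHashTable -ComputerName 'TargetedDC' -MaxEvents 30 |
#     ForEach-Object { $_.ToXml() } |
#     ConvertFrom-UserCreatedEventXml |
#     Export-Csv -Path .\NewAccounts.csv -NoTypeInformation
```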