PowerShell Log file

I have created a custom Module for our Computer Technicians to efficiently get User information from our Active Directory domain. Some functions interact with Active Directory and some query our terminal servers for users, among other things.

I would like to log who is using these functions, and how often. I could create a log function that creates a text file of information, however I was wondering if there is something more efficient with Group Policy.

The topology is there are two Active Directory Domains, Domain A and Domain B. Domain B contains all of the resources we use to support our clients (SQL, terminal servers, Domain Controllers, etc). Domain A is where our technicians work within.

They launch PS from their local machine which from there will auto-import the necessary modules. The functions will query their credentials for Domain B from which the functions will invoke commands with those credentials to do the necessary tasks.

I would like a central location in case I need to see what technician used what specific function on what day. For instance, if they used the function Set-TPADAccountPassword, I want to see who executed the command, on what day, and whose AD account they changed.

I 'believe' I will need to make a separate log function specific to what I want to record. However, I was wondering if there is another, more efficient approach to what I am trying to do.


I believe Start-Transcript and Stop-Transcript can do what you are looking for. Put the Start-Transcript in your begin block and Stop-Transcript in your end block. It should return all the necessary information. Example:

4/19/2019 9:41 AM C:\> Start-Transcript -Path C:\temp\test.log
Transcript started, output file is C:\temp\test.log
4/19/2019 9:41 AM C:\> gci C:\temp


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/19/2019   9:41 AM                test
-a----        4/19/2019   9:41 AM            677 test.log


4/19/2019 9:41 AM C:\> Stop-Transcript
Transcript stopped, output file is C:\temp\test.log

And the output from the log file:

4/19/2019 9:41 AM C:\> Get-Content -Path C:\temp\test.log
**********************
Windows PowerShell transcript start
Start time: 20190419094140
Username: user1
RunAs User: user1
Configuration Name:
Machine: <actual computer name>(Microsoft Windows NT 10.0.17763.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 11432
PSVersion: 5.1.17763.316
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17763.316
BuildVersion: 10.0.17763.316
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\temp\test.log
4/19/2019 9:41 AM
 C:\>
PS>gci C:\temp


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/19/2019   9:41 AM                test
-a----        4/19/2019   9:41 AM            677 test.log


4/19/2019 9:41 AM
 C:\>
PS>Stop-Transcript
**********************
Windows PowerShell transcript end
End time: 20190419094147
**********************

pwshliquori
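The begin/end pattern from the answer above, written out as a complete function. This is an added example, not code from the original thread or the poster's module: the share path \\logserver\pslogs$, the Domain B server name and the parameter set of Set-TPADAccountPassword are placeholders. Two points the answer does not spell out are handled here: Start-Transcript only records output produced after it starts, so the command line that invoked the function is not in the file unless the function writes its own parameters to the host; and the new password is taken as a SecureString so that nothing in the transcript ever contains it.

```powershell
# Added example (not from the original post): per-call transcript on a central share.
# Placeholders: \\logserver\pslogs$ (central share), dc01.domainb.example (Domain B DC).
function Set-TPADAccountPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,                          # account being changed
        [Parameter(Mandatory)] [System.Security.SecureString] $NewPassword, # never logged
        [Parameter(Mandatory)] [pscredential] $Credential                   # Domain B credential
    )

    begin {
        # One file per technician per day; -Append keeps every call of that day together.
        # $env:USERDOMAIN\$env:USERNAME is the Domain A technician who ran the function.
        $logDir  = '\\logserver\pslogs$'   # placeholder central share
        $logFile = Join-Path $logDir ('{0}_{1:yyyy-MM-dd}.log' -f $env:USERNAME, (Get-Date))
        Start-Transcript -Path $logFile -Append | Out-Null

        # The invoking command line is not captured by the transcript, so write the
        # facts the question asks for explicitly: who, when, which function, which target.
        Write-Host ('[{0:u}] {1}\{2} called {3} for Identity={4} (RunAs Domain B user {5})' -f `
            (Get-Date), $env:USERDOMAIN, $env:USERNAME, $MyInvocation.MyCommand.Name,
            $Identity, $Credential.UserName)
    }

    process {
        try {
            # The actual work against Domain B with the supplied credential.
            Set-ADAccountPassword -Identity $Identity -NewPassword $NewPassword -Reset `
                -Credential $Credential -Server 'dc01.domainb.example'
            Write-Host ('[{0:u}] password reset for {1} succeeded' -f (Get-Date), $Identity)
        }
        catch {
            # A terminating error skips the end block, so close the transcript here too.
            Write-Host ('[{0:u}] password reset for {1} FAILED: {2}' -f (Get-Date), $Identity, $_.Exception.Message)
            Stop-Transcript | Out-Null
            throw
        }
    }

    end {
        Stop-Transcript | Out-Null
    }
}

# Usage (interactive): the technician is prompted for the Domain B credential and the new password.
# Set-TPADAccountPassword -Identity jdoe -NewPassword (Read-Host -AsSecureString 'New password') -Credential (Get-Credential)
```

The transcript header that Windows PowerShell writes (Username, RunAs User, Machine, Start time, as shown in the answer's sample file) supplies the "who" and "when"; the Write-Host line supplies the "whose account". Technicians need write-only or append permissions on the share so that they cannot read or edit each other's log files.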

Regardless of the security and data protection implications, and depending on the actual purpose of this data collection, you could activate PowerShell script block logging on the technicians' clients and collect these event logs on a central server, or forward them to this central server. There you can analyze the collected logs.

Additional Links to Script Block Logging:
https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
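To show what the script block logging approach above yields in practice, here is an added example (not part of the original answer) that enables the policy on a test machine and then pulls the resulting events for one module function. The registry path and value are the ones the "Turn on PowerShell Script Block Logging" Group Policy setting writes; in production they come from the GPO, not from a script. The collector name, the ForwardedEvents log and the function name Set-TPADAccountPassword are placeholders taken from the question.

```powershell
# Added example (not from the original answer): enable script block logging and
# report who invoked a given module function, from the local log or a collector.
# Run elevated for step 1. Placeholders: collector01, Set-TPADAccountPassword.

# --- 1. Enable script block logging locally (same values the GPO sets) ---
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- 2. Collect event 4104 and keep the blocks that mention the function ---
function Get-ModuleFunctionUsage {
    param(
        [string]   $FunctionName = 'Set-TPADAccountPassword',
        [string]   $ComputerName = $env:COMPUTERNAME,
        # On a Windows Event Forwarding collector use -LogName ForwardedEvents instead.
        [string]   $LogName      = 'Microsoft-Windows-PowerShell/Operational',
        [datetime] $Since        = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = $LogName; Id = 4104; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            # Property index 2 of a 4104 event holds the script block text.
            $text = [string]$evt.Properties[2].Value
            if ($text -match [regex]::Escape($FunctionName)) {
                [pscustomobject]@{
                    Time     = $evt.TimeCreated
                    Computer = $evt.MachineName
                    # UserId is the caller's SID; translate to DOMAIN\user when possible.
                    User     = $(try { $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                                 catch { [string]$evt.UserId })
                    Command  = ($text -split "`r?`n")[0].Trim()   # first line: the call as typed
                }
            }
        }
}

# Example: every invocation of Set-TPADAccountPassword in the last week, oldest first
Get-ModuleFunctionUsage | Sort-Object Time | Format-Table -AutoSize

# Same query against the forwarded logs on a collector server
# Get-ModuleFunctionUsage -ComputerName collector01 -LogName ForwardedEvents
```

Because 4104 events record the script text exactly as it was compiled, the interactive call (for example "Set-TPADAccountPassword -Identity jdoe") shows up with the calling user's SID and timestamp, which is the who/what/when the question asks for without any change to the module. The same property means any secret passed as a plain string on the command line is written to the event log as well, so module parameters for passwords should be SecureString or PSCredential, and the forwarded log on the collector needs the same access restrictions as the transcript share.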