Hi Guys,
My script is 99% there. I am querying an OU in AD for old admin accounts and finding out whether their accounts are used anywhere in our environment before disabling them. The part I am having problems with is filtering the event log with Where-Object using a variable. Below, the last line is the one with the variable, and below that is the full script.
Get-EventLog -logname Security -ComputerName $DomainController |
    Where-Object -FilterScript {$_.EventID -eq 4624 -and
        $_.ReplacementStrings[4].Length -gt 10 -and
        $_.ReplacementStrings[5] -notlike "*$" -and
        $_.ReplacementStrings[5] -like "$users.samaccountname"} |
Import-Module ActiveDirectory

# Admin accounts parked in the to-be-disabled OU, with lastLogonTimestamp converted to a DateTime
$users = Get-ADUser -Filter * -SearchBase "OU=ToBeDisabledAdminAccounts,OU=AdminAccounts,OU=XXX,OU=CLINET,DC=domain,DC=forrest,DC=local" -ResultPageSize 0 -Prop CN,samaccountname,lastLogonTimestamp |
    Select CN,samaccountname,@{n="lastLogonDate";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}}

$date = Get-Date
$LoggedOnUsers = ""

# Collect the accounts whose lastLogonTimestamp is less than 3 hours old
foreach ( $user in $users )
{
    $time = ( $date - $user.lastLogonDate ).totalHours
    if ( $time -lt 3 ){
        $LoggedOnUsers += $user.samaccountname + "`n"
    }
}
$LoggedOnUsers

# Domain controllers to scan; the parentheses are needed because -and binds tighter than -or
$DomainControllers = (Get-ADDomain).replicadirectoryservers |
    where { ($_ -like "*AAA*" -or
             $_ -like "*BBB*" -or
             $_ -like "*CCC*") -and
            $_ -notlike "*EXDC*"
    }

# $LoggedOnUsers was initialised to "" above, so an empty string (not $null) means nobody logged on
If ( [string]::IsNullOrEmpty($LoggedOnUsers) ){
    exit
}
else {
    $eventList = @()
    foreach ($DomainController in $DomainControllers)
    {
        # The last condition of this filter is the one that is not working
        Get-EventLog -logname Security -ComputerName $DomainController |
        Where-Object -FilterScript {$_.EventID -eq 4624 -and
            $_.ReplacementStrings[4].Length -gt 10 -and
            $_.ReplacementStrings[5] -notlike "*$" -and
            $_.ReplacementStrings[5] -like "$users.samaccountname"} |
        foreach-Object {
            $row = "" |
                Select-Object -Property UserName, LoginTime, computer
            $row.UserName = $_.ReplacementStrings[5]
            $row.LoginTime = $_.TimeGenerated
            $row.computer = $_.ReplacementStrings[18]
            $eventList += $row
        }
    }
}
$eventList
Any help would be hugely appreciated.
Alex
daniel
March 11, 2015, 5:24pm
Hey Alex,
You’re very close, this should work:
Get-EventLog -logname Security -ComputerName $DomainController |
    Where-Object -FilterScript {$_.EventID -eq 4624 -and
        $_.ReplacementStrings[4].Length -gt 10 -and
        $_.ReplacementStrings[5] -notlike "*$" -and
        $_.ReplacementStrings[5] -in $Users.samaccountname}
I'd recommend filtering your events based on the InstanceId parameter of Get-EventLog though, like:
Get-EventLog -logname Security -ComputerName $DomainController -InstanceId 4624 |
    Where-Object -FilterScript {$_.ReplacementStrings[4].Length -gt 10 -and
        $_.ReplacementStrings[5] -notlike "*$" -and
        $_.ReplacementStrings[5] -in $Users.samaccountname}
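Why the original `-like` filter matches nothing and why the `-in` version does, shown as an added example that is not part of the thread. It runs offline against constructed objects (the `$users`, `$events` and `New-FakeLogon` names are mine, not the script's), so no domain controller, AD module or real Security log is involved. One caveat worth knowing before copying the answer: `-in` and the `$users.samaccountname` member enumeration both need PowerShell 3.0 or later; the last part of the example shows the 2.0-compatible equivalent.

```powershell
# Added example, not from the thread. Everything here is constructed so it runs offline.

# Constructed stand-in for: $users = Get-ADUser ... | Select samaccountname
$users = @(
    [pscustomobject]@{ samaccountname = 'admin.alice' },
    [pscustomobject]@{ samaccountname = 'admin.bob' }
)

# Constructed stand-in for one Get-EventLog 4624 record, carrying only the fields the filter reads.
# For a 4624 event ReplacementStrings[4] is the target SID, [5] the target account name and
# [18] the source network address, which is the layout the thread's filter relies on.
function New-FakeLogon ($Account, $Sid, $Ip) {
    $rs = New-Object string[] 20
    $rs[4] = $Sid; $rs[5] = $Account; $rs[18] = $Ip
    [pscustomobject]@{ EventID = 4624; TimeGenerated = Get-Date; ReplacementStrings = $rs }
}
$events = @(
    (New-FakeLogon 'admin.alice'     'S-1-5-21-1111-2222-3333-1001' '10.0.0.5'),
    (New-FakeLogon 'svc.backup'      'S-1-5-21-1111-2222-3333-1002' '10.0.0.6'),  # not in the OU list
    (New-FakeLogon 'SERVER01$'       'S-1-5-21-1111-2222-3333-1003' '10.0.0.7'),  # computer account
    (New-FakeLogon 'ANONYMOUS LOGON' 'S-1-5-7'                      '-'),         # well-known short SID
    (New-FakeLogon 'admin.bob'       'S-1-5-21-1111-2222-3333-1004' '10.0.0.8')
)

# 1. The original filter. Inside double quotes only $users is expanded (the whole array, joined by
#    spaces); ".samaccountname" is appended as literal text, so the pattern never equals a user name.
$pattern = "$users.samaccountname"
"Pattern the -like operator actually receives: [$pattern]"
$withLike = $events | Where-Object { $_.ReplacementStrings[5] -like $pattern }
"Matches with -like: $(@($withLike).Count)"

# 2. Daniel's fix. Outside quotes, $users.samaccountname enumerates the property across the array
#    (PowerShell 3.0+), and -in tests whether the event's account name is one of those values.
$names = $users.samaccountname
$withIn = $events | Where-Object {
    $_.ReplacementStrings[4].Length -gt 10 -and     # drops well-known SIDs such as S-1-5-7
    $_.ReplacementStrings[5] -notlike '*$' -and     # drops computer accounts
    $_.ReplacementStrings[5] -in $names
}
"Matches with -in: $(@($withIn).Count)"

# 3. PowerShell 2.0 has neither member enumeration nor -in; -contains with the array on the left
#    and ForEach-Object to pull the property give the same membership test.
$names2 = $users | ForEach-Object { $_.samaccountname }
$withContains = $events | Where-Object { $names2 -contains $_.ReplacementStrings[5] }
"Matches with -contains: $(@($withContains).Count)"

# Same shaping as the thread's script, with a typed object instead of "" | Select-Object
$withIn | ForEach-Object {
    [pscustomobject]@{
        UserName  = $_.ReplacementStrings[5]
        LoginTime = $_.TimeGenerated
        Computer  = $_.ReplacementStrings[18]
    }
} | Format-Table -AutoSize
```

Running it prints the literal pattern the `-like` filter was given (an array of objects joined by spaces with `.samaccountname` on the end), zero matches for it, and the two admin accounts for both the `-in` and the `-contains` forms; the computer account and the anonymous logon are dropped by the two guard conditions the thread already uses.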
Thanks Daniël, I'll give those a go and let you know how I go.
Hi Daniël, all good, thanks for the help. Here is the finished script:
# CSS for the HTML report; goes into ConvertTo-Html -Head (the <style> tags had been stripped by the forum rendering)
$a = "<style>"
$a += "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
$a += "TH{border-width: 1px;padding: 10px;border-style: solid;border-color: black;}"
$a += "TD{border-width: 1px;padding: 10px;border-style: solid;border-color: black;}"
$a += "</style>"

Import-Module ActiveDirectory

# Admin accounts parked in the to-be-disabled OU, with lastLogonTimestamp converted to a DateTime
$users = Get-ADUser -Filter * -SearchBase "OU=ToBeDisabledAdminAccounts,OU=AdminAccounts,OU=Client,OU=AAA,DC=Domain,DC=Forrest,DC=local" -ResultPageSize 0 -Prop CN,samaccountname,lastLogonTimestamp |
    Select CN,samaccountname,@{n="lastLogonDate";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}}

$date = Get-Date

# Domain controllers to scan; the parentheses are needed because -and binds tighter than -or
$DomainControllers = (Get-ADDomain).replicadirectoryservers |
    where { ($_ -like "*AAA*" -or
             $_ -like "*BBB*" -or
             $_ -like "*CCC*") -and
            $_ -notlike "*EXDC*"
    }

# Collect the accounts whose lastLogonTimestamp is less than 3 hours old
foreach ( $user in $users )
{
    $time = ( $date - $user.lastLogonDate ).totalHours
    if ( $time -lt 3 ){
        $LoggedOnUsers += $user.samaccountname + "`n"
    }
}

# $LoggedOnUsers is only ever assigned inside the loop, so $null means nobody logged on recently
If ( $LoggedOnUsers -ne $null ) {
    $eventList = @()
    foreach ($DomainController in $DomainControllers)
    {
        # Only 4624 (successful logon) events are pulled from the DC, then narrowed to the OU's accounts
        Get-EventLog -logname Security -ComputerName $DomainController -InstanceId 4624 |
        Where-Object -FilterScript {$_.ReplacementStrings[4].Length -gt 10 -and
            $_.ReplacementStrings[5] -notlike "*$" -and
            $_.ReplacementStrings[5] -in $users.samaccountname} |
        foreach-Object {
            $row = "" |
                Select-Object -Property UserName, LoginTime, computer
            $row.UserName = $_.ReplacementStrings[5]
            $row.LoginTime = $_.TimeGenerated
            $row.computer = $_.ReplacementStrings[18]
            $eventList += $row
        }
    }
    $eventList = $eventList | Sort-Object -Property username
    $body = $eventList | ConvertTo-HTML -head $a -body "Old Admin accounts $date " | Out-String
    $body += "Created from server1"
    # -BodyAsHtml is a switch; the content goes in -Body
    Send-MailMessage -To emailaddress -Subject "Old Admin accounts $date" -SmtpServer smtpserver -from noreply@email.com -Body $body -BodyAsHtml
}