Powershell prinserver+AD_office

This topic contains 2 replies, has 2 voices, and was last updated by Profile photo of Виталий Фролов Виталий Фролов 2 years, 1 month ago.

  • Author
    Posts
  • #25850

    Welcome ladies and gentlemen! At the forum a brand new, but I look there are people in the know ... can anyone help?
    The essence of that is the ... wrote a script on powershell, which grabs the opening event print server id = id = 307 and 805. Next there is a problem with samaccountname, which pulled out of the id = 307 priter server, as well of the most active directory was taken the value = office ... and the same log is recorded in accordance with samaccountname. The question ... is it possible to do this and, if not difficult, no one will tell – how ??
    The script:

    $a3 = Measure-Command -Expression {

    $workpath = "C:\parslog\logs\work"

    $logname = "306EV%"
    $logname3 = "805EV%"
    $logname5 = "printlog%"

    $logname1 = [System.Web.HttpUtility]::UrlEncode($logname)
    $logname2 = [System.Web.HttpUtility]::UrlEncode($logname3)
    $logname4 = [System.Web.HttpUtility]::UrlEncode($logname5)

    $Now = [System.DateTime]::Now
    $filedate = $Now.ToString("yyyy.MM.dd_HH mm")

    $out_evt_file = "$workpath\$logname1-$filedate.evtx"
    $out_evt_file1 = "$workpath\$logname2-$filedate.evtx"
    $out_csv_file = "$workpath\$logname1-$filedate.csv"
    $out_csv_file1 = "$workpath\$logname2-$filedate.csv"
    $out_csv_filetogether = "$workpath\$logname5-$filedate.csv"

    #wevtutil.exe cl $logname /BU:$out_evt_file /uni:true
    #wevtutil.exe cl Microsoft-Windows-PrintService/Operational /BU:c:\install\printaudit\work\filedate.evtx /uni:true
    wevtutil.exe Export-Log Microsoft-Windows-PrintService/Operational C:\parslog\logs\work\filedate.evtx /ow:true
    wevtutil.exe Export-Log Microsoft-Windows-PrintService/Operational C:\parslog\logs\work\filedate1.evtx /ow:true

    $query = "*[System[(Level=4 or Level=0) and (EventID=307)]]"
    $query1 = "*[System[(Level=4 or Level=0) and (EventID=805)]]"

    #$Events = wevtutil.exe query-events $out_evt_file /lf:true /q:$query /f:XML /locale:ru /uni:true
    $Events = wevtutil.exe query-events C:\parslog\logs\work\filedate.evtx /c:50/rd:true /lf:true /q:$query /f:XML /locale:ru /uni:true
    $Events2 = wevtutil.exe query-events C:\parslog\logs\work\filedate1.evtx /c:50 /rd:true /lf:true /q:$query1 /f:XML /locale:ru /uni:true

    $Events1=$Events |
    % { [xml]$_ } |
    % {

    if ($_.Event.UserData.DocumentPrinted.Param7 -is [array] ) {
    New-Object PSObject -Property @{

    JobID = $_.Event.UserData.DocumentPrinted.Param1;
    user = $_.Event.UserData.DocumentPrinted.Param3;
    comp = $_.Event.UserData.DocumentPrinted.Param4;
    printer = $_.Event.UserData.DocumentPrinted.Param5;
    port = $_.Event.UserData.DocumentPrinted.Param6;
    kolvo_str = [int]$_.Event.UserData.DocumentPrinted.Param7[0];
    size = [int]$_.Event.UserData.DocumentPrinted.Param7[1];
    Date = $filedate;
    }
    } else {
    New-Object PSObject -Property @{

    JobID = $_.Event.UserData.DocumentPrinted.Param1;
    user = $_.Event.UserData.DocumentPrinted.Param3;
    comp = $_.Event.UserData.DocumentPrinted.Param4;
    printer = $_.Event.UserData.DocumentPrinted.Param5;
    port = $_.Event.UserData.DocumentPrinted.Param6;
    kolvo_str = [int]$_.Event.UserData.DocumentPrinted.Param7;
    size = [int]$_.Event.UserData.DocumentPrinted.Param8;
    Date = $filedate;
    }
    }
    }

    $Events1 | export-csv -Path $out_csv_file -NoTypeInformation -Encoding Unicode
    $a3

    }

    $Events3=$Events2|
    % { [xml]$_ } |
    % {
    New-Object PSObject -Property @{
    date = $_.Event.System.TimeCreated.SystemTime;
    # time = $_.Event.System.TimeCreated.SystemTime;
    JobID = $_.Event.UserData.RenderJobDiag.Jobid;
    copies = $_.Event.UserData.RenderJobDiag.Copies;

    }
    }

    $Events3 | export-csv -Path $out_csv_file1 -NoTypeInformation -Encoding Unicode

    $a3
    $hash = @{}
    #Import-CSV $out_csv_file | Foreach {$hash[$_.JobID] = $_.user, $_.comp, $_.printer, $_.size, $_.kolvo_str}
    Import-CSV $out_csv_file | Foreach {$hash[$_.JobID] = $_.user, $_.comp, $_.printer, $_.kolvo_str, $_.size}
    $f2 = Import-CSV $out_csv_file1
    #$f2 | Foreach {if($hash[$_.JobID]) { $obj = "" | Select date, time, user, comp, printer, kolvo_str, size, copies
    $f2 | Foreach {if($hash[$_.JobID]) { $obj = "" | Select date, time, user, comp, printer, size, kolvo_str, copies

    $obj.date = Get-Date $_.date -uformat "%d.%m.%Y"
    $obj.time = Get-Date $_.date -uformat "%H:%M:%S"
    $obj.user = $hash[$_.JobID][0]
    $obj.comp = $hash[$_.JobID][1]
    $obj.printer = $hash[$_.JobID][2]
    #$obj.port = $hash[$_.JobID][3]
    $obj.size = $hash[$_.JobID][3]
    $obj.kolvo_str = $hash[$_.JobID][4]
    $obj.copies= $_.copies
    $obj
    }

    }|Export-CSV -NoType $out_csv_filetogether -Delimiter ";"
    Remove-Item C:\parslog\logs\work\*.evtx -Recurse
    Remove-Item $out_csv_file -Recurse ; Write-Host -f 'green' 'green'
    Remove-Item $out_csv_file1 -Recurse ; Write-Host -f 'blue' 'blue'
    -______________________________________________________

    Here the value of user = $ _. Event.UserData.DocumentPrinted.Param3 (opening event of the 307 print server log) is essentially samaccountname.
    How to put this log is also setting office not quite imagine.
    There are some general idea of ​​what you need to do something like that –
    Set Variable .. something like this –
    Import-Module ActiveDirectory
    $ Z = Get-ADUser -Filter * -SearchBase `'OU = rzkoren, OU = Users, OU = rzkoren, OU = Oren, OU = Regions, DC = rzk, DC = local' -SearchScope` Subtree -Properties samaccountname, office | select samaccountname, office
    It was then as it is tied to variable user = $ _. Event.UserData.DocumentPrinted.Param3 ...
    ... I do not understand how to make that impression with the user, which is essentially samaccountname uploaded to this general print log is also the value of office, directly from AD ..
    Writing in the opening event is as follows:
     
    Document 169, Printing a document owned Rodrigis.VI on Oren-Rodrigis, was printed in the Oren-M525 port oren2-hp5. The size in bytes: 101494. Pages printed: 1. The user action is required.
    Help meeeee pls!

  • #25852
    Profile photo of Rob Simmers
    Rob Simmers
    Participant

    A couple of questions:

    [ol]
    [li]Why are you not using Get-WinEvent to get the event log entries? You could probably get information much easier and not have to parse as much.[/li]
    [li]Why are you running two separate queries against the same log? It would be much easier to query query = "*[System[(Level=4 or Level=0) and (EventID=307) or (EventID=805]]" since you are pulling the same information from the events[/li]
    [/ol]

    To answer your question, your can do something like this to get the office information of the user, this code :

    if ($_.Event.UserData.DocumentPrinted.Param7 -is [array] ) {
     New-Object PSObject -Property @{ 
    
    JobID = $_.Event.UserData.DocumentPrinted.Param1;
     user = $_.Event.UserData.DocumentPrinted.Param3;
     comp = $_.Event.UserData.DocumentPrinted.Param4;
     printer = $_.Event.UserData.DocumentPrinted.Param5;
     port = $_.Event.UserData.DocumentPrinted.Param6;
     kolvo_str = [int]$_.Event.UserData.DocumentPrinted.Param7[0];
     size = [int]$_.Event.UserData.DocumentPrinted.Param7[1];
     Date = $filedate;
     }
     } else {
     New-Object PSObject -Property @{ 
    
    JobID = $_.Event.UserData.DocumentPrinted.Param1;
     user = $_.Event.UserData.DocumentPrinted.Param3;
     comp = $_.Event.UserData.DocumentPrinted.Param4;
     printer = $_.Event.UserData.DocumentPrinted.Param5;
     port = $_.Event.UserData.DocumentPrinted.Param6;
     kolvo_str = [int]$_.Event.UserData.DocumentPrinted.Param7;
     size = [int]$_.Event.UserData.DocumentPrinted.Param8;
     Date = $filedate;
     }
     }
    

    could be updated like so:

    #There are only 2 params affected if the item is an array, so it's a bit cleaner
    #to convert them to variables and use them in the object creation
    if ($_.Event.UserData.DocumentPrinted.Param7 -is [array] ) {
        $kolvo_str = [int]$_.Event.UserData.DocumentPrinted.Param7[0]
        $size = [int]$_.Event.UserData.DocumentPrinted.Param7[1]
    }
    else {
        $kolvo_str = [int]$_.Event.UserData.DocumentPrinted.Param7;
        $size = [int]$_.Event.UserData.DocumentPrinted.Param8;
    }
    
    #To get the office, you can use Get-ADUser and search for the user, pull the Office property and then Expand it to get the contents
     New-Object PSObject -Property @{ 
        JobID = $_.Event.UserData.DocumentPrinted.Param1;
        user = $_.Event.UserData.DocumentPrinted.Param3;
        office = (Get-ADUser -Identity $($_.Event.UserData.DocumentPrinted.Param3) -Properties Office | Select -ExpandProperty Office) 
        comp = $_.Event.UserData.DocumentPrinted.Param4;
        printer = $_.Event.UserData.DocumentPrinted.Param5;
        port = $_.Event.UserData.DocumentPrinted.Param6;
        kolvo_str = $kolvo_str;
        size = $size;
        Date = $filedate;}
    
  • #25860

    [u]Thank you very much! This is, indeed, valuable information![/u]
    Simple and elegant!
    A complete set about the use of Get-winevent:
    I tried to use this, and successfully, but failed to link the two events (307) and (805) into a single file. Although the function is very good, it is helping to set the time interval, which in itself is very convenient. However, if you do not complicate, could you give an example with the function of get-winEvent,
    but the event period to merge the two values 307 and 805 in a single log? From 805 it takes only the value of copies....

You must be logged in to reply to this topic.