PS script generating single alert for multiple windows event ID


    • #264923
      Participant
      Topics: 1
      Replies: 1
      Points: 35
      Rank: Member

      I have created a PS script to notify me via email when any account in Active Directory is deleted. I attached the script to the relevant EVENT.

      Using ADUC (GUI) on the AD server, if I delete a single user account, I receive a notification, BUT if I try to DELETE TWO users at a time by selecting BOTH user accounts, the script sends two alerts for the same user, not for each.

      In Event Viewer I can see each user's event separately, but what I have noticed is that, maybe due to the same datetime of the events, the get-event is getting the last event only. If I delete users one by one, then the alerts work fine for each user.

      PS Script:

    • #265058
      Participant
      Topics: 1
      Replies: 55
      Points: 522
      Helping Hand
      Rank: Major Contributor

      Hello syed.jahanzaib87,

      In your code, in line #9, you are getting only the one last event (-Newest 1), so if you delete two users you will get 2 notifications, but for the same user (the last), as they were deleted at the same time.

       

      Hope that helps.

    • #265301
      Participant
      Topics: 8
      Replies: 168
      Points: 817
      Helping Hand
      Rank: Major Contributor

      It would appear that if you want notifications for all events that include ones triggered at the same time, you will have to keep track of the time span between the intervals at which you are checking and report back all events in that timespan and forgo limiting your return to just one.

    • #265376
      Participant
      Topics: 1
      Replies: 1
      Points: 35
      Rank: Member

      The script is triggered as soon as the particular event ID is created in Event Viewer (“Task attached to event”).

      I would really appreciate a line of code if possible, as I really do not have much idea about PS scripting. Thanks

    • #265505
      Participant
      Topics: 9
      Replies: 674
      Points: 2,665
      Helping Hand
      Rank: Community Hero

      Are they both listed in a single event?

    • #266363
      Participant
      Topics: 8
      Replies: 168
      Points: 817
      Helping Hand
      Rank: Major Contributor

      Just thinking out loud … some thoughts.

      Set an Environment Variable of your liking for the user running the script (run sysdm.cpl, Advanced, Environment Variables) to keep track of each time the script runs. You can then access that variable from PS using $ENV:Variable. This way, the value is persistent outside the script.

      Then in your code, calculate if the event occurred after the last time run.

      $GetEvent = Get-EventLog -LogName "Security" -InstanceID $EventID -After ([DateTime]$ENV:Variable)

      At the end of the script, store the new date/time.

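      # Write to the user's environment; assigning $ENV:Variable alone only changes the current process
      [Environment]::SetEnvironmentVariable('Variable', (Get-Date).ToString('o'), 'User')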
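
The approach discussed in this thread (report every event since the last run instead of only the newest one), as an added example that is not the original poster's script or any participant's code. It goes a step further than a timestamp: it tracks the highest event RecordId in a state file, so events with identical timestamps are still reported once each. Assumptions: event ID 4726 for user deletion and its `TargetUserName`/`SubjectUserName` fields, the state file path, the mutex name, and the SMTP server and addresses are placeholders.

```powershell
# Added example, not the original poster's script.
param(
    [int]$EventId = 4726,                                      # assumption: "A user account was deleted"
    [string]$StateFile = 'C:\Scripts\ad-delete-alert.state',   # hypothetical path
    [string]$SmtpServer = 'smtp.example.com',                  # placeholder
    [string]$From = 'ad-alerts@example.com',                   # placeholder
    [string]$To = 'admin@example.com'                          # placeholder
)

# The task fires once per event, so two instances can start together.
# A named mutex makes them take turns (mutex name is hypothetical).
$mutex = New-Object System.Threading.Mutex($false, 'Global\AdDeleteAlert')
[void]$mutex.WaitOne()
try {
    $filter = @{ LogName = 'Security'; Id = $EventId }
    $last = 0L
    if (Test-Path $StateFile) {
        # Highest RecordId already reported
        $last = [long](Get-Content $StateFile | Select-Object -First 1)
    } else {
        # First run: do not mail the whole log history
        $filter.StartTime = (Get-Date).AddMinutes(-5)
    }

    # No "-Newest 1": take every matching event above the watermark, oldest first.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordId -gt $last } | Sort-Object RecordId)

    foreach ($e in $events) {
        # Read named fields from the event XML rather than parsing message text
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

        $body = "Deleted account: {0}\{1}`nDeleted by: {2}\{3}`nTime: {4:s}`nRecord ID: {5}" -f
            $d.TargetDomainName, $d.TargetUserName, $d.SubjectDomainName,
            $d.SubjectUserName, $e.TimeCreated, $e.RecordId

        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
            -Subject "AD account deleted: $($d.TargetUserName)" -Body $body -ErrorAction Stop

        # Advance the watermark only after this alert was sent
        Set-Content -Path $StateFile -Value $e.RecordId
    }
} finally {
    $mutex.ReleaseMutex()
}
```

When two deletions trigger the task twice, the first instance reports both events and the second finds nothing above the watermark, so each deleted account produces exactly one alert.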
