
March 11, 2015 at 9:42 pm

Hi Guys,

My script is 99% there. I am querying an OU in AD for old admin accounts and finding out if their accounts are used anywhere in our environment before disabling them. The part I am having problems with is filtering the event log with Where-Object using a variable. Below, the last line is the variable, and below that is the full script.

Get-EventLog -logname Security -ComputerName $DomainController |
Where-Object -FilterScript {$_.EventID -eq 4624 -and
$_.ReplacementStrings[4].Length -gt 10 -and
$_.ReplacementStrings[5] -notlike "*$" -and
$_.ReplacementStrings[5] -like "$users.samaccountname"} |


Import-Module ActiveDirectory

# Admin accounts queued for disabling, with lastLogonTimestamp converted to a DateTime
$users = Get-ADUser -Filter * -SearchBase "OU=ToBeDisabledAdminAccounts,OU=AdminAccounts,OU=XXX,OU=CLINET,DC=domain,DC=forrest,DC=local" -ResultPageSize 0 -Properties CN,samaccountname,lastLogonTimestamp |
         Select-Object CN,samaccountname,@{n="lastLogonDate";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}}

$date = Get-Date

$LoggedOnUsers = ""

# Anyone whose lastLogonTimestamp is less than three hours old
foreach ( $user in $users ) {
    $time = ( $date - $user.lastLogonDate ).TotalHours
    if ( $time -lt 3 ) {
        $LoggedOnUsers += $user.samaccountname + "`n"
    }
}

$LoggedOnUsers

# Domain controllers to query. The -or tests are grouped in parentheses so the
# -notlike exclusion applies to all of them (-and binds tighter than -or).
$DomainControllers = (Get-ADDomain).ReplicaDirectoryServers |
                      Where-Object { ($_ -like "*AAA*" -or
                                      $_ -like "*BBB*" -or
                                      $_ -like "*CCC*") -and
                                      $_ -notlike "*EXDC*"
                      }

# $LoggedOnUsers starts as "", which is not $null, so test for an empty string
if ( [string]::IsNullOrEmpty($LoggedOnUsers) ) {
    exit
}
else {
    $eventList = @()

    foreach ($DomainController in $DomainControllers) {
        Get-EventLog -LogName Security -ComputerName $DomainController |
        Where-Object -FilterScript {$_.EventID -eq 4624 -and
                                    $_.ReplacementStrings[4].Length -gt 10 -and   # TargetUserSid; skips short well-known SIDs
                                    $_.ReplacementStrings[5] -notlike "*$" -and   # TargetUserName; skips computer accounts
                                    $_.ReplacementStrings[5] -like "$users.samaccountname"} |   # the comparison that is not filtering as intended
        ForEach-Object {
            $row = "" | Select-Object -Property UserName, LoginTime, computer
            $row.UserName  = $_.ReplacementStrings[5]
            $row.LoginTime = $_.TimeGenerated
            $row.computer  = $_.ReplacementStrings[18]   # for 4624 this index is IpAddress; WorkstationName is index 11
            $eventList += $row
        }
    }
}

$eventList

Any help would be hugely appreciated.

Alex

March 11, 2015 at 10:54 pm

Hey Alex,

You're very close, this should work:

Get-EventLog -logname Security -ComputerName $DomainController | 
            Where-Object -FilterScript {$_.EventID -eq 4624 -and 
                                        $_.ReplacementStrings[4].Length -gt 10 -and 
                                        $_.ReplacementStrings[5] -notlike "*$" -and 
                                        $_.ReplacementStrings[5] -in $Users.samaccountname}

I'd recommend filtering your events based on the InstanceId parameter of Get-EventLog though, like:

Get-EventLog -logname Security -ComputerName $DomainController  -InstanceId 4624 | 
            Where-Object -FilterScript {$_.ReplacementStrings[4].Length -gt 10 -and 
                                        $_.ReplacementStrings[5] -notlike "*$" -and 
                                        $_.ReplacementStrings[5] -in $Users.samaccountname}
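An added example, not code from either post, that shows why the original `-like "$users.samaccountname"` test never matches and how the `-in` operator (PowerShell 3.0 or later) from the reply fixes it. It uses constructed stand-in objects for the `Get-ADUser` output and for the 4624 records so it runs without Active Directory or a domain controller; the account names, SIDs, hosts, addresses and the helper names `New-FakeLogon` and `Select-AdminLogonEvent` are assumptions made for this example.

```powershell
# Added example (not from the thread). Constructed data throughout; the names,
# SIDs and hosts below are invented for illustration.

# Stand-in for the thread's Get-ADUser | Select-Object output (constructed).
$users = @(
    [pscustomobject]@{ CN = 'Alice Admin'; samaccountname = 'alice-adm' },
    [pscustomobject]@{ CN = 'Bob Admin';   samaccountname = 'bob-adm'   }
)

# Stand-in for Get-EventLog Security records with InstanceId 4624 (constructed).
# ReplacementStrings positions follow the 4624 field order:
# [4] TargetUserSid, [5] TargetUserName, [11] WorkstationName, [18] IpAddress.
function New-FakeLogon ($Sid, $User, $Workstation, $Ip, $When) {
    $rs = New-Object string[] 20
    $rs[4] = $Sid; $rs[5] = $User; $rs[11] = $Workstation; $rs[18] = $Ip
    [pscustomobject]@{ InstanceId = 4624; TimeGenerated = $When; ReplacementStrings = $rs }
}
$events = @(
    (New-FakeLogon 'S-1-5-21-1111-2222-3333-1105' 'alice-adm' 'WS01' '10.0.0.5' ([datetime]'2015-03-11 20:15'))
    (New-FakeLogon 'S-1-5-21-1111-2222-3333-1106' 'carol'     'WS02' '10.0.0.6' ([datetime]'2015-03-11 20:16'))
    (New-FakeLogon 'S-1-5-18'                     'DC01$'     'DC01' '-'        ([datetime]'2015-03-11 20:17'))
    (New-FakeLogon 'S-1-5-21-1111-2222-3333-1107' 'BOB-ADM'   'WS03' '10.0.0.7' ([datetime]'2015-03-11 20:18'))
)

# 1. The original test. Inside a double-quoted string only $users is expanded
#    (its elements joined by spaces); ".samaccountname" stays literal text, so
#    the resulting pattern can never equal a TargetUserName.
$pattern = "$users.samaccountname"
$broken  = $events | Where-Object { $_.ReplacementStrings[5] -like $pattern }

# 2. The fixed test from the reply: -in checks whether the single
#    TargetUserName is a member of the array of names (case-insensitive).
$fixed = $events | Where-Object {
    $_.ReplacementStrings[4].Length -gt 10 -and      # skip short well-known SIDs such as S-1-5-18
    $_.ReplacementStrings[5] -notlike '*$' -and      # skip computer accounts
    $_.ReplacementStrings[5] -in $users.samaccountname
}

"Pattern used by the -like test: {0}" -f $pattern
"Broken -like filter matched {0} event(s); fixed -in filter matched {1}" -f @($broken).Count, @($fixed).Count

# 3. The same filter as a pipeline function, so it can be fed from the real
#    Get-EventLog ... -InstanceId 4624 output. It reports the workstation name
#    (index 11) and the source address (index 18) separately instead of
#    labelling index 18 "computer".
function Select-AdminLogonEvent {
    param(
        [Parameter(ValueFromPipeline = $true)] $Event,
        [string[]] $SamAccountNames,
        [string]   $DomainController = 'unknown'
    )
    process {
        $rs = $Event.ReplacementStrings
        if ($rs[4].Length -gt 10 -and $rs[5] -notlike '*$' -and $rs[5] -in $SamAccountNames) {
            [pscustomobject]@{
                UserName         = $rs[5]
                LoginTime        = $Event.TimeGenerated
                Workstation      = $rs[11]
                SourceIp         = $rs[18]
                DomainController = $DomainController
            }
        }
    }
}

$events | Select-AdminLogonEvent -SamAccountNames $users.samaccountname -DomainController 'DC01' |
    Format-Table -AutoSize
```

In the real script the `$events` stand-in is replaced by `Get-EventLog -LogName Security -ComputerName $DomainController -InstanceId 4624`, which still transfers every 4624 record before Where-Object sees it. `Get-WinEvent -ComputerName $DomainController -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-3)}` applies the ID and time filter on the remote side; its records expose the same fields through `$_.Properties[5].Value` rather than `ReplacementStrings[5]`.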

March 12, 2015 at 3:58 pm

Thanks Daniël, I'll give those a go and let you know how I go 🙂

March 12, 2015 at 9:28 pm

Hi Daniël, all good, thanks for the help. Here is the finished script 🙂

$a = "AAA pic"    # header line; the surrounding markup did not survive the forum's rendering
$a += "<style>"   # style tags restored; the forum stripped them from the post
$a += "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
$a += "TH{border-width: 1px;padding: 10px;border-style: solid;border-color: black;}"
$a += "TD{border-width: 1px;padding: 10px;border-style: solid;border-color: black;}"
$a += "</style>"

Import-Module ActiveDirectory

$users = Get-ADUser -Filter * -SearchBase "OU=ToBeDisabledAdminAccounts,OU=AdminAccounts,OU=Client,OU=AAA,DC=Domain,DC=Forrest,DC=local" -ResultPageSize 0 -Properties CN,samaccountname,lastLogonTimestamp |
         Select-Object CN,samaccountname,@{n="lastLogonDate";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}}

$date = Get-Date

# The -or tests are grouped in parentheses so the -notlike exclusion applies
# to all of them (-and binds tighter than -or).
$DomainControllers = (Get-ADDomain).ReplicaDirectoryServers |
                      Where-Object { ($_ -like "*AAA*" -or
                                      $_ -like "*BBB*" -or
                                      $_ -like "*CCC*") -and
                                      $_ -notlike "*EXDC*" }

$LoggedOnUsers = ""
foreach ( $user in $users ) {
    $time = ( $date - $user.lastLogonDate ).TotalHours
    if ( $time -lt 3 ) {
        $LoggedOnUsers += $user.samaccountname + "`n"
    }
}

if ( -not [string]::IsNullOrEmpty($LoggedOnUsers) ) {
    $eventList = @()

    foreach ($DomainController in $DomainControllers) {
        Get-EventLog -LogName Security -ComputerName $DomainController -InstanceId 4624 |
        Where-Object -FilterScript {$_.ReplacementStrings[4].Length -gt 10 -and
                                    $_.ReplacementStrings[5] -notlike "*$" -and
                                    $_.ReplacementStrings[5] -in $users.samaccountname} |
        ForEach-Object {
            $row = "" | Select-Object -Property UserName, LoginTime, computer
            $row.UserName  = $_.ReplacementStrings[5]
            $row.LoginTime = $_.TimeGenerated
            $row.computer  = $_.ReplacementStrings[18]   # IpAddress for 4624; WorkstationName is index 11
            $eventList += $row
        }
    }

    $eventList = $eventList | Sort-Object -Property UserName

    $body  = $eventList | ConvertTo-Html -Head $a -Body "Old Admin accounts $date " | Out-String
    $body += "Created from server1"

    # -BodyAsHtml is a switch, so the body is passed with -Body rather than as its argument
    Send-MailMessage -To emailaddress -Subject "Old Admin accounts $date" -SmtpServer smtpserver -From noreply@email.com -Body $body -BodyAsHtml
}