Where-Object -filterscript with variable

This topic contains 3 replies, has 2 voices, and was last updated by Alex Aymonier 1 year, 8 months ago.

  • #23253
    Alex Aymonier
    Participant

    Hi Guys,

    My script is 99% there. I am querying an OU in AD for old admin accounts and finding out if their accounts are used anywhere in our environment before disabling them. The part I am having problems with is filtering the event log with Where-Object using a variable. Below, in the last line, is the variable, and below that the full script.

    Get-EventLog -logname Security -ComputerName $DomainController |
    Where-Object -FilterScript {$_.EventID -eq 4624 -and
    $_.ReplacementStrings[4].Length -gt 10 -and
    $_.ReplacementStrings[5] -notlike "*$" -and
    $_.ReplacementStrings[5] -like "$users.samaccountname"} |

    
    Import-Module ActiveDirectory

    # Candidate accounts, with lastLogonTimestamp converted to a DateTime.
    # Note: lastLogonTimestamp is only refreshed when the stored value is older
    # than the domain's sync interval (14 days by default), so it is not a
    # precise "last logon" time.
    $users = Get-ADUser -Filter * -SearchBase "OU=ToBeDisabledAdminAccounts,OU=AdminAccounts,OU=XXX,OU=CLINET,DC=domain,DC=forrest,DC=local" -ResultPageSize 0 -Prop CN,samaccountname,lastLogonTimestamp |
             Select CN,samaccountname,@{n="lastLogonDate";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}}

    $date = Get-Date

    $LoggedOnUsers = ""

    # Accounts whose lastLogonTimestamp is less than 3 hours old.
    foreach ( $user in $users ) {
        $time = ( $date - $user.lastLogonDate ).totalHours
        if ( $time -lt 3 ) {
            $LoggedOnUsers += $user.samaccountname + "`n"
        }
    }

    $LoggedOnUsers

    # Domain controllers to query. The parentheses make the EXDC exclusion apply
    # to all three name patterns; without them -and binds tighter than -or and
    # only the *CCC* match is checked against *EXDC*.
    $DomainControllers = (Get-ADDomain).replicadirectoryservers |
                          where { ($_ -like "*AAA*" -or
                                   $_ -like "*BBB*" -or
                                   $_ -like "*CCC*") -and
                                  $_ -notlike "*EXDC*"
                          }

    # $LoggedOnUsers was initialised to "" above, so test for an empty string
    # rather than $null (an empty string is never -eq $null, so the exit would
    # otherwise never happen).
    If ( [string]::IsNullOrEmpty($LoggedOnUsers) ) {
        exit
    }
    else {
        $eventList = @()
        foreach ($DomainController in $DomainControllers) {
            # The last comparison in this filter is the one the question is about.
            Get-EventLog -logname Security -ComputerName $DomainController |
            Where-Object -FilterScript {$_.EventID -eq 4624 -and
                                        $_.ReplacementStrings[4].Length -gt 10 -and
                                        $_.ReplacementStrings[5] -notlike "*$" -and
                                        $_.ReplacementStrings[5] -like "$users.samaccountname"} |
            foreach-Object {
                $row = "" | Select-Object -Property UserName, LoginTime, computer
                $row.UserName = $_.ReplacementStrings[5]
                $row.LoginTime = $_.TimeGenerated
                $row.computer = $_.ReplacementStrings[18]
                $eventList += $row
            }
        }
    }

    $eventList
    
    

    Any help would be hugely appreciated.

    Alex

  • #23254
    Daniël
    Participant

    Hey Alex,

    You're very close; this should work:

    Get-EventLog -logname Security -ComputerName $DomainController | 
                Where-Object -FilterScript {$_.EventID -eq 4624 -and 
                                            $_.ReplacementStrings[4].Length -gt 10 -and 
                                            $_.ReplacementStrings[5] -notlike "*$" -and 
                                            $_.ReplacementStrings[5] -in $Users.samaccountname}
    

    I'd recommend filtering your events based on the InstanceId parameter of Get-EventLog though, like:

    Get-EventLog -logname Security -ComputerName $DomainController  -InstanceId 4624 | 
                Where-Object -FilterScript {$_.ReplacementStrings[4].Length -gt 10 -and 
                                            $_.ReplacementStrings[5] -notlike "*$" -and 
                                            $_.ReplacementStrings[5] -in $Users.samaccountname}
    
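Added example (not from this thread, and not either poster's code): it reproduces the Where-Object filter from the reply above against a handful of constructed 4624-style event objects, so the difference between `-like "$users.samaccountname"` and `-in $users.samaccountname` can be checked offline without a domain controller. The `$users` and `$events` objects, the `New-Sample4624` and `Get-OldAdminLogons` functions and all SIDs, names and addresses are constructed for the example. For a real 4624 record, ReplacementStrings[4] is TargetUserSid, [5] is TargetUserName, [11] is WorkstationName and [18] is IpAddress, so the thread's `computer` column actually holds the source IP; the example keeps both. Server-side selection with `-InstanceId 4624` has no offline equivalent here, so the sample objects are all already 4624 events.

```powershell
# Stand-in for the Get-ADUser | Select output: only samaccountname matters for the filter.
$users = @(
    [pscustomobject]@{ CN = 'Old Admin One'; samaccountname = 'adm-one' }
    [pscustomobject]@{ CN = 'Old Admin Two'; samaccountname = 'adm-two' }
)

# Constructed stand-in for a Get-EventLog Security 4624 record. Only the
# ReplacementStrings positions the thread's filter reads are filled in.
function New-Sample4624 {
    param([string]$Sid, [string]$User, [string]$Workstation, [string]$Ip, [datetime]$When)
    $rs = New-Object string[] 20
    $rs[4]  = $Sid          # TargetUserSid
    $rs[5]  = $User         # TargetUserName
    $rs[11] = $Workstation  # WorkstationName
    $rs[18] = $Ip           # IpAddress
    [pscustomobject]@{
        EventID            = 4624
        InstanceId         = 4624
        TimeGenerated      = $When
        ReplacementStrings = $rs
    }
}

# Constructed sample events: two old admins, a normal user, a computer account
# and an anonymous logon (well-known SID, shorter than 10 characters).
$events = @(
    New-Sample4624 -Sid 'S-1-5-21-1111-2222-3333-1001' -User 'adm-one' -Workstation 'WS01' -Ip '10.0.0.5' -When (Get-Date '2016-01-10 08:00')
    New-Sample4624 -Sid 'S-1-5-21-1111-2222-3333-1002' -User 'jsmith' -Workstation 'WS02' -Ip '10.0.0.6' -When (Get-Date '2016-01-10 08:05')
    New-Sample4624 -Sid 'S-1-5-21-1111-2222-3333-1003' -User 'SRV01$' -Workstation 'SRV01' -Ip '10.0.0.7' -When (Get-Date '2016-01-10 08:06')
    New-Sample4624 -Sid 'S-1-5-7' -User 'ANONYMOUS LOGON' -Workstation '-' -Ip '-' -When (Get-Date '2016-01-10 08:07')
    New-Sample4624 -Sid 'S-1-5-21-1111-2222-3333-1004' -User 'adm-two' -Workstation 'WS03' -Ip '10.0.0.8' -When (Get-Date '2016-01-10 08:09')
)

# The original comparison. Inside a double-quoted string only $users is expanded
# (the array's elements, joined with spaces); ".samaccountname" stays literal, so
# the resulting wildcard pattern can never equal a real user name.
"Pattern the original filter compares against: '$users.samaccountname'"
$broken = $events | Where-Object { $_.ReplacementStrings[5] -like "$users.samaccountname" }
"Matches with -like: $(@($broken).Count)"   # 0

# The corrected comparison from the reply: -in tests membership in the array of names.
function Get-OldAdminLogons {
    param($Events, $Users)
    $Events |
        Where-Object -FilterScript {
            # drop well-known SIDs such as S-1-5-7 (anonymous) and S-1-5-18 (SYSTEM)
            $_.ReplacementStrings[4].Length -gt 10 -and
            # drop computer accounts, whose names end in $
            $_.ReplacementStrings[5] -notlike '*$' -and
            # keep only the accounts under review
            $_.ReplacementStrings[5] -in $Users.samaccountname
        } |
        ForEach-Object {
            [pscustomobject]@{
                UserName    = $_.ReplacementStrings[5]
                LoginTime   = $_.TimeGenerated
                Workstation = $_.ReplacementStrings[11]
                SourceIp    = $_.ReplacementStrings[18]
            }
        }
}

$hits = Get-OldAdminLogons -Events $events -Users $users
"Matches with -in: $(@($hits).Count)"       # 2 (adm-one and adm-two)
$hits | Format-Table -AutoSize
```

Running this prints the literal pattern the broken filter was using, zero matches for it, and the two expected rows for the `-in` version. The `-in` operator needs PowerShell 3.0 or later; on 2.0 the equivalent is `$Users.samaccountname -contains $_.ReplacementStrings[5]`.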
  • #23292
    Alex Aymonier
    Participant

    Thanks Daniël, I'll give those a go and let you know how I go 🙂

  • #23298
    Alex Aymonier
    Participant

    Hi Daniël, all good, thanks for the help. Here is the finished script 🙂

    # HTML header for ConvertTo-Html. The forum stripped the HTML tags out of
    # these string literals (the style element wrapping the CSS and the image
    # markup on the "AAA pic" line), so they appear here as posted.
    $a = "
    AAA pic
    "
    $a += ""
    $a += "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
    $a += "TH{border-width: 1px;padding: 10px;border-style: solid;border-color: black;}"
    $a += "TD{border-width: 1px;padding: 10px;border-style: solid;border-color: black;}"
    $a += ""

    Import-Module ActiveDirectory

    # Candidate accounts, with lastLogonTimestamp converted to a DateTime.
    $users = Get-ADUser -Filter * -SearchBase "OU=ToBeDisabledAdminAccounts,OU=AdminAccounts,OU=Client,OU=AAA,DC=Domain,DC=Forrest,DC=local" -ResultPageSize 0 -Prop CN,samaccountname,lastLogonTimestamp |
             Select CN,samaccountname,@{n="lastLogonDate";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}}

    $date = Get-Date

    # Domain controllers to query. The parentheses make the EXDC exclusion apply
    # to all three name patterns (-and binds tighter than -or).
    $DomainControllers = (Get-ADDomain).replicadirectoryservers |
                          where { ($_ -like "*AAA*" -or
                                   $_ -like "*BBB*" -or
                                   $_ -like "*CCC*") -and
                                  $_ -notlike "*EXDC*"
                          }

    # Accounts whose lastLogonTimestamp is less than 3 hours old.
    foreach ( $user in $users ) {
        $time = ( $date - $user.lastLogonDate ).totalHours
        if ( $time -lt 3 ) {
            $LoggedOnUsers += $user.samaccountname + "`n"
        }
    }

    If ( $LoggedOnUsers -ne $null ) {
        $eventList = @()
        foreach ($DomainController in $DomainControllers) {
            Get-EventLog -logname Security -ComputerName $DomainController -InstanceId 4624 |
            Where-Object -FilterScript {$_.ReplacementStrings[4].Length -gt 10 -and
                                        $_.ReplacementStrings[5] -notlike "*$" -and
                                        $_.ReplacementStrings[5] -in $users.samaccountname} |
            foreach-Object {
                $row = "" | Select-Object -Property UserName, LoginTime, computer
                $row.UserName = $_.ReplacementStrings[5]
                $row.LoginTime = $_.TimeGenerated
                $row.computer = $_.ReplacementStrings[18]
                $eventList += $row
            }
        }

        $eventList = $eventList | Sort-Object -Property username
        $body = $eventList | ConvertTo-HTML -head $a -body "Old Admin accounts $date " | Out-String
        $body += "Created from server1"
        Send-MailMessage -To emailaddress -Subject "Old Admin accounts $date" -SmtpServer smtpserver -from noreply@email.com -BodyAsHtml $body
    }
