-
-
Save jlawhon/704652bc60b1c0569b6c5e853292dc99 to your computer and use it in GitHub Desktop.
Revisions
-
jdhitsolutions revised this gist
Feb 5, 2021 . 1 changed file with 4 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -18,5 +18,9 @@ This function can only retrieve information from the Security eventlog. If you l limit-eventlog -LogName security -ComputerName dom2,dom1 -MaximumSize 1024MB ``` ## Read More This solution is described in more detail at [https://jdhitsolutions.com/blog/powershell/8132/searching-active-directory-logs-with-powershell/](https://jdhitsolutions.com/blog/powershell/8132/searching-active-directory-logs-with-powershell/). *_DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED THOROUGHLY IN A LAB ENVIRONMENT. USE AT YOUR OWN RISK. IF YOU DO NOT UNDERSTAND WHAT THIS SCRIPT DOES OR HOW IT WORKS, DO NOT USE IT OUTSIDE OF A SECURE, TEST SETTING._* -
Feb 5, 2021 . 3 changed files with 49 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,9 @@ #requires -version 5.1 #requires -module ActiveDirectory #you might need to increase the size of the Security eventlog # limit-eventlog -LogName security -ComputerName dom2,dom1 -MaximumSize 1024MB Function Get-ADUserAudit { [cmdletbinding()] Param( This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,24 @@ MIT License Copyright (c) 2021 JDH Information Technology Solutions, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,22 @@ # Get-ADUserAudit These files can be used to query the Security eventlog from your domain controllers to find recent user management events. Save the .ps1 and format.ps1xml files in the same folder. You will need to dot source the ps1 file to load the function into your session. ```powershell . c:\<your-path>\get-aduseraudit.ps1 ``` Then you can run a command like this which will query all domain controllers for all user accounts created and deleted in the last 12 hours. ```powershell Get-ADUserAudit -event created,deleted -since (Get-Date).AddHours(-12) ``` This function can only retrieve information from the Security eventlog. If you log is too small, you may only be able to capture recent events. You can increase log size with a command like this: ```powershell limit-eventlog -LogName security -ComputerName dom2,dom1 -MaximumSize 1024MB ``` *_DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED THOROUGHLY IN A LAB ENVIRONMENT. USE AT YOUR OWN RISK. IF YOU DO NOT UNDERSTAND WHAT THIS SCRIPT DOES OR HOW IT WORKS, DO NOT USE IT OUTSIDE OF A SECURE, TEST SETTING._* -
Feb 5, 2021 . 1 changed file with 6 additions and 5 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -31,8 +31,8 @@ Function Get-ADUserAudit { #Target is the user account #Subject is the admin who performed the operation $target = "{0}\{1}" -f ($r.Event.EventData.Data.Where({ $_.name -eq 'TargetDomainName'}).'#text'), ($r.Event.EventData.Data.Where({$_.name -eq 'TargetUserName'}).'#text') $admin = "{0}\{1}" -f ($r.Event.EventData.Data.Where({ $_.name -eq 'SubjectDomainName'}).'#text'), ($r.Event.EventData.Data.Where({$_.name -eq 'SubjectUserName'}).'#text') [pscustomobject]@{ Target = $target Administrator = $admin @@ -52,15 +52,15 @@ Function Get-ADUserAudit { $EventIDs = @() Switch ($events) { "Created" { $EventIDs += $adevent.getenumerator().Where({$_.name -match "created"}) } "Deleted" { $eventIDs += $adevent.getenumerator().Where({$_.name -match "deleted"}) } "Enabled" { $eventIDs += $adevent.getenumerator().Where({$_.name -match "enabled"}) } "Disabled" { $eventIDs += $adevent.getenumerator().Where({$_.name -match "disabled"}) } "Changed" { $eventIDs += $adevent.getenumerator().Where({$_.name -match "changed"}) } } #this hashtable filter will be used by Get-WinEvent $filter = @{LogName = 'Security'; ID = 0 ; StartTime = $Since } #parameters to eventually splat to Get-WinEvent $getParams = @{ @@ -110,4 +110,5 @@ Function Get-ADUserAudit { } #close function Update-TypeData -TypeName ADAuditTrail -MemberType ScriptProperty -MemberName TargetCount -Value { $($this.targets).count } -Force #the format file should be in the same folder as this file. Update-FormatData -AppendPath $psscriptroot\adaudittrail.format.ps1xml -
Feb 5, 2021 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,113 @@ #you might need to increase the size of the Security eventlog # limit-eventlog -LogName security -ComputerName dom2,dom1 -MaximumSize 1024MB Function Get-ADUserAudit { [cmdletbinding()] Param( [Parameter(Position=0,HelpMessage = "Specify one or more domain controllers to query.")] [ValidateNotNullOrEmpty()] [string[]]$DomainController = (Get-ADDomain).ReplicaDirectoryServers, [Parameter(HelpMessage = "Find all matching user management events since what date and time?")] [Datetime]$Since = (Get-Date).Addhours(-24), [Parameter(HelpMessage = "Select one or more user account events")] [ValidateNotNullOrEmpty()] [ValidateSet("Created","Deleted","Enabled","Disabled","Changed")] [string[]]$Events = "Created", [Parameter(HelpMessage = "Specify an alterate credential")] [PSCredential]$Credential ) Function _getNames { # a private helper function to parse out names from the eventlog message [cmdletbinding()] Param( [Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord]$Data ) Process { #convert the record to XML which makes it easier to parse [xml]$r = $data.toxml() #Target is the user account #Subject is the admin who performed the operation $target = "{0}\{1}" -f ($r.Event.EventData.Data.Where( { $_.name -eq 'TargetDomainName' }).'#text'), ($r.Event.EventData.Data.Where( { $_.name -eq 'TargetUserName' }).'#text') $admin = "{0}\{1}" -f ($r.Event.EventData.Data.Where( { $_.name -eq 'SubjectDomainName' }).'#text'), ($r.Event.EventData.Data.Where( { $_.name -eq 'SubjectUserName' }).'#text') [pscustomobject]@{ Target = $target Administrator = $admin TimeCreated = $data.timeCreated } } #process } # close _getNames # a hashtable of user management event IDs for the Security event log $ADEvent = @{ UserChanged = 4738 UserCreated = 4720 UserDeleted = 4726 UserEnabled = 4722 UserDisabled = 4725 } $EventIDs = @() Switch ($events) { "Created" { $EventIDs += $adevent.getenumerator().Where({$_.name -match "created"}) } "Deleted" { $eventIDs += $adevent.getenumerator().Where({$_.name -match "deleted"}) } "Enabled" { $eventIDs += $adevent.getenumerator().Where({$_.name -match "enabled"}) } "Disabled" { $eventIDs += $adevent.getenumerator().Where({$_.name -match "disabled"}) } "Changed" { $eventIDs += $adevent.getenumerator().Where({$_.name -match "changed"}) } } #this hashtable filter will be used by Get-WinEvent $filter = @{LogName = 'Security'; ID = 0; StartTime = $Since } #parameters to eventually splat to Get-WinEvent $getParams = @{ ErrorAction = "Stop" FilterHashtable = $filter Computername = "" } if ($Credential.UserName) { $getParams.add("Credential",$Credential) } Write-Verbose "Searching for AD log entries since $since" #Searching the Security event log on each domain controller foreach ($dc in $DomainController) { Write-Verbose "Processing $dc" foreach ($evt in $eventIDs) { $filter.ID = $evt.value $getParams.FilterHashtable = $filter $getParams.Computername = $DC Write-Verbose "...Looking for $($evt.name) events" Try { $logs = Get-WinEvent @getParams Write-Verbose "Found $($logs.count) log records" } Catch { Write-Warning "No matching $($evt.name) events $since found on $dc." } if ($logs.count -gt 0) { $names = $logs | _getnames $targets = ($names | Select-Object -Property Target -Unique).target $admins = ($names | Select-Object -Property Administrator -Unique).administrator [pscustomobject]@{ PSTypeName = "ADAuditTrail" DomainController = $dc ID = $evt.Value EventType = $evt.Name LogCount = $logs.count Since = $Since Targets = $targets Administrators = $admins } Remove-Variable -Name logs } } } } #close function Update-TypeData -TypeName ADAuditTrail -MemberType ScriptProperty -MemberName TargetCount -Value { $($this.targets).count } -Force Update-FormatData -AppendPath $psscriptroot\adaudittrail.format.ps1xml This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,51 @@ <?xml version="1.0" encoding="UTF-8"?> <!-- Format type data generated 02/04/2021 08:56:49 by COMPANY\ArtD This file was created using the New-PSFormatXML command that is part of the PSScriptTools module. https://github.com/jdhitsolutions/PSScriptTools --> <Configuration> <ViewDefinitions> <View> <!--Created 02/04/2021 08:56:49 by COMPANY\ArtD--> <Name>default</Name> <ViewSelectedBy> <TypeName>ADAuditTrail</TypeName> </ViewSelectedBy> <GroupBy> <PropertyName>DomainController</PropertyName> <Label>DomainController</Label> </GroupBy> <ListControl> <ListEntries> <ListEntry> <ListItems> <ListItem> <Label>EventType</Label> <PropertyName>EventType</PropertyName> </ListItem> <ListItem> <Label>Since</Label> <PropertyName>Since</PropertyName> </ListItem> <ListItem> <Label>TargetCount</Label> <PropertyName>TargetCount</PropertyName> </ListItem> <ListItem> <Label>Targets</Label> <PropertyName>Targets</PropertyName> </ListItem> <ListItem> <Label>Administrators</Label> <PropertyName>Administrators</PropertyName> </ListItem> </ListItems> </ListEntry> </ListEntries> </ListControl> </View> </ViewDefinitions> </Configuration>