I am new to PowerShell. I am trying to get information for several event IDs regarding account management audit. I know that the script I wrote is not efficient enough, but I don't think that is the issue here. For some reason I don't get the output for event ID 4781 even though I have generated some events and they are shown in Event Viewer. For event IDs like 4720, 4726, 4722 etc. I am able to log them normally in an output file, using the same script. Does anyone have any clue why?
Currently I am getting this output: Action:User Created Time:31-08-2018 2:55 Who:administrator User:test2
# Where-Object sees the current pipeline item as $_ (not $e)
$events = Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate |
    Where-Object { $_.EventID -eq 4781 -or $_.EventID -eq 4720 }
$ActivityOutput = foreach ($e in $events) {
    if ($e.EventID -eq 4720) {
        # 4720: ReplacementStrings[0] = account that was created, [4] = account that created it
        Write-Output "Action:User Created","Time:$($e.TimeGenerated.ToString("dd-MM-yyyy h:mm"))","Who:$($e.ReplacementStrings[4])","User:$($e.ReplacementStrings[0])"
        Write-Output "===============================================`n"
    }
    if ($e.EventID -eq 4781) {
        # 4781: ReplacementStrings[0] = old name, [1] = new name, [5] = account that renamed it
        Write-Output "The name of an Object changed","Time:$($e.TimeGenerated.ToString("dd-MM-yyyy h:mm"))","Who:$($e.ReplacementStrings[5])","Old Value:$($e.ReplacementStrings[0])","New Value:$($e.ReplacementStrings[1])"
        Write-Output "===============================================`n"
    }
}
Out-File -Append -FilePath C:\UserTracking.txt -InputObject $ActivityOutput
========= UPDATE 04/09/2018 So it seems that Get-EventLog fetches only some of the event IDs, which is why I was missing some of them like 4781. I converted to Get-WinEvent and it seems that this one fetches all desired event IDs. Edited code:
$events = Get-WinEvent -FilterHashtable @{LogName="Security"; StartTime=(Get-Date).AddDays(-6); ID=4781,4738,4725,4728,4729,4720,4726,4722,4740}
$ActivityOutput = foreach ($e in $events) {
    # user account was created
    if ($e.Id -eq 4720) {
        Write-Output "Action:User Created","Time:$($e.TimeCreated.ToString("dd-MM-yyyy h:mm"))","Who:$($e.?)","User:$($e.?)"
    }
}
Now, any help on how to fetch info like who made the change and on which user, using Write-Output as shown above?
In general I shouldn't use "Get-EventLog" but "Get-WinEvent". The values for each event ID can be fetched using $_.Properties[...].
So I ended up with the draft code below, which I will repeat for all the desired event IDs since I need different values for each one.
$EventID = 4781,4738,4725,4728,4729,4720,4726,4722,4740
# The ID filter must reference the variable ($EventID), not the bare name
$events = Get-WinEvent -FilterHashtable @{LogName="Security"; StartTime=(Get-Date).AddDays(-6); ID=$EventID}
$ActivityOutput = foreach ($e in $events) {
    if ($e.Id -eq 4720) {
        # 4720: Properties[0] = account that was created, Properties[4] = account that created it;
        # each Properties entry is an EventProperty, so read its .Value inside the string
        Write-Output "Action:User Created","Time:$($e.TimeCreated.ToString("dd-MM-yyyy h:mm"))","Who:$($e.Properties[4].Value)","User:$($e.Properties[0].Value)"
        Write-Output "===============================================`n"
    }
}
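The draft above carried through for all the listed IDs in one pass, as an added example that is not code from the question or the answer. It looks each value up by name in the event's XML instead of by Properties[] index, because the position of SubjectUserName differs between IDs (4738 and 4781 carry an extra leading field compared with 4720). The field names and the ID-to-action mapping are assumptions taken from the Security audit event schemas, and the Security log is assumed readable (elevated session).

```powershell
# Per-ID description and the EventData field names that identify the actor and the subject.
# Field names follow the Security event schemas for these IDs (assumption: check $e.ToXml() on your system).
$EventMap = @{
    4720 = @{ Action = 'User Created';              Who = 'SubjectUserName'; Target = 'TargetUserName' }
    4722 = @{ Action = 'User Enabled';              Who = 'SubjectUserName'; Target = 'TargetUserName' }
    4725 = @{ Action = 'User Disabled';             Who = 'SubjectUserName'; Target = 'TargetUserName' }
    4726 = @{ Action = 'User Deleted';              Who = 'SubjectUserName'; Target = 'TargetUserName' }
    4738 = @{ Action = 'User Changed';              Who = 'SubjectUserName'; Target = 'TargetUserName' }
    4740 = @{ Action = 'User Locked Out';           Who = 'SubjectUserName'; Target = 'TargetUserName' }
    4728 = @{ Action = 'Member Added to Group';     Who = 'SubjectUserName'; Target = 'MemberName' }
    4729 = @{ Action = 'Member Removed from Group'; Who = 'SubjectUserName'; Target = 'MemberName' }
    4781 = @{ Action = 'Account Renamed';           Who = 'SubjectUserName'; Target = 'NewTargetUserName' }
}

function Get-EventDataField {
    # Read a named <Data Name="..."> value from the event XML, so the lookup does not
    # depend on the positional index of Properties[...] (which differs per event ID).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# One query for all IDs at once; -ErrorAction keeps "No events were found" from being an error.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    StartTime = (Get-Date).AddDays(-6)
    ID        = [int[]]$EventMap.Keys
} -ErrorAction SilentlyContinue

$ActivityOutput = foreach ($e in $events) {
    $m = $EventMap[[int]$e.Id]
    # 4781 also carries the previous name; empty for the other IDs
    $old = if ($e.Id -eq 4781) { Get-EventDataField $e 'OldTargetUserName' } else { '' }
    # Emit objects rather than strings: they can be filtered, sorted, and exported.
    [pscustomobject]@{
        Time    = $e.TimeCreated.ToString('dd-MM-yyyy HH:mm')
        Action  = $m.Action
        Who     = Get-EventDataField $e $m.Who
        Target  = Get-EventDataField $e $m.Target
        OldName = $old
    }
}

$ActivityOutput | Format-Table -AutoSize
$ActivityOutput | Export-Csv -Path C:\UserTracking.csv -NoTypeInformation -Append
```

For 4740 the SubjectUserName is normally the computer account that reported the lockout rather than a person, so treat the Who column for that ID accordingly.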