I've created a little script that runs on our district's domain controllers and sends an email to our networking team any time a user is created in AD. The script works great, but we want to filter out our MIM system, which creates new users every morning based on new student intake and newly hired employees. Here is an example of the event that triggers when our MIM system creates a user.
A user account was created.

Subject:
    Security ID: NSD\srvMIMADMA
    Account Name: srvMIMADMA
    Account Domain: NSD
    Logon ID: 0x564EF2A6

New Account:
    Security ID: NSD\student
    Account Name: student
    Account Domain: NSD

Attributes:
    SAM Account Name: student
    Display Name: name, student
    User Principal Name: student@email.com
    Home Directory: -
    Home Drive: -
    Script Path: -
    Profile Path: -
    User Workstations: -
    Password Last Set: <never>
    Account Expires: <never>
    Primary Group ID: 513
    Allowed To Delegate To: -
    Old UAC Value: 0x0
    New UAC Value: 0x11
    User Account Control:
        Account Disabled
        'Normal Account' - Enabled
    User Parameters: -
    SID History: -
    Logon Hours: <value not set>

Additional Information:
    Privileges -
Here is the script I am using.
#---Generate email on new ADS account creation---#
# Pull the most recent 4720 ("A user account was created") entry from the Security log
$event = Get-EventLog -LogName Security -InstanceId 4720 -Newest 1
$EmailBody = $event.Message

# Get-EventLog reports audit successes with the EntryType 'SuccessAudit' (there is no 'Success' value).
# The UserName comparison is the MIM filter asked about below.
if ($event.EntryType -eq "SuccessAudit" -and $event.UserName -ne "NSD\srvMIMADMA" -and $event.EventID -eq 4720)
{
    $mail = @{
        From       = "DomainController@email.org"
        To         = "me@email.org"
        Cc         = @("coworker1@email.org", "coworker2@email.org")
        Subject    = "New AD user was created"
        SmtpServer = "10.10.10.10"
        Port       = "PORT"
        Body       = $EmailBody
    }
    Write-Host "Sending Email"
    Send-MailMessage @mail
}
else
{
    Write-Host "No error found"
    Write-Host "Here is the log entry that was inspected:"
    $event
}
I was attempting to use `$event.UserName` to filter out our MIM system, but that looks like it's not working, because our team got an email for it this morning. Is there a way to filter out events generated by a specific user?
Try this:

    $event.Message -like "*NSD\srvMIMADMA*"

or

    $event.Message -notlike "*NSD\srvMIMADMA*"

instead of

    $event.UserName -ne "NSD\srvMIMADMA"
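A narrower version of the same filter, added here as an example and not part of either post: instead of matching the account name anywhere in the message text, pull the Subject "Account Name" (the account that performed the creation) out of the 4720 message and compare it exactly against a list of provisioning accounts. The function names, the `$ProvisioningAccounts` list and the `Get-LatestAccountCreation` helper are assumptions; the sample message is the one from the question, constructed inline so the first part runs without a domain controller. The last function shows how to read the same field from the event's XML with `Get-WinEvent` on the DC itself.

```powershell
# Provisioning accounts whose 4720 events should not trigger an alert (assumed list)
$ProvisioningAccounts = @('srvMIMADMA')

# Extract the Subject "Account Name" from a 4720 message.
# Returns $null if the Subject block cannot be found.
function Get-SubjectAccountName {
    param([Parameter(Mandatory)][string]$Message)
    # Only look inside the Subject block, which precedes "New Account:", so the
    # created account's own "Account Name:" line is never matched by mistake.
    if ($Message -match '(?s)Subject:(.*?)New Account:') {
        $subjectBlock = $Matches[1]
        if ($subjectBlock -match 'Account Name:\s*(\S+)') { return $Matches[1] }
    }
    return $null
}

# Decide whether an event should be emailed: skip it only when the Subject
# account is exactly one of the provisioning accounts.
function Test-ShouldAlert {
    param(
        [Parameter(Mandatory)][string]$Message,
        [string[]]$Exclude = $ProvisioningAccounts
    )
    $subject = Get-SubjectAccountName -Message $Message
    # An unparseable message alerts rather than staying silent.
    if ($null -eq $subject) { return $true }
    return -not ($Exclude -contains $subject)
}

# Constructed sample: the message from the question, trimmed to the fields used here
$sampleMimMessage = @"
A user account was created.

Subject:
    Security ID: NSD\srvMIMADMA
    Account Name: srvMIMADMA
    Account Domain: NSD
    Logon ID: 0x564EF2A6

New Account:
    Security ID: NSD\student
    Account Name: student
    Account Domain: NSD
"@

# Same event shape, but created by an ordinary admin account (constructed)
$sampleAdminMessage = $sampleMimMessage -replace 'srvMIMADMA', 'jdoe.admin'

Write-Host ("MIM subject: {0}, alert: {1}" -f (Get-SubjectAccountName -Message $sampleMimMessage), (Test-ShouldAlert -Message $sampleMimMessage))
Write-Host ("Admin subject: {0}, alert: {1}" -f (Get-SubjectAccountName -Message $sampleAdminMessage), (Test-ShouldAlert -Message $sampleAdminMessage))

# On a domain controller: read SubjectUserName straight from the event XML,
# which avoids parsing the localized message text at all.
function Get-LatestAccountCreation {
    $e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 1
    $xml = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Subject    = $data['SubjectUserName']
        NewAccount = $data['TargetUserName']
        Message    = $e.Message
    }
}
```

Matching on the Subject field alone keeps the exclusion as small as possible: a `-notlike "*NSD\srvMIMADMA*"` on the whole message would also suppress an event whose New Account happened to contain that string. The exclusion is still a blind spot by design, since anything running as the provisioning account creates users without an email, so it is worth keeping those events in a separate daily summary or SIEM query rather than discarding them.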