
8/13/2015

Hey, Scripting Guy! How Can I Query Event Logs to Discover Active Directory Information? - Hey, Scripting Guy! Blog - Site Home - TechNet Blogs


Hey, Scripting Guy! Blog


Learn about Windows PowerShell

Hey, Scripting Guy! How Can I Query Event Logs to Discover Active Directory Information?
ScriptingGuy1

8 Apr 2009 12:11 AM

Hey, Scripting Guy! We have this problem at work. I keep finding groups in Active Directory, and I do not know why
they were created or by whom. I am wondering if there is some way to search Active Directory to see who created a
group. Is there an owner attribute or something that would let me know who created it? If I can find that, I could at least
go ask the turkey why he is going around creating all these strange groups. I mean, they do not even conform to our
naming convention.
MM

Hi MM,
It has been kind of gloomy and rainy all day down here in Charlotte, North Carolina, in the United States. It is one of those
days where you can move from morning to afternoon to evening to night and never tell any difference outside. Come to
think of it, it is getting rather late at night. There wasn't any sunshine at all until your email arrived. Querying Active
Directory is a lot of fun. But in this case, it will not help you. We have never been those "if all you have is a hammer"
people. The best course of action for us is to query the event log to find your information.
This week is Event Log Week. We have quite a few good scripts that work with event logs in the Script Center Script
Repository. The Scripting Guide has some good information about querying event logs, managing event logs, and writing
to event logs from a VBScript perspective. These same types of information are covered from a Windows PowerShell
perspective in chapter 3 of the Windows PowerShell Scripting Guide. Over the years, there have been a few Hey, Scripting
Guy! articles on topics such as finding the oldest event in an event log, the newest event in an event log, backing up the
event log to a text file, retrieving audit failures from the event log, or retrieving all failures from the security event log.
There is also the Log Parser 2.2, and we have a number of examples on the Script Center of how to use Log Parser. The
scripts this week are written in Windows PowerShell. If you need help converting VBScript to Windows PowerShell, you
can refer to this conversion guide.
What you need to do is to turn on auditing for account management. By default, account management is not audited, and
on a large and busy network, it could add quite a bit of information to the security log. However, if you are having
problems in this area, it may very well make sense. You can easily use the Group Policy Management Console to edit the
appropriate domain policy as seen here:

http://blogs.technet.com/b/heyscriptingguy/archive/2009/04/07/howcaniqueryeventlogstodiscoveractivedirectoryinformation.aspx

After you have enabled auditing, you may want to run the GPUpdate.exe command from within the Windows PowerShell
console to refresh the Group Policy settings on the machine. After you have done that, you may want to create a bogus
user or group to make sure that the policy settings were applied correctly and that it is working as expected. Several event
log entries will be found when the user is created. The first one will be the one where the user is actually created. The
other entries will be related to the password reset and the status of the user account. The account-created entry is the one
you are interested in and is shown here:

As you can see in that image, when the user account is created and auditing is enabled, a 4720 event is logged to the
Security log. Using the technique we examined in yesterday's Hey, Scripting Guy! article, we dutifully type in the
following command:
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4720}
Rather than being greeted with the appropriate event log entry, we instead are confronted with some kind of bogus error
related to the registry. This is seen here:

The reason for the error is that access to the Security event log requires administrator rights, or more technically the
security privilege. Windows PowerShell does not bypass security, but it is not User Account Control (UAC) aware. To get
around this problem, we will need to start the Windows PowerShell console as an administrator. Right-click the icon and
then click Run As Administrator. Now a UAC prompt is generated. We will probably want to modify the query just a bit.
The reason is the size of the Security event log. As seen here, the Security log on my server is set by default to a size of
130 megabytes, and it has more than 260,000 entries in it.
PS C:\> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded       2,749 Application
  15,168      0 OverwriteAsNeeded         979 DFS Replication
     512      0 OverwriteAsNeeded       1,686 Directory Service
  16,384      0 OverwriteAsNeeded         640 DNS Server
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
 131,072      0 OverwriteAsNeeded     261,493 Security
  20,480      0 OverwriteAsNeeded      14,207 System
  15,360      0 OverwriteAsNeeded       1,027 Windows PowerShell
It can take a little bit of time to troll through 260,000 entries, and because we are just experimenting, there is no reason to
wait that long. We can limit our search easily by using the -Newest parameter. I first tried limiting it to the first 10 entries,
then the next 20 entries, and finally the newest 100 entries to find the entry for the user I just created. I then realized why
the security event log is so big: It logs all kinds of stuff all the time, doubly so now that we enabled additional auditing. The
revised query is shown here:

PS C:\> Get-EventLog -LogName Security -Newest 100 | Where-Object {$_.EventID -eq 4720}

   Index Time          EntryType       Source                 InstanceID Message
   ----- ----          ---------       ------                 ---------- -------
  282271 Apr 02 21:43  SuccessA...     Microsoft-Windows...         4720 The des...
The results of the previous command do not tell us a whole lot, but we have found the index number for the event log
entry. We can revise the command and force it to display all of the data from the entire event log entry. In the new
command you will notice that I had to raise the -Newest value due to additional logging that takes place behind the
scenes in the event log. We change the Where-Object filter to look for an index value that is equal to 282271. This index
number will be different on your computer because it is specific to my event log. The Format-List cmdlet chooses which
properties to display. I selected all of them by using the asterisk character.
PS C:\> Get-EventLog -LogName Security -Newest 200 | Where-Object {$_.Index -eq '282271'} | Format-List -Property *

EventID            : 4720
MachineName        : Berlin.nwtraders.com
Data               : {}
Index              : 282271
Category           : (13824)
CategoryNumber     : 13824
EntryType          : SuccessAudit
Message            : The description for Event ID '4720' in Source 'Microsoft-Windows-Security-Auditing' cannot be
                     found. The local computer may not have the necessary registry information or message DLL files
                     to display the message, or you may not have permission to access them. The following information
                     is part of the event: 'bogus1', 'NWTRADERS', 'S15215402990443418591389294071161154',
                     'S1521540299044341859138929407116500', 'administrator', 'NWTRADERS', '0x29e7f', '', 'bogus1',
                     'bogus1', 'bogus1@nwtraders.com', '', '', '', '', '', '%%1794', '%%1794', '513', '', '0x0', '0x15', '
                     %%2080
                     %%2082
                     %%2084', '', '', '%%1793'
Source             : Microsoft-Windows-Security-Auditing
ReplacementStrings : {bogus1, NWTRADERS, S15215402990443418591389294071161154, S1521540299044341859138929407116500...}
InstanceId         : 4720
TimeGenerated      : 4/2/2009 9:43:04 PM
TimeWritten        : 4/2/2009 9:43:04 PM
UserName           :
Site               :
Container          :
If we look at the Message property, we can see the user name as well as the name and domain of the person who created
the user. The user name was bogus1, and the person who created that account was administrator in the NWTraders domain.
We can use this information to our advantage. We now want to search the event log for all entries that are related to this
specific user. We got rid of the -Newest parameter because we lost count of how many entries have been recently added.
After you know all the entries related to your query have been retrieved, you can press CTRL+C if you wish to stop the
query from running. You will notice that we switched from using the -eq equality operator to using the -match regular
expression operator to find our bogus1 entries. This is because there is a lot of information in the Message field, and we
simply want to see if our expression bogus1 is contained within that big field. If it is, we return the default properties
from the entries. This is seen here:
PS C:\> Get-EventLog -LogName Security | Where-Object {$_.message -match 'bogus1'}

   Index Time          EntryType       Source                 InstanceID Message
   ----- ----          ---------       ------                 ---------- -------
  282274 Apr 02 21:43  SuccessA...     Microsoft-Windows...         4738 The des...
  282273 Apr 02 21:43  SuccessA...     Microsoft-Windows...         4738 The des...
  282272 Apr 02 21:43  SuccessA...     Microsoft-Windows...         4724 The des...
  282271 Apr 02 21:43  SuccessA...     Microsoft-Windows...         4720 The des...
One more example before we go. Suppose I only wanted to return the account creation entry for the bogus1 user. This
would entail creating a compound Where-Object filter. To do this, we use the up arrow to retrieve the previous command,
which avoids additional typing. We go to the end of the previous command, just inside the curly brackets, and add an
additional operator, the -AND operator. Now comes the part that is confusing for some people: we need to repeat the $_
variable because we are still working with the same event record, and we specify the EventID property as we did before.
The revised command is shown here along with the results from that command:

PS C:\> Get-EventLog -LogName Security | Where-Object {$_.message -match 'bogus1' -AND $_.EventID -eq 4720}

   Index Time          EntryType       Source                 InstanceID Message
   ----- ----          ---------       ------                 ---------- -------
  282271 Apr 02 21:43  SuccessA...     Microsoft-Windows...         4720 The des...
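Both filters above (the Index lookup piped to Format-List, and the compound -match/-eq filter) end up scraping the Message text, which on this server is not even rendered. Here is an added PowerShell example, not from the original post, that reads the same fields from the ReplacementStrings array shown in the Format-List output instead, so the report works whether or not the message DLL is present. The function name Get-AccountCreationAudit, its parameters and the group-creation event IDs 4727 and 4731 are my additions (the post only covers 4720); it assumes PowerShell 3.0 or later and an elevated console, as the post requires.

```powershell
# Added example (not from the original post): report who created which user or
# group by reading ReplacementStrings rather than regex-matching Message.
# Field order assumed from the post's Format-List output for event 4720:
#   [0] target account  [1] target domain  [4] creator account  [5] creator domain
# (the group-creation events 4727/4731 share that leading order).
# Needs an elevated console: the Security log requires the security privilege.

function Get-AccountCreationAudit {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,  # one or more DCs to query
        [int]$Newest = 5000,                          # bound the scan, as the post does with -Newest
        [string]$TargetPattern = '.*'                 # regex on the created account name, e.g. '^bogus'
    )
    # 4720 = user created; 4727 = security-enabled global group created;
    # 4731 = security-enabled local group created
    $ids = 4720, 4727, 4731

    foreach ($dc in $ComputerName) {
        Get-EventLog -LogName Security -ComputerName $dc -Newest $Newest -InstanceId $ids |
            Where-Object { $_.ReplacementStrings[0] -match $TargetPattern } |
            ForEach-Object {
                $r = $_.ReplacementStrings
                [pscustomobject]@{
                    Time      = $_.TimeGenerated
                    DC        = $dc
                    EventID   = $_.InstanceId
                    Target    = '{0}\{1}' -f $r[1], $r[0]   # e.g. NWTRADERS\bogus1
                    CreatedBy = '{0}\{1}' -f $r[5], $r[4]   # e.g. NWTRADERS\administrator
                    Index     = $_.Index                    # same Index the post filtered on
                }
            }
    }
}

# Usage: the post's bogus1 case, with the same compound 4720 filter.
Get-AccountCreationAudit -TargetPattern '^bogus1$' |
    Where-Object { $_.EventID -eq 4720 } |
    Format-Table -AutoSize
```

Passing several domain controllers in -ComputerName collects the creations recorded on each of them, since each DC only audits the changes it processed itself.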
Well, MM, that is all there is to querying the event log to find information related to user object creation. Remember, for
this to be successful, you need to enable auditing for account management activities. Also as we have seen, this can
generate a substantial amount of additional traffic to your security logs. Therefore, you will in all likelihood need to
increase the size of your security event log, or you will need to back up your event log more frequently. We will look at
these activities tomorrow as Event Log Week continues. Until then, take care.

Ed Wilson and Craig Liebendorfer, Scripting Guys


Comments
19 Dec 2011 4:24 PM
Alem

Can you also show how to script the audit filters for the application, system and security log settings please?
24 Apr 2012 3:51 PM
Silver

We have multiple DCs, and these changes are only stored in the local security log. So if anyone would make a
change in Active Directory on another domain controller, I wouldn't see it. I therefore wrote a similar script, except
it gets servers from a text file. For each server it will get the security logs.
However, except for it taking quite a while to get the logs, I have the problem that, when getting logs from a
remote DC, I get SIDs instead of user names.
I would love to know how to get around that.
13 Jul 2012 2:50 PM
Paru

In the security event log many events with Event ID 4688 won't be applications started by the user. Most of these
events are generated by background processes and services. How can we differ these events?
