Home > Enterprise >  Filter get-eventlog by the subjects account name
Filter get-eventlog by the subjects account name

Time:10-06

I've created a little script that runs on our districts domain controllers that sends out an email any time a user is created in AD to our networking team. The script works great, but we want to filter out our MIM system that creates new users every morning based on new student intake and newly hired employees. Here is an example of the event that triggers when our MIM system creates a user.

A user account was created.

Subject:

Security ID:        NSD\srvMIMADMA

Account Name:       srvMIMADMA

Account Domain:     NSD

Logon ID:       0x564EF2A6

New Account:

Security ID:        NSD\student

Account Name:       student

Account Domain:     NSD

Attributes:

SAM Account Name:   student

Display Name:       name, student

User Principal Name:    [email protected]

Home Directory:     -

Home Drive:     -

Script Path:        -

Profile Path:       -

User Workstations:  -

Password Last Set:  <never>

Account Expires:        <never>

Primary Group ID:   513

Allowed To Delegate To: -

Old UAC Value:      0x0

New UAC Value:      0x11

User Account Control:   

    Account Disabled

    'Normal Account' - Enabled

User Parameters:    -

SID History:        -

Logon Hours:        <value not set>

Additional Information:

Privileges      -

Here is the script I am using.

#---Generate email on new ADS account creation---#

$event = get-eventlog -LogName Security -InstanceId "4720" -Newest 1
$EmailBody = $event.Message

if ($event.EntryType -eq "Success" -and $event.UserName -ne "NSD\srvMIMADMA" -and $event.EventID -eq "4720")
{
    $mail = @{
            from        = "[email protected]"
            to          = "[email protected]"
            cc          = @("[email protected]", "[email protected]")
            subject     = "New AD user was created"
            smtpserver  = "10.10.10.10"
            port        = "PORT"
            body        = $EmailBody
            }
    
    Write-host "Sending Email"
    
    Send-MailMessage @mail
}
else
{
    write-host "No error found"
    write-host "Here is the log entry that was inspected:"
    $event
}

I was attempting to use event.UserName to filter out our MIM system, but that looks like its not working because our team got an email for it this morning. Is there a way to filter out events generated by a specific user?

CodePudding user response:

Try this

$event.Message -like "*NSD\srvMIMADMA*"

or

$event.Message -notlike "*NSD\srvMIMADMA*"

instead of

$event.UserName -ne "NSD\srvMIMADMA"

Page link:https//www.codepudding.com/Enterprise/566385.html

Prev:How do I limit/filter the output to the pipeline in powershell?
Next:Making phone calls with PowerShell and ADB for Android via looping through csv
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding