Trigger Powershell on computer join domain

  • Question

  • Hello (sorry for my bad English, I am French ...)

    I want to run a PowerShell script IMMEDIATELY when a computer joins the domain.

    I know (read) that I can trigger PowerShell with a new event on the DC for that.
    But ... this way means that I have to read the "event logs" from PowerShell from time to time to search whether the domain-join event happened.
    I want to execute my PowerShell script at the time that the computer is joined to the domain, not from time to time ...

    So ... how can PowerShell know (be triggered) IMMEDIATELY when a computer is joined to the domain ?

    Thanks !

    Saturday, December 5, 2015 7:40 AM

All replies

  • What do you want this script to do?  It is likely that there are mechanisms to do what you want that do not require a script.

    \_(ツ)_/

    Saturday, December 5, 2015 7:52 AM
  • Thanks for your answer !

    I want that when a computer account is created in AD I can move it to an OU.
    I know I can change the OU where accounts are created by default, but that is not OK for me because there is more than one OU to move the computer account to. In fact I have to look at the naming convention of the computer ... the name includes the geographic (physical) site of the computer ... and after that I have to move the computer account into the right OU (the OU of the site) for delegation purposes .....

    The computers are actually manually joined to the domain and there is no way to use WDS or MDT or some other way ...

    So ... the computer is joined ... I check its name ... I move it into the right OU for delegation purposes
    And I want a script to do that for me when the computer is joined (even the delegation doesn't work !!)

    Thanks for your ideas guys !!

    Sunday, December 6, 2015 9:41 PM
  • When you join a computer to the domain with PowerShell you can specify the OU that it is placed in.

    See: https://technet.microsoft.com/en-us/library/hh849798.aspx?f=255&MSPPError=-2147217396


    \_(ツ)_/

    Monday, December 7, 2015 3:07 AM
  • Thanks for your answer !!

    Yes ! But ... it's NOT me who joins the computer to the domain ...

    So my task is ... to MOVE ... the computer account into the right OU, depending on the name of the computer account (the name includes an information code to know which is the right OU for delegation)

    And I want to do that when the account is created in AD so that the DELEGATION on the object will be immediately applied correctly !!

    So ...
    I am searching for a trigger that can run my PowerShell script (for moving the computer account) when a computer account is created in AD .....

    Some suggestions ?

    Wednesday, December 9, 2015 11:06 PM
  • Enable auditing and trigger an event log task on the audit event.  This will have to be implemented on all domain controllers.

    \_(ツ)_/

    Thursday, December 10, 2015 2:47 AM
  • Yes ! I saw this solution in another post ... but ... again ...
    The PowerShell code has to read the log from time to time to see if an event has occurred, no ?
    So I cannot reach my goal of running the PowerShell code JUST AT THE TIME THAT THE COMPUTER ACCOUNT IS CREATED IN AD ... and not when from time to time I find an event in my logs ....

    So ... another way ?

    But perhaps the creation of the event in the log can IMMEDIATELY trigger my PowerShell code to run ?
    Is it possible ?

    Thursday, December 10, 2015 4:23 PM
  • Please search and learn how to use event log tasks.

    https://technet.microsoft.com/en-us/library/cc748900.aspx


    \_(ツ)_/

    Friday, December 11, 2015 12:05 AM
  • Yes !

    Seems more right for me ....

    I took a look, but it seems that if I mix it with centralisation of log events it can work for what I need ...

    I will give feedback as soon as I have tested it !!
    Thanks 

    Saturday, December 12, 2015 11:35 AM
  • Hello (sorry for my bad English, I am French)

    So I want to trigger on an event (event 5137, which is the adding of a computer to a domain) and then run a script to move this added computer to a specific OU

    I have modified the task file to return the $eventRecordID of the event

    So in my PowerShell script, I can get the $eventRecordID, which is the unique ID of the event that triggered the task

    I use it to get the event

    $event = Get-Eventlog -logname Security -Index $eventRecordID

    And after that I want to recover the computer DistinguishedName from the $event.Message to use it in a Move-ADObject cmdlet

    I can get the computer DN with

    $ordi = $Event | Select @{ Name="ordi";Expression={ $_.ReplacementStrins[8] } }
    But it returns something like :

    ordi
    ----
    cn=pc,dc=corp,dc=lan

    and I cannot get only : cn=pc,dc=corp,dc=lan (and not with "ordi ----")

    Help please !!

    Thursday, February 18, 2016 8:18 AM
  • $ordi = $Event | Select @{ Name="ordi";Expression={ $_.ReplacementStrins[8] } }

    Spelling!

    $ordi = $Event | Select @{ Name="ordi";Expression={ $_.ReplacementStrings[8] } }

    Also:

    $event = Get-WinEvent -FilterHashTable @{logname='Security';ID=5137} -MaxEvents 1


    \_(ツ)_/

    Thursday, February 18, 2016 1:41 PM
  • Thanks for your answer

    1) Yes ... it was just a typing mistake in the code in my request here, but all is OK in my code ...
    I did write { $_.ReplacementStrings[8] } } in my code ... but again it returns me the block of data :

    ordi
    ----
    cn=pc,dc=corp,dc=lan

    I mean it returns me the text "ordi" and below it the text "----" and below that the text "cn=pc,dc=corp,dc=lan". I just want the text "cn=pc,dc=corp,dc=lan" to use it in a Move-ADObject command ...

    So ... how can I get only "cn=pc,dc=corp,dc=lan" and not "ordi ---- cn=pc,dc=corp,dc=lan" ?

    2) $event = Get-WinEvent
    I cannot use the Get-WinEvent cmdlet because this cmdlet cannot take the $eventRecordID as an argument and so I can be sure with this cmdlet to treat the right event (the last event is perhaps not my event that triggered the task ! Some computers can have joined the domain at the same time ...)

    So for now Get-WinEvent is not good for me ...

    So again HELP !!

    ;-)

    Thursday, February 18, 2016 3:39 PM
  • $event = Get-WinEvent -FilterHashTable @{logname='Security';ID=5137} -MaxEvents 1
    # Get-WinEvent records expose the event values through Properties, not ReplacementStrings
    $ordi=$event.Properties[8].Value


    \_(ツ)_/

    Thursday, February 18, 2016 3:45 PM
  • As I said just above :

    I cannot use the Get-WinEvent cmdlet because this cmdlet cannot take the $eventRecordID as an argument and so I can be sure with this cmdlet to treat the right event (the last event is perhaps not my event that triggered the task ! Some computers can have joined the domain at the same time ...)

    So for now Get-WinEvent is not good for me ...

    So again HELP !!

    ;-)

    Thursday, February 18, 2016 4:06 PM
  • Where are you getting the event record ID from?

    Are you asking about the InstanceID?


    \_(ツ)_/

    Thursday, February 18, 2016 4:19 PM
  • Here is how to get an event record by instance.

    $event=get-winevent -LogName Security -FilterXPath '*[System[EventRecordID=18484]]'
    $event.Properties[8].Value


    \_(ツ)_/


    • Edited by jrv Thursday, February 18, 2016 4:43 PM
    Thursday, February 18, 2016 4:42 PM
  • I have done my script based on this article :

    http://blogs.technet.com/b/wincat/archive/2011/08/25/trigger-a-powershell-script-from-a-windows-event.aspx

    So you can see how you can recover the "event record ID" from the task ...
    And so I got the right ID of the event that triggered the task (the one that says that the computer was added to the domain ...)

    So I need to use Get-EventLog ...
    Get-WinEvent doesn't know the "event record ID"

    Thursday, February 18, 2016 4:49 PM
  • I have done my script based on this article :

    http://blogs.technet.com/b/wincat/archive/2011/08/25/trigger-a-powershell-script-from-a-windows-event.aspx

    So you can see how you can recover the "event record ID" from the task ...
    And so I got the right ID of the event that triggered the task (the one that says that the computer was added to the domain ...)

    So I need to use Get-EventLog ...
    Get-WinEvent doesn't know the "event record ID"

    Get-WinEvent knows more than Get-Eventlog and is much faster and more flexible.

    $event=get-winevent -LogName Security -FilterXPath '*[System[EventRecordID=18484]]'
    $event.Properties[8].Value

    The same method works with events from Get-Event.  Just get the property or string.


    \_(ツ)_/

    • Marked as answer by PatMCT Friday, February 19, 2016 10:03 AM
    Thursday, February 18, 2016 5:34 PM
  • Thanks a lot !!!

    1) I will try YOUR suggestion and give you a reply ... on how it works
    If I can use the EventRecordID in Get-WinEvent, that sounds like very good news !!!

    2) For information, for everyone who follows this post ...
    I have also got a reply (by mail ... not here ...) from the great Ashley McGlone from Microsoft
    (see here http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx)

    who gave me an answer that is working fine :

    $ordi = $event | select @{Name="ordi";Expression={ $_.ReplacementStrings[8] }} | Select-Object -ExpandProperty ordi

    Thanks a lot to him !!!!!!!!!!

    ...

    I will answer soon to report on the
    $event=get-winevent -LogName Security -FilterXPath '*[System[EventRecordID=18484]]'
    $event.Properties[8].Value
    that is suggested here

    Thanks to everybody !
    Great help !!!

    • Marked as answer by PatMCT Friday, February 19, 2016 9:54 AM
    Friday, February 19, 2016 9:07 AM
  • That is one way but why do so much when you can just do this as I posted above twice.

    $ordi = $event .ReplacementStrings[8]

    No need to take it out then put it back.  Just get it.


    \_(ツ)_/


    • Edited by jrv Friday, February 19, 2016 9:16 AM
    Friday, February 19, 2016 9:16 AM
  • I NEED TO TAKE IT OUT ... (smile !)
    Because I want to use the DN of the computer in my next line of code, which is a Move-ADObject that moves the computer that just joined the domain into the right OU (among a lot ... for delegation requirements !)
    And so ... Move-ADObject requires ONLY the DN of the computer (and doesn't understand the "ordi ----" text before)

    Do you understand my need ?

    Friday, February 19, 2016 9:51 AM
  • Move-AdObject $event.ReplacementStrings[8] -TargetPath <some container>


    \_(ツ)_/


    • Edited by jrv Friday, February 19, 2016 10:14 AM
    • Marked as answer by PatMCT Friday, February 19, 2016 10:41 AM
    Friday, February 19, 2016 9:54 AM
  • Move-AdObject $event .ReplacementStrings[8] -TargetPath <some container>


    \_(ツ)_/

    Naaaaaaan Mister !

    The type returned by $event .ReplacementStrings[8] is not allowed
    See the error code below (the part I put in bold)


    Move-AdObject $event .ReplacementStrings[8] -TargetPath "ou=Tests,dc=corp,dc=lan"
    Move-ADObject : Impossible de lier le paramètre «Identity». Impossible de 
    convertir la valeur «System.Diagnostics.EventLogEntry» du type «System.Diagnost
    ics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing/5137» en type «
    Microsoft.ActiveDirectory.Management.ADObject».
    Au caractère Ligne:1 : 15
    + Move-AdObject $event .ReplacementStrings[8] -TargetPath 
    "ou=Tests,dc=corp,dc=lan ...
    +               ~~~~~~
        + CategoryInfo          : InvalidArgument : (:) [Move-ADObject], Parameter 
       BindingException
        + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveD 
       irectory.Management.Commands.MoveADObject

    But as I said, I have got an answer (or more) now
    One by JRV (you, in a post above) and one by Ashley McGlone
    So thanks again !

    Friday, February 19, 2016 10:05 AM
  • if($event = Get-Eventlog -logname Security -Index $eventRecordID){
         Move-AdObject $event.ReplacementStrings[8] -TargetPath <some container>
    }else{
         'no records found'
    }


    \_(ツ)_/



    • Edited by jrv Friday, February 19, 2016 10:14 AM
    Friday, February 19, 2016 10:09 AM
  • Move-AdObject $event .ReplacementStrings[8] -TargetPath <some container>


    \_(ツ)_/

    Naaaaaaan Mister !

    The type returned by $event .ReplacementStrings[8] is not allowed
    See the error code below (the part I put in bold)


    Move-AdObject $event .ReplacementStrings[8] -TargetPath "ou=Tests,dc=corp,dc=lan"
    Move-ADObject : Impossible de lier le paramètre «Identity». Impossible de 
    convertir la valeur «System.Diagnostics.EventLogEntry» du type «System.Diagnost
    ics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing/5137» en type «
    Microsoft.ActiveDirectory.Management.ADObject».
    Au caractère Ligne:1 : 15
    + Move-AdObject $event .ReplacementStrings[8] -TargetPath 
    "ou=Tests,dc=corp,dc=lan ...
    +               ~~~~~~
        + CategoryInfo          : InvalidArgument : (:) [Move-ADObject], Parameter 
       BindingException
        + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveD 
       irectory.Management.Commands.MoveADObject

    But as I said, I have got an answer (or more) now
    One by JRV (you, in a post above) and one by Ashley McGlone
    So thanks again !

    There is a space in the variable that shouldn't be there:

     $event   .ReplacementStrings[8]
     $event.ReplacementStrings[8]   <<<-----


    \_(ツ)_/

    Friday, February 19, 2016 10:14 AM
  • Another one!

    if($event=get-winevent -LogName Security -FilterXPath "*[System[EventRecordID=$eventRecordId]]"){
         Move-AdObject $event.Properties[8].Value -TargetPath <some container>
    }else{
          'no records found'
    }


    \_(ツ)_/


    • Edited by jrv Friday, February 19, 2016 10:17 AM
    • Marked as answer by PatMCT Friday, February 19, 2016 10:40 AM
    Friday, February 19, 2016 10:16 AM
  • Move-AdObject $event .ReplacementStrings[8] -TargetPath <some container>


    \_(ツ)_/

    Naaaaaaan Mister !

    The type returned by $event .ReplacementStrings[8] is not allowed
    See the error code below (the part I put in bold)


    Move-AdObject $event .ReplacementStrings[8] -TargetPath "ou=Tests,dc=corp,dc=lan"
    Move-ADObject : Impossible de lier le paramètre «Identity». Impossible de 
    convertir la valeur «System.Diagnostics.EventLogEntry» du type «System.Diagnost
    ics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing/5137» en type «
    Microsoft.ActiveDirectory.Management.ADObject».
    Au caractère Ligne:1 : 15
    + Move-AdObject $event .ReplacementStrings[8] -TargetPath 
    "ou=Tests,dc=corp,dc=lan ...
    +               ~~~~~~
        + CategoryInfo          : InvalidArgument : (:) [Move-ADObject], Parameter 
       BindingException
        + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveD 
       irectory.Management.Commands.MoveADObject

    But as I said, I have got an answer (or more) now
    One by JRV (you, in a post above) and one by Ashley McGlone
    So thanks again !

    There is a space in the variable that shouldn't be there:

     $event   .ReplacementStrings[8]
     $event.ReplacementStrings[8]   <<<-----


    \_(ツ)_/

    There is a space in the variable that shouldn't be there:

     $event   .ReplacementStrings[8]
     $event.ReplacementStrings[8]   <<<-----

    Ouupssss ! Sorry !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Yes it works like that too (IN CRE DI BLE !!!)
    So another way .... to do it
    THANKS !!!

    • Marked as answer by PatMCT Friday, February 19, 2016 10:40 AM
    • Unmarked as answer by PatMCT Friday, February 19, 2016 10:40 AM
    Friday, February 19, 2016 10:39 AM
  • Another one!

    if($event=get-winevent -LogName Security -FilterXPath "*[System[EventRecordID=$eventRecordId]]"){
         Move-AdObject $event.Properties[8].Value -TargetPath <some container>
    }else{
          'no records found'
    }


    \_(ツ)_/


    ah ah ah ah ah
    I have got all the ways I can do this now !!!

    ;-)))

    Thanks again !!!

    • Marked as answer by PatMCT Friday, February 19, 2016 10:40 AM
    • Unmarked as answer by PatMCT Friday, February 19, 2016 10:40 AM
    Friday, February 19, 2016 10:40 AM
  • That is what I was trying to get you to see.  You do not need all of that "select-object" stuff.  It is not used in this situation.  Just use the variable as it is delivered by the PowerShell objects. "Select-Object" is really designed to be used for much more complex tasks.

    This ---> $event.ReplacementStrings[8]    is a variable.  There is no need to put it into another variable and then take it back out again.  Just use it as it is.


    \_(ツ)_/



    • Edited by jrv Friday, February 19, 2016 10:44 AM
    Friday, February 19, 2016 10:44 AM
  • That is what I was trying to get you to see.  You do not need all of that "select-object" stuff.  It is not used in this situation.  Just use the variable as it is delivered by the PowerShell objects. "Select-Object" is really designed to be used for much more complex tasks.

    This ---> $event.ReplacementStrings[8]    is a variable.  There is no need to put it into another variable and then take it back out again.  Just use it as it is.


    \_(ツ)_/



    Yes !!!
    That's INCREDIBLE
    I created the problem myself, thinking that PowerShell was NOT ABLE to process it ... but PowerShell CAN !

    So i had the solution without knowing it !
    THANKS FOR OPENING MY EYES !
    ;-)))

    Friday, February 19, 2016 10:48 AM
  • Good luck.  Always assume that PowerShell can do it.

    \_(ツ)_/

    Friday, February 19, 2016 10:50 AM
  • Just one more please

    When I try :
    get-winevent -LogName Security -FilterXPath "*[System[EventRecordID=XXXX]]"

    where XXXX is my eventRecordID number

    It's OK

    But when I try :

    get-winevent -LogName Security -FilterXPath "*[System[EventRecordID=$eventRecordId]]"

    I get an error :

    ... I checked that the task returns me the right eventRecordID
    Is it just a syntax problem ?

    Friday, February 19, 2016 12:09 PM
  • It works fine for me. 

    $x=Get-WinEvent -LogName security -MaxEvents 1
    $eventRecordID=$x.RecordID
    get-winevent -LogName Security -FilterXPath "*[System[EventRecordID=$eventRecordId]]"
    What is the exact error?


    \_(ツ)_/


    • Edited by jrv Friday, February 19, 2016 12:16 PM
    Friday, February 19, 2016 12:16 PM
  • SORRY It WORKS

    get-winevent -LogName Security -FilterXPath "*[System[EventRecordID=$eventRecordId]]"

    is ok

    Sorry .........

    Friday, February 19, 2016 12:16 PM
  • It works fine for me. 

    $x=Get-WinEvent -LogName security -MaxEvents 1
    $eventRecordID=$x.RecordID
    get-winevent -LogName Security -FilterXPath "*[System[EventRecordID=$eventRecordId]]"
    What is the exact error?


    \_(ツ)_/


    Sorry !
    It works fine ....

    I have to be more careful and test more before posting
    All is ok
    Sorry 

    Friday, February 19, 2016 12:37 PM
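
The pieces discussed in this thread (the record ID handed over by the event-triggered task, the Get-WinEvent XPath lookup, and Move-ADObject) put together as an added example; it is not code from any poster. The site-code naming convention, the OU paths, `$SiteOuMap`, `Get-TargetOu` and the parameter name are hypothetical. Because the computer name is chosen by whoever joins the machine, the name is matched against an anchored pattern and anything that does not fit is left where it is.

```powershell
# Added example, not code from the thread. Runs on the DC from the event-triggered task.
# Assumed (hypothetical): site-code naming convention, OU names, parameter name.
param(
    # Typed as a number so nothing but digits can reach the XPath filter below
    [Parameter(Mandatory = $true)] [long] $EventRecordId
)

Import-Module ActiveDirectory

# Hypothetical map: 3-letter site code at the start of the computer name -> OU
$SiteOuMap = @{
    'PAR' = 'OU=Paris,OU=Workstations,DC=corp,DC=lan'
    'LYO' = 'OU=Lyon,OU=Workstations,DC=corp,DC=lan'
}

function Get-TargetOu {
    param([string] $ObjectDN, [hashtable] $Map)
    # Anchored pattern: only names that follow the convention exactly are accepted
    if ($ObjectDN -notmatch '^CN=(?<site>[A-Z]{3})-[A-Z0-9]{1,11},') { return $null }
    return $Map[$Matches['site']]   # $null when the site code is unknown
}

# Fetch exactly the record that fired the task, and only if it is a 5137
$xpath  = "*[System[(EventID=5137) and (EventRecordID=$EventRecordId)]]"
$record = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
if (-not $record) {
    Write-Warning "No 5137 event with record ID $EventRecordId"
    return
}

# Read the event fields by name instead of by position
$data = @{}
foreach ($d in ([xml]$record.ToXml()).Event.EventData.Data) {
    $data[$d.Name] = $d.'#text'
}

# 5137 is logged for every audited object type; act on computer accounts only
if ($data['ObjectClass'] -ne 'computer') { return }

$targetOu = Get-TargetOu -ObjectDN $data['ObjectDN'] -Map $SiteOuMap
if (-not $targetOu) {
    Write-Warning "No OU rule for '$($data['ObjectDN'])'; object left where it is"
    return
}

# Talk to the local DC: the new object may not have replicated elsewhere yet
Move-ADObject -Identity $data['ObjectDN'] -TargetPath $targetOu -Server $env:COMPUTERNAME
```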