locked
Get-WinEvent with username, how to convert sid to display name RRS feed

  • Question

  • When i try the below commmand i'm getting the output user list in SID. please let me know how to get the output as normal AD display name / Samaccoount. From GUI i can see normal user ID.

    Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';id=307}  -MaxEvents 1 | ft UserId


    • Edited by Sarathi1012 Monday, October 7, 2019 7:28 PM
    Monday, October 7, 2019 7:15 PM

All replies

  • Convert it to a user name.

    $sid = (Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';id=307}  -MaxEvents 1).UserID
    Get-AdUser $sid


    \_(ツ)_/


    • Edited by jrv Monday, October 7, 2019 7:45 PM
    Monday, October 7, 2019 7:44 PM
  • This one already i tried and getting below error.

    Get-ADUser : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADUser' required by parameter 'Identity'. Specified method is not supported.
    At line:1 char:11
    + Get-ADUser <<<<  $sid
        + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
        + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADUser


    Tuesday, October 8, 2019 4:06 AM
  • The code I posted is tested and works. What did you do to break it. Remember that the  name you pass to Get-AdUser must meet some very special conditions.

    Read the help carefully to discover what you have done wrong.

    Read the error message carefully as it shows you your exact error and why it is an error.

    help get-aduser -online


    \_(ツ)_/

    Tuesday, October 8, 2019 4:15 AM
  • Sorry, your script is working fine, only problme when i change the maxevent to more than 1

    $sid = (Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';id=307}  -MaxEvents 10).UserID
    Get-AdUser $sid

    Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.

    At line:1 char:11
    + Get-AdUser <<<<  $sid
        + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    Tuesday, October 8, 2019 4:29 AM
  • There is no need to do that.    Get-Aduser does not need to have a server specified. YOu had to have changed something else. Your result is an array and it can never be an array if you used my code without any changes,


    \_(ツ)_/

    Tuesday, October 8, 2019 4:32 AM
  • Sorry, your script is working fine, only problme when i change the maxevent to more than 1

    $sid = (Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';id=307}  -MaxEvents 10).UserID
    Get-AdUser $sid

    Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.

    At line:1 char:11
    + Get-AdUser <<<<  $sid
        + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    Good.  You will need to enumerate the results to get the users one at a time.


    \_(ツ)_/

    Tuesday, October 8, 2019 4:33 AM
  • Its not just about10 events its more than 300 and i don't how to pull the result in single shot.

    I tired to get complete SID in txt and below script but again no luck.

    $UserNamesList = get-content -path "C:\events.txt"
    foreach ($name in $UserNamesList){
    Get-ADUser -Identity $name | ft name }


    • Edited by Sarathi1012 Tuesday, October 8, 2019 6:51 AM
    Tuesday, October 8, 2019 4:38 AM
  • Hi,

    Thanks for your question.

    What is your error message? Please try to post it for better help.

    Also, please check your text file.

    For example:

    Get-Content c:\events.txt | %{Get-ADUser -Identity $_ }| ft name

    Best regards,

    Lee


    Just do it.


    Tuesday, October 8, 2019 7:41 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 8, 2019 2:13 PM