Collecting Failed logon via PowerShell

  • Question

  • Hi Folks, I found this cool script to collect failed logons from an individual computer.

    Get-EventLog -LogName Security | Where-Object { $_.EntryType -eq 'FailureAudit' } | Export-Csv C:\Failures.csv -NoTypeInformation

    My question to you: can you recommend a method to collect failed logons from an OU containing all my computers?

    Or is there another script I can use?

    Thanks

    Friday, January 31, 2020 7:53 PM

Answers

  • First use the correct cmdlet, as it is faster and returns more usable information:

    Here is how to get the unsuccessful logons in Windows (post-Vista)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'; ID = 4625 }

    The computer name is buried in the data, so it must be parsed from the XML or the properties. You would then have to get the computer from AD and check its OU.

    Search the Gallery for scripts that will help you understand how to write this code.

    "Get-EventLog" is deprecated and does not work well with modern Windows. It is also very slow, as it will return thousands of records that you don't need.


    \_(ツ)_/

    Friday, January 31, 2020 8:48 PM

All replies

  • Hi sidneyll,

    You can use a variable to store the contents of the OU using the Get-ADComputer cmdlet as shown below:

    # An OU is addressed with OU=, not CN= (CN= is a container such as the default Computers container)
    $ourComputers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=contoso,DC=com"

    ForEach ($computer in $ourComputers)
    {
        # -ComputerName expects a host name string, not the ADComputer object itself
        Get-EventLog -LogName Security -ComputerName $computer.Name -InstanceId 4625
    }


    Best regards, Chandler

    Friday, January 31, 2020 8:26 PM
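The two replies above cover the two halves of the task: enumerate the computers in an OU, and pull event ID 4625 with Get-WinEvent and parse the event data rather than dumping the whole Security log. The script below is an added example that joins the two halves; it is not code from the thread or from either poster. It assumes the RSAT ActiveDirectory module is installed, that WinRM is enabled on the targets, that the caller is in Event Log Readers (or is a local administrator) on each target, and that the OU distinguished name and the output path are placeholders you replace with your own.

```powershell
# Added example: collect failed logons (event 4625) from every computer in one OU.
# Assumptions: RSAT ActiveDirectory module present, WinRM reachable on targets,
# caller may read the Security log. The OU DN and output path are placeholders.
param(
    [string]$SearchBase = 'OU=Workstations,DC=contoso,DC=com',   # placeholder OU
    [int]$Hours = 24,                                            # look-back window
    [string]$OutFile = 'C:\Failures.csv'
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)

# Enabled computers only; remoting wants the DNS host name, not the AD object.
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties DNSHostName |
           Select-Object -ExpandProperty DNSHostName

# Runs on each target. A filter hashtable makes the event log service do the
# filtering (log, provider, ID, time) instead of shipping every record over the wire.
$collector = {
    param($since)
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        ID           = 4625
        StartTime    = $since
    }
    # Get-WinEvent raises a non-terminating "No events were found" error when the
    # window is empty; SilentlyContinue turns that into an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name rather than by numeric position, so the
        # script keeps working if the property order differs between OS versions.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            TimeCreated  = $_.TimeCreated
            TargetUser   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType    = $d.LogonType          # 2 interactive, 3 network, 10 RDP ...
            Status       = $d.Status
            SubStatus    = $d.SubStatus          # 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
            SourceIp     = $d.IpAddress
            Workstation  = $d.WorkstationName
            LogonProcess = $d.LogonProcessName
            AuthPackage  = $d.AuthenticationPackageName
        }
    }
}

# Invoke-Command fans out to the targets in parallel and tags every returned object
# with PSComputerName; hosts that are offline produce an error but do not stop the run.
$events = Invoke-Command -ComputerName $targets -ScriptBlock $collector -ArgumentList $since -ErrorAction Continue

$events | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Quick triage view: which account/source pairs are failing most often in the window.
$events | Group-Object TargetUser, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Two practical notes. First, the Security log lives on each host, so this approach scales only as far as you are willing to poll; once the OU is more than a few hundred machines, Windows Event Forwarding (a subscription for ID 4625 into a collector) or a SIEM agent is the better way to get the same data. Second, SubStatus is what separates a typo from an attack: many failures with 0xC000006A against real accounts from a single SourceIp is password spraying, while 0xC0000064 against accounts that do not exist is usually username enumeration.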