Save users' PowerShell transcripts in AD for audit purposes

  • Question

  • Hi, I need your guidance on how to save Windows PowerShell (or any kind of PowerShell) transcript output to the users' AD profile, and how I can view them.
    Monday, July 1, 2019 10:31 AM

All replies

  • Monday, July 1, 2019 10:50 AM
  • The transcripts are saved in the users profile by default.

    Start by reading the documentation for the command.

    help start-transcript -online

    It will explain all of this to you in detail with examples.


    ¯\_(ツ)_/¯

    Monday, July 1, 2019 11:04 AM
  • Hi Satya1111

    I'm thinking that an easy way is the following:

    ### First step: prepare one or several reference profiles. Create the following .ps1 files:
    Microsoft.PowerShell_profile.ps1 and/or
    Microsoft.PowerShellISE_profile.ps1 and/or
    Microsoft.VSCode_profile.ps1
    # which ones you need depends on whether users use the PowerShell console, the PowerShell ISE or Visual Studio Code

    # and put these lines in it:

    # Define the current date, used to timestamp the transcript files automatically (change the format as you like).
    # HH is the 24-hour clock, so morning and afternoon sessions cannot produce the same file name.
    $Date = Get-Date -Format "yyyy-MM-dd-HH-mm-ss"

    # Define the path and the file name for the transcript file automatically
    $TranscriptFilePath = "C:\My\Path\for\Transcript\TranscriptSession-$Date.log"

    # And now customize the $PSDefaultParameterValues variable.
    # One of the possible syntaxes is: $PSDefaultParameterValues['<CmdletName>:<ParameterName>'] = "<DefaultValue>"

    # Ref.: https://learn-powershell.net/2013/12/11/using-psdefaultparametervalues-in-powershell/

    $PSDefaultParameterValues['Start-Transcript:Path'] = $TranscriptFilePath

    # At this step you have prepared customized profile files

    #### Second step - push the profile files to the remote computer
    # An easy way is to use a logon script to do this.
    Careful:
    > Don't forget to create/validate the destination path for the transcript files on each computer
    > The path for the current profiles is: Join-Path -Path $HOME -ChildPath "Documents\WindowsPowerShell"

    With these elements you will be able to create an efficient logon script.

    Then, when a user logs on to a computer:
    > the logon script checks whether the transcript directory exists and creates it if necessary
    > the logon script pushes one (or more) reference profile files (Microsoft.PowerShell_profile.ps1) into the profile path for the current user. It's just a very small file, so there is no network contention to wait for.

    If you want, you can customize some other elements (here is an example from my current profile):
    # prompt setup
        Function Get-Time { return $(get-date | ForEach-Object { $_.ToLongTimeString() } ) }
        Function prompt {
                # Write the time
                write-host "[" -noNewLine
                write-host $(Get-Time) -foreground yellow -noNewLine
                write-host "] " -noNewLine
                # Write the path
                write-host $($(Get-Location).Path.replace($home, "~").replace("\", "/")) -foreground green -noNewLine
                write-host $(if ($nestedpromptlevel -ge 1) { '>>' }) -noNewLine
                return "> "
            }
    # or a default location (i.e. c:\temp), a default encoding value ($PSDefaultParameterValues['*:Encoding'] = 'utf8'), update-help, update-module, the time to load the profile (with measure-command), and many other little things, useful or less so.
    # Show GUI
        $IPAddress=@(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.DefaultIpGateway})[0].IPAddress[0]
        $PSVersion=($Host | Select-Object -ExpandProperty Version) -replace '^.+@\s'
        Write-Host "# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" -ForegroundColor Yellow
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "++++++++++"
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "++  ++++++`tHi $($env:UserName)!"
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "+++  +++++"
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "++++  ++++`tComputerName`t`t`t`t" -nonewline; Write-Host $($env:COMPUTERNAME) -ForegroundColor Cyan
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "++++  ++++`t IP Address`t`t`t`t`t" -nonewline; Write-Host $IPAddress -ForegroundColor Cyan
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "+++  +++++`tUserName`t`t`t`t" -nonewline; Write-Host $env:UserDomain\$env:UserName -ForegroundColor Cyan
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "++      ++`tPowerShell Version `t`t" -nonewline; Write-Host $PSVersion -ForegroundColor Cyan
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "++++++++++`tExecutionPolicy `t`t`t" -nonewline; Write-Host $(Get-ExecutionPolicy) -ForegroundColor Cyan
        Write-Host "# + " -ForegroundColor Yellow -nonewline; Write-Host "++++++++++"
        Write-Host "# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++`n" -ForegroundColor Yellow

    Sorry, I can't do short ... too often. :-)

    Oliv

    Monday, July 1, 2019 12:14 PM
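The two-step procedure in the reply above (a reference profile that points Start-Transcript at a timestamped file, pushed by a logon script) as one runnable script, added here as an example; it is not code from the thread or from either poster. One caveat matters for an audit use case: a per-user profile is bypassed by `powershell.exe -NoProfile` and can be edited or deleted by the user, so the second function also shows the machine-wide alternative, which writes the same registry values that the "Turn on PowerShell Transcription" Group Policy sets and therefore records every host (console, ISE, VS Code, scheduled tasks, remoting) regardless of profiles. The folder names, the `\\fileserver\Transcripts$` share and the function names are assumptions for illustration; the registry key and value names are the documented policy settings.

```powershell
# Added example (not from the original thread). Two ways to get PowerShell
# sessions transcribed, wrapped as functions a logon script or a GPO startup
# script can call. Paths and share names below are assumptions.

function New-TranscriptProfile {
    <#
      Profile-based approach from the thread: write a per-user profile that
      points Start-Transcript at a timestamped file and starts it automatically.
      Run this from a logon script in the user's own context.
    #>
    param(
        # Directory that receives this user's transcripts (assumed local folder)
        [string]$TranscriptRoot = (Join-Path $env:LOCALAPPDATA 'PSTranscripts'),
        # Windows PowerShell 5.1 console-host profile for the current user
        [string]$ProfilePath = (Join-Path $HOME 'Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1')
    )
    # -Force makes New-Item idempotent: no error if the directory already exists
    New-Item -ItemType Directory -Path $TranscriptRoot -Force | Out-Null
    New-Item -ItemType Directory -Path (Split-Path $ProfilePath) -Force | Out-Null

    # Single-quoted here-string: $Date etc. are evaluated when the profile
    # loads, not when this file is written. HH = 24-hour clock.
    $profileText = @'
$Date = Get-Date -Format 'yyyy-MM-dd-HH-mm-ss'
$TranscriptFilePath = Join-Path '__ROOT__' "TranscriptSession-$Date.log"
$PSDefaultParameterValues['Start-Transcript:Path'] = $TranscriptFilePath
# Start recording immediately so the user does not have to remember to.
Start-Transcript -IncludeInvocationHeader | Out-Null
'@
    # String.Replace is literal, so a share name containing '$' is safe here
    $profileText = $profileText.Replace('__ROOT__', $TranscriptRoot)

    Set-Content -Path $ProfilePath -Value $profileText -Encoding UTF8
    return $ProfilePath
}

function Enable-PolicyTranscription {
    <#
      Machine-wide transcription via the registry values behind the
      "Turn on PowerShell Transcription" Group Policy. Unlike a profile it is
      not skipped by -NoProfile and cannot be edited by the user. Needs
      administrator rights; in production deploy it by GPO instead.
    #>
    param(
        # Central share for transcripts (assumed hidden share on a file server)
        [Parameter(Mandatory)][string]$OutputDirectory
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name EnableTranscripting    -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name EnableInvocationHeader -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name OutputDirectory        -PropertyType String -Value $OutputDirectory -Force | Out-Null
}

function Test-PolicyTranscription {
    # Read the policy back so an audit or compliance script can confirm the
    # host is configured. Returns $true only when transcription is on and a
    # target directory is set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    if (-not (Test-Path $key)) { return $false }
    $enabled = Get-ItemPropertyValue -Path $key -Name EnableTranscripting -ErrorAction SilentlyContinue
    $dir     = Get-ItemPropertyValue -Path $key -Name OutputDirectory     -ErrorAction SilentlyContinue
    return ($enabled -eq 1) -and -not [string]::IsNullOrWhiteSpace($dir)
}

# Example usage (adjust the paths for your environment; left commented so
# running this file does not touch the registry by accident):
# New-TranscriptProfile -TranscriptRoot 'C:\Transcripts'
# Enable-PolicyTranscription -OutputDirectory '\\fileserver\Transcripts$'
# Test-PolicyTranscription
```

With the policy in place, each host writes its files under `OutputDirectory\yyyyMMdd\`, named `PowerShell_transcript.<computer>.<id>.<timestamp>.txt`, which is where you go to "see them" (for example `Get-ChildItem '\\fileserver\Transcripts$' -Recurse -Filter '*.txt'`). Transcripts are written in the security context of the logged-on user, so the share needs an ACL that lets users create files but not read or modify existing ones; otherwise the person being audited can edit their own record.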