I am writing a function to find metadata on user accounts in AD using PowerShell and I would like to add a column to my Out-GridView that shows the Event ID that you would see on Server 2012 when a change is made to that account. I'm running into an issue
though where I am not sure about which Event IDs correspond to a specific PowerShell attribute.
Example: Event ID 4720 - A user account was created. Is this similar to the whenCreated attribute in PowerShell?
Or: Event ID 4781 - The name of an account was changed. Does this relate to when the 'name' or 'DisplayName' attribute is changed?
I've tried looking in the TechNet Library (e.g.- https://technet.microsoft.com/en-us/library/dn319091(v=ws.11).aspx) but have been unsuccessful so far in finding what I am looking for. Does anyone know of a place where I can find this information or
know of a way to find out? My code is below and you can run it on your own system to view the output, but basically what I've come up with is a large If-ElseIf-ElseIf... statement that will be placed/start on line 59 (copy-paste into PS):
If (AttributeName) {"EventID#"} ElseIf (AttributeName2) ... Else{blank}
Here is the full advanced function as I have it so far:
<#
.Synopsis
Used to view basic metadata for a specified user.
.DESCRIPTION
Will display an Out-GridView window of metadata for all attributes of a specified user.
.EXAMPLE
Use a manually entered sAMAccountName value or provide one through the pipeline.
Get-UserMetadata mjw2
.EXAMPLE
Use a manually entered DistinguishedName value or provide one through the pipeline.
Get-UserMetadata CN=Samuels\, Christopher,OU=0260_Computer_Network_Services,OU=030_Energy_Delivery,DC=otpco,DC=com
.INPUTS
This can be input manually or can be passed from the pipeline:
Required: -Identity (DistinguishedName, objectGUID, objectSID, sAMAccountName)
Microsoft.ActiveDirectory.Management.ADObject
This must be input manually:
Optional: -Server ('Name of target server')
.OUTPUTS
An Out-GridView of basic metadata for a specific user.
#>
Function Get-ADUserMetadata {
[CmdletBinding(SupportsShouldProcess=$true,
ConfirmImpact='Low')]
param (
#Provide valid 'Get-ADUser' -Identity value
[Parameter(Mandatory=$true,
Position=0,
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$True,
HelpMessage='ADUser objectGUID, objectSID, DistinguishedName, or sAMAccountName')]
[ValidateNotNullOrEmpty()]
[Alias('ObjectGUID','ObjectSID','DistinguishedName','sAMAccountName')]
[string]$Identity,
#Target server for query defaults to 'localhost' if not specified
[string]$Server='localhost',
#Use if you also want to see the groups user is a member of and when they were added
[switch]$MemberOf
)
Begin {
[string]$IdentityParse = Get-ADuser $Identity -Properties distinguishedName | Select-Object distinguishedName
$IdentityParse = $IdentityParse.Replace("@{DistinguishedName=","")
$IdentityParse = $IdentityParse.Replace("}","")
}
Process {
if ($pscmdlet.ShouldProcess("$server", "Get-ADReplicationAttributeMetadata $Identity")) {
}
Get-ADReplicationAttributeMetadata -Object $IdentityParse -Server localhost -ShowAllLinkedValues |
Select-Object LocalChangeUsn, LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeUsn, LastOriginatingChangeTime, Version, AttributeName, AttributeValue |
Sort AttributeName |
Out-GridView
If ($MemberOf) {
Get-ADUser $IdentityParse -Properties memberOf |
Select-Object -ExpandProperty memberOf |
ForEach-Object {
Get-ADReplicationAttributeMetadata $_ -Server localhost -ShowAllLinkedValues |
Where-Object {$_.AttributeName -eq 'member' -and
$_.AttributeValue -eq $IdentityParse
} |
Select-Object FirstOriginatingCreateTime, Object, AttributeValue
} |
Sort-Object FirstOriginatingCreateTime -Descending | Out-GridView
}
}
End {
}
}
Let me know if there is any other information you need. I can also provide the list of specific Event IDs that I will only be looking for (~55). I have them typed in a Word Doc if you would like to look at them.
