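# Renders a progress bar for a counted task.
# Arguments: $actual   - items completed so far
#            $full     - total number of items (0 is tolerated and shown as 0%)
#            $status   - optional status line; defaults to "Searching $actual of $full"
#            $Activity - optional activity title; defaults to "Getting results"
# Outputs:   writes to the progress stream via Write-Progress; returns nothing
function show-progressbar([int]$actual, [int]$full, [string]$status, [string]$Activity)
{
    # Guard the division: $full is 0 when there is nothing to count (or a .count
    # property came back $null and was coerced to 0), and an integer divide by
    # zero throws and aborts the caller's loop.
    if ($full -le 0) {
        $porcentaje = 0
    }
    else {
        $porcentaje = ($actual / $full) * 100
    }
    # Write-Progress rejects -PercentComplete outside 0..100, so clamp it.
    if ($porcentaje -gt 100) { $porcentaje = 100 }
    if ($porcentaje -lt 0)   { $porcentaje = 0 }
    if (!$status) {
        $status = "Searching $actual of $full"
    }
    if (!$Activity) {
        $Activity = "Getting results"
    }
    Write-Progress -Activity $Activity -Status $status -PercentComplete $porcentaje
}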
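# Collects account-lockout (4740) and failed-logon (4625) events from every
# domain controller and writes two CSVs under ./Events:
#   Log_Bloqueados.csv - one row per event (User, Machine, Event, Date, Time, DC)
#   log_dcs.csv        - one row per DC (DC, Online, Evento, Error)
# Requires the ActiveDirectory module and WinRM access to each DC.
import-module activedirectory

# Accumulators. ArrayList.Add() is O(1); `$array += $row` rebuilds the array on
# every event, which gets slow on DCs holding tens of thousands of 4625 events.
$logcompleto = New-Object System.Collections.ArrayList
$logdcs      = New-Object System.Collections.ArrayList
$cuentadc    = 1

# Creates a new "Events" folder, just in case it doesn't exist.
New-Item -Name Events -Type directory -Force | Out-Null

# Levanta todos los DCs (lists every domain controller in the domain).
$dcs = Get-ADDomainController -Filter *
# @() so a single DC still counts as 1 (a scalar has no .count on PowerShell 2,
# which would have fed $null into the progress bar's division).
$dctotal = @($dcs).Count

# Collector that runs ON the domain controller. It reads the fields it needs
# from the event's EventData by position instead of splitting the localized
# Message text by line/tab index, which breaks as soon as the message template
# or the OS language differs. It returns small custom objects so only strings
# and dates cross the WinRM boundary (methods such as ToXml() are not available
# on deserialized event records, so the extraction has to happen remotely).
# The two relevant EventIDs for this script are:
#   EventID=4740 = user Lockout
#   EventID=4625 = Failed Login
$collector = {
    # Returns EventData property $i as a string, or "" when it is absent.
    function Get-EventField($list, $i) {
        if ($list -and $i -lt $list.Count) { return [string]$list[$i].Value }
        return ""
    }
    # Both IDs live only in the Security log; naming it makes the query explicit.
    # SilentlyContinue keeps the "No events were found" error from surfacing.
    Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4740 or EventID=4625)]]" -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Capture $_ first: inside a switch block $_ is rebound to the tested value.
            $evt   = $_
            $props = $evt.Properties
            $usuario = $null; $maquina = $null; $EventType = $null
            # $show is decided per event; the original reset it only once per DC,
            # so one skipped 4625 suppressed every later event on that DC.
            $show = $true
            switch ($evt.Id) {
                4740 {
                    ## CASE 4740 - User Lockout
                    # EventData[0] = TargetUserName (the locked account)
                    # EventData[1] = TargetDomainName (the "Caller Computer Name"
                    #                that sent the bad passwords)
                    $usuario   = Get-EventField $props 0
                    $maquina   = Get-EventField $props 1
                    $EventType = "Lockout"
                }
                4625 {
                    ## CASE 4625 - Login Failure
                    if ($evt.ProviderName -eq "Microsoft-Windows-Security-Auditing") {
                        # EventData[5]  = TargetUserName (account that failed to log on)
                        # EventData[13] = WorkstationName (where the attempt came from)
                        $usuario   = Get-EventField $props 5
                        $maquina   = Get-EventField $props 13
                        $EventType = "Bad Login"
                    }
                    else {
                        # A 4625 from another provider is not a logon failure: skip it.
                        $show = $false
                    }
                }
                default {
                    ## Something went bad (the XPath filter should make this unreachable).
                    $usuario   = "ERROR"
                    $maquina   = "ERROR"
                    $EventType = "ERROR"
                }
            }
            if ($show) {
                New-Object PSObject -Property @{
                    Id          = $evt.Id
                    TimeCreated = $evt.TimeCreated
                    User        = $usuario
                    Machine     = $maquina
                    EventType   = $EventType
                }
            }
        }
}

foreach ($dc in $dcs) {
    $nombredc     = $dc.Name
    $EventCounter = 0
    $errorDC      = ""

    # Checking Domain Controller $nombredc - Chequeando disponibilidad.
    $Status = "Checking Domain Controller $nombredc ($cuentadc of $dctotal) - Chequeando disponibilidad."
    show-progressbar $cuentadc $dctotal $Status
    $online = Test-Connection $nombredc -Quiet -Count 1

    if ($online) {
        # Checking Domain Controller $nombredc - Getting Events.
        $Status = "Checking Domain Controller $nombredc ($cuentadc of $dctotal) - Getting Events."
        show-progressbar $cuentadc $dctotal $Status
        $logs = @()
        try {
            # ICMP reachability says nothing about WinRM. With -ErrorAction Stop a
            # WinRM or authorization failure lands in the catch and is recorded in
            # the DC log, instead of silently being reported as "0 events".
            $logs = @(Invoke-Command -ComputerName $nombredc -ScriptBlock $collector -ErrorAction Stop)
        }
        catch {
            $errorDC = $_.Exception.Message
            Write-Warning "Could not collect events from ${nombredc}: $errorDC"
        }
        $TotalEvents = $logs.Count
        foreach ($evento in $logs) {
            $EventCounter += 1
            # Checking Domain Controller $nombredc - Total Events
            $Status = "Checking Domain Controller $nombredc ($cuentadc of $dctotal) - Event $EventCounter of $TotalEvents"
            show-progressbar $cuentadc $dctotal $Status
            # TimeCreated is rehydrated as a DateTime, so the short-format methods work.
            $hora  = $evento.TimeCreated.ToShortTimeString()
            $fecha = $evento.TimeCreated.ToShortDateString()
            # Same column names and order as before so downstream consumers of the CSV keep working.
            $fila = $evento | Select-Object `
                @{Expression={$_.User};      Label="User"}, `
                @{Expression={$_.Machine};   Label="Machine"}, `
                @{Expression={$_.EventType}; Label="Event"}, `
                @{Expression={$fecha};       Label="Date"}, `
                @{Expression={$hora};        Label="Time"}, `
                @{Expression={$nombredc};    Label="DC"}
            [void]$logcompleto.Add($fila)
        }
    }
    else {
        # The DC is unavailable
        Write-Host "The Domain controller $nombredc is OFFLINE" -BackgroundColor "red" -ForegroundColor black
    }
    # "Error" is new: empty when collection worked, the WinRM/auth error text otherwise.
    $filaDC = $cuentadc | Select-Object `
        @{Expression={$nombredc};     Label="DC"}, `
        @{Expression={$online};       Label="Online"}, `
        @{Expression={$EventCounter}; Label="Evento"}, `
        @{Expression={$errorDC};      Label="Error"}
    [void]$logdcs.Add($filaDC)
    $cuentadc += 1
}

# Exports the Events log to CSV
$logcompleto | Export-Csv ./Events/Log_Bloqueados.csv
# Exports the DC Availability log to CSV
$logdcs | Export-Csv ./Events/log_dcs.csv
##Fin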