Pastebin
API
tools
faq
paste
Login
Sign up
Please fix the following errors:
New Paste
Syntax Highlighting
<# .Synopsis Enumerates Logged On Sessions on a give host. .DESCRIPTION Enumerates Logged On Sessions on a give host using WMI. .EXAMPLE Get-AuditLogedOnSessions | where {$_.processes.count -gt 0} Retrieves sessions that have running processes. #> function Get-AuditLogedOnSessions { [CmdletBinding()] Param ( [Parameter(Mandatory=$false)] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory=$false)] [string]$ComputerName = "localhost" ) begin { $loggedsessions = @() $SessionType = @{ 2 = 'Interactive' 3 = 'Network' 4 = 'Batch' 5 = 'Servie' 6 = 'Proxy' 7 = 'Unlock' 8 = 'NetworkCleartext' 9 = 'NewCredentials' 10 = 'Terminal' 11 = 'CachedInteractive' 12 = 'CachedTerminal' 13 = 'CachedUnlock' } } process { $sessions = Get-WmiObject win32_logonsession -Credential $Credential -ComputerName $ComputerName | select -Unique foreach ($session in $sessions) { try{ $account = $session.getrelated('win32_useraccount') if ($account -ne $null) { $loggedsessions += [pscustomobject][ordered]@{Name=$account.Caption SID=$account.SID FullName=$account.fullname Created=[System.Management.ManagementDateTimeConverter]::todatetime($session.StartTime) AuthenticationType=$session.AuthenticationPackage LogonType=$SessionType[[int]$session.LogonType] Processes=$session.GetRelated('win32_process') } } } catch {} } } end {$loggedsessions} } <# .Synopsis Gets a list of Domain Computer accounts and their details using ADSI. .DESCRIPTION Gets a list of Domain coputer accounts and their details using ADSI. If the machine it is ran from is in the domain and no Domain Controller is specified it will run with the privelages of the user. Support the use of alternate user credentials when ran against a domain controller. The host must use the same DNS server to be able to reseolve the hostnames to the proper IPAddress. .EXAMPLE Get-AuditDSComputerAccount -DomainController 192.168.10.10 -Credential (Get-Credential) cmdlet Get-Credential at command pipeline position 1 Supply values for the following parameters: HostName : DC01.acmelabs.com OperatingSystem : Windows Server 2012 Standard ServicePack : Version : 6.2 (9200) DN : CN=DC01,OU=Domain Controllers,DC=acmelabs,DC=com Created : 1/12/2013 2:08:47 AM LastModified : 9/4/2013 7:07:02 PM IPAddress : {192.168.10.10} HostName : DC02.acmelabs.com OperatingSystem : Windows Server 2008 R2 Enterprise ServicePack : Service Pack 1 Version : 6.1 (7601) DN : CN=DC02,OU=Domain Controllers,DC=acmelabs,DC=com Created : 1/12/2013 2:15:02 AM LastModified : 8/27/2013 9:29:39 AM IPAddress : {192.168.10.12} HostName : WIN701.acmelabs.com OperatingSystem : Windows 7 Enterprise ServicePack : Service Pack 1 Version : 6.1 (7601) DN : CN=WIN701,OU=HR,DC=acmelabs,DC=com Created : 1/12/2013 2:45:21 AM LastModified : 8/26/2013 6:45:50 PM IPAddress : {192.168.10.20} HostName : WIN702.acmelabs.com OperatingSystem : Windows 7 Ultimate ServicePack : Service Pack 1 Version : 6.1 (7601) DN : CN=WIN702,OU=HR,DC=acmelabs,DC=com Created : 1/13/2013 3:27:10 PM LastModified : 8/26/2013 6:42:00 PM IPAddress : {192.168.10.21} HostName : WIN801.acmelabs.com OperatingSystem : Windows 8 Enterprise ServicePack : Version : 6.2 (9200) DN : CN=WIN801,CN=Computers,DC=acmelabs,DC=com Created : 1/13/2013 5:48:57 PM LastModified : 9/5/2013 5:09:25 AM IPAddress : {192.168.10.40} HostName : WIN2K01.acmelabs.com OperatingSystem : Windows Server 2012 Standard ServicePack : Version : 6.2 (9200) DN : CN=WIN2K01,CN=Computers,DC=acmelabs,DC=com Created : 1/14/2013 4:31:58 PM LastModified : 8/25/2013 5:28:07 PM IPAddress : {192.168.10.2} HostName : win2k301.acmelabs.com OperatingSystem : Windows Server 2003 ServicePack : Service Pack 2 Version : 5.2 (3790) DN : CN=WIN2K301,CN=Computers,DC=acmelabs,DC=com Created : 1/18/2013 12:51:59 PM LastModified : 8/15/2013 8:39:43 PM IPAddress : {192.168.10.50} #> function Get-AuditDSComputerAccount { [CmdletBinding()] Param( [Parameter(Mandatory=$false, HelpMessage="Credentials to use when connecting to a Domain Controller.")] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory=$false, HelpMessage="Domain controller for Domain and Site that you want to query against.")] [string]$DomainController, [Parameter(Mandatory=$false, HelpMessage="Maximum number of Objects to pull from AD, limit is 1,000 .")] [int]$Limit = 1000, [Parameter(Mandatory=$false, HelpMessage="scope of a search as either a base, one-level, or subtree search, default is subtree.")] [ValidateSet("Subtree","OneLevel","Base")] [string]$SearchScope = "Subtree", [Parameter(Mandatory=$false, HelpMessage="Distinguished Name Path to limit search to.")] [string]$SearchDN ) Begin { if ($DomainController -and $Credential.GetNetworkCredential().Password) { $objDomain = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$($DomainController)", $Credential.UserName,$Credential.GetNetworkCredential().Password $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } else { $objDomain = [ADSI]"" $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } } Process { $CompFilter = "(&(objectCategory=Computer))" $ObjSearcher.PageSize = $Limit $ObjSearcher.Filter = $CompFilter $ObjSearcher.SearchScope = "Subtree" if ($SearchDN) { $objSearcher.SearchDN = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($SearchDN)") } $ObjSearcher.FindAll() | ForEach-Object { $CompProps = [ordered]@{} $CompProps.Add('HostName', "$($_.properties.dnshostname)") $CompProps.Add('OperatingSystem', "$($_.properties.operatingsystem)") $CompProps.Add('ServicePack', "$($_.properties.operatingsystemservicepack)") $CompProps.Add('Version', "$($_.properties.operatingsystemversion)") $CompProps.Add('DN', "$($_.properties.distinguishedname)") $CompProps.Add('Created', [datetime]"$($_.properties.whencreated)") $CompProps.Add('LastModified', [datetime]"$($_.properties.whenchanged)") $CompProps.Add('IPAddress',([System.Net.Dns]::GetHostAddresses("$($_.properties.dnshostname)"))) [pscustomobject]$CompProps } } End { } } <# .Synopsis Gets a list of Domain users and their details using ADSI. .DESCRIPTION Gets a list of Domain users and their details using ADSI. If the machine it is ran from is in the domain and no Domain Controller is specified it will run with the privelages of the user. Support the use of alternate user credentials when ran against a domain controller. .EXAMPLE Get-AuditDSUserAcount -Credential (Get-Credential) -DomainController 192.168.10.10 cmdlet Get-Credential at command pipeline position 1 Supply values for the following parameters: SAMAccount : Administrator Description : Built-in account for administering the computer/domain UserPrincipal : Administrator@acmelabs.com DN : CN=Administrator,CN=Users,DC=acmelabs,DC=com Created : 1/12/2013 2:06:53 AM LastModified : 9/10/2013 4:00:28 AM PasswordLastSet : 8/20/2013 2:13:07 PM AccountExpires : <Never> LastLogon : 9/14/2013 2:47:43 PM GroupMembership : CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=acmelabs,DC=com CN=Group Policy Creator Owners,CN=Users,DC=acmelabs,DC=com CN=Domain Admins,CN=Users,DC=acmelabs,DC=com CN=Enterprise Admins,CN=Users,DC=acmelabs,DC=com CN=Schema Admins,CN=Users,DC=acmelabs,DC=com CN=Administrators,CN=Builtin,DC=acmelabs,DC=com SID : S-1-5-21-3435989536-2782530369-1314837659-500 SAMAccount : Guest Description : Built-in account for guest access to the computer/domain UserPrincipal : DN : CN=Guest,CN=Users,DC=acmelabs,DC=com Created : 1/12/2013 2:06:53 AM LastModified : 1/12/2013 2:06:53 AM PasswordLastSet : 12/31/1600 8:00:00 PM AccountExpires : <Never> LastLogon : 12/31/1600 8:00:00 PM GroupMembership : CN=Guests,CN=Builtin,DC=acmelabs,DC=com SID : S-1-5-21-3435989536-2782530369-1314837659-501 SAMAccount : krbtgt Description : Key Distribution Center Service Account UserPrincipal : DN : CN=krbtgt,CN=Users,DC=acmelabs,DC=com Created : 1/12/2013 2:08:47 AM LastModified : 3/20/2013 4:38:18 PM PasswordLastSet : 1/11/2013 10:08:47 PM AccountExpires : <Never> LastLogon : 12/31/1600 8:00:00 PM GroupMembership : CN=Denied RODC Password Replication Group,CN=Users,DC=acmelabs,DC=com SID : S-1-5-21-3435989536-2782530369-1314837659-502 SAMAccount : cperez Description : UserPrincipal : cperez@acmelabs.com DN : CN=carlos Perez,CN=Users,DC=acmelabs,DC=com Created : 1/13/2013 9:32:18 PM LastModified : 7/3/2013 1:34:00 AM PasswordLastSet : 1/13/2013 5:32:18 PM AccountExpires : <Never> LastLogon : 6/26/2013 7:24:53 PM GroupMembership : SID : S-1-5-21-3435989536-2782530369-1314837659-1604 #> function Get-AuditDSUserAcount { [CmdletBinding(DefaultParametersetName="Default")] Param( [Parameter(ParameterSetName='Modified')] [Parameter(ParameterSetName='Created')] [Parameter(ParameterSetName='Default')] [Parameter(Mandatory=$false, HelpMessage="Credentials to use when connecting to a Domain Controller.")] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(ParameterSetName='Modified')] [Parameter(ParameterSetName='Created')] [Parameter(ParameterSetName='Default')] [Parameter(Mandatory=$false, HelpMessage="Domain controller for Domain and Site that you want to query against.")] [string]$DomainController, [Parameter(ParameterSetName='Modified')] [Parameter(ParameterSetName='Created')] [Parameter(ParameterSetName='Default')] [Parameter(Mandatory=$false, HelpMessage="Maximum number of Objects to pull from AD, limit is 1,000 .")] [int]$Limit = 1000, [Parameter(ParameterSetName='Modified')] [Parameter(ParameterSetName='Created')] [Parameter(ParameterSetName='Default')] [Parameter(Mandatory=$false, HelpMessage="scope of a search as either a base, one-level, or subtree search, default is subtree.")] [ValidateSet("Subtree","OneLevel","Base")] [string]$SearchScope = "Subtree", [Parameter(ParameterSetName='Modified')] [Parameter(ParameterSetName='Created')] [Parameter(ParameterSetName='Default')] [Parameter(Mandatory=$false, HelpMessage="Distinguished Name Path to limit search to.")] [string]$SearchDN, [Parameter(ParameterSetName='Modified', HelpMessage="Date to search for users mofied on or after this date.")] [datetime]$ModifiedAfter, [Parameter(ParameterSetName='Modified', HelpMessage="Date to search for users mofied on or before this date.")] [datetime]$ModifiedBefore, [Parameter(ParameterSetName='Created', HelpMessage="Date to search for users created on or after this date.")] [datetime]$CreatedAfter, [Parameter(ParameterSetName='Created', HelpMessage="Date to search for users created on or after this date.")] [datetime]$CreatedBefore ) Begin { if ($DomainController -and $Credential.GetNetworkCredential().Password) { $objDomain = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$($DomainController)", $Credential.UserName,$Credential.GetNetworkCredential().Password $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } else { $objDomain = [ADSI]"" $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } } Process { $SAMAccountFilter = "(sAMAccountType=805306368)" # Filter for modification time if ($ModifiedAfter -and $ModifiedBefore) { $SAMAccountFilter = "(&$($SAMAccountFilter)(whenChanged>=$($ModifiedAfter.ToString("yyyyMMddhhmmss.sZ")))(whenChanged<=$($ModifiedBefore.ToString("yyyyMMddhhmmss.sZ"))))" } elseif ($ModifiedAfter) { $SAMAccountFilter = "(&$($SAMAccountFilter)(whenChanged>=$($ModifiedAfter.ToString("yyyyMMddhhmmss.sZ"))))" } elseif ($ModifiedBefore) { $SAMAccountFilter = "(&$($SAMAccountFilter)(whenChanged<=$($ModifiedBefore.ToString("yyyyMMddhhmmss.sZ"))))" } # Fileter for creation time if ($CreatedAfter -and $CreatedBefore) { $SAMAccountFilter = "(&$($SAMAccountFilter)(whenChanged>=$($CreatedAfter.ToString("yyyyMMddhhmmss.sZ")))(whenChanged<=$($CreatedBefore.ToString("yyyyMMddhhmmss.sZ"))))" } elseif ($CreatedAfter) { $SAMAccountFilter = "(&$($SAMAccountFilter)(whenChanged>=$($CreatedAfter.ToString("yyyyMMddhhmmss.sZ"))))" } elseif ($CreatedBefore) { $SAMAccountFilter = "(&$($SAMAccountFilter)(whenChanged<=$($CreatedBefore.ToString("yyyyMMddhhmmss.sZ"))))" } # Search parameters $ObjSearcher.PageSize = $Limit $ObjSearcher.Filter = $SAMAccountFilter $ObjSearcher.SearchScope = $SearchScope if ($SearchDN) { $objSearcher.SearchDN = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($SearchDN)") } $ObjSearcher.FindAll() | ForEach-Object { $UserProps = [ordered]@{} $UserProps.Add('SAMAccount', "$($_.properties.samaccountname)") $UserProps.Add('Description', "$($_.properties.description)") $UserProps.Add('UserPrincipal', "$($_.properties.userprincipalname)") $UserProps.Add('DN', "$($_.properties.distinguishedname)") $UserProps.Add('Created', [dateTime]"$($_.properties.whencreated)") $UserProps.Add('LastModified', [dateTime]"$($_.properties.whenchanged)") $UserProps.Add('PasswordLastSet', [dateTime]::FromFileTime("$($_.properties.pwdlastset)")) $UserProps.Add('AccountExpires',( &{$exval = "$($_.properties.accountexpires)" If (($exval -eq 0) -or ($exval -gt [DateTime]::MaxValue.Ticks)) { $AcctExpires = "<Never>" } Else { $Date = [DateTime]$exval $AcctExpires = $Date.AddYears(1600).ToLocalTime() } $AcctExpires })) $UserProps.Add('LastLogon', [dateTime]::FromFileTime("$($_.properties.lastlogon)")) $UserProps.Add('GroupMembership', "$($_.properties.memberof)") $UserProps.Add('SID', "$(&{$sidobj = [byte[]]"$($_.Properties.objectsid)".split(" ");$sid = new-object System.Security.Principal.SecurityIdentifier $sidobj, 0; $sid.Value})") [pscustomobject]$UserProps } } } <# .Synopsis Gets a list of Domain users and their details using ADSI. .DESCRIPTION Gets a list of Domain users and their details using ADSI. If the machine it is ran from is in the domain and no Domain Controller is specified it will run with the privelages of the user. Support the use of alternate user credentials when ran against a domain controller. .EXAMPLE Get-AuditDSLockedUserAcount -DomainController 192.168.10.10 -Credential (Get-Credential) cmdlet Get-Credential at command pipeline position 1 Supply values for the following parameters: SAMAccount : lockeduser Description : UserPrincipal : lockeduser@acmelabs.com DN : CN=lockeduser,CN=Users,DC=acmelabs,DC=com Created : 6/27/2013 8:23:20 PM LastModified : 9/15/2013 12:40:13 AM PasswordLastSet : 6/27/2013 4:23:20 PM AccountExpires : <Never> LastLogon : 12/31/1600 8:00:00 PM GroupMembership : SID : S-1-5-21-3435989536-2782530369-1314837659-1614 #> function Get-AuditDSLockedUserAcount { [CmdletBinding()] Param( [Parameter(Mandatory=$false, HelpMessage="Credentials to use when connecting to a Domain Controller.")] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory=$false, HelpMessage="Domain controller for Domain and Site that you want to query against.")] [string]$DomainController, [Parameter(Mandatory=$false, HelpMessage="Maximum number of Objects to pull from AD, limit is 1,000 .")] [int]$Limit = 1000, [Parameter(Mandatory=$false, HelpMessage="scope of a search as either a base, one-level, or subtree search, default is subtree.")] [ValidateSet("Subtree","OneLevel","Base")] [string]$SearchScope = "Subtree", [Parameter(Mandatory=$false, HelpMessage="Distinguished Name Path to limit search to.")] [string]$SearchDN ) Begin { if ($DomainController -and $Credential.GetNetworkCredential().Password) { $objDomain = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$($DomainController)", $Credential.UserName,$Credential.GetNetworkCredential().Password $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } else { $objDomain = [ADSI]"" $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } } Process { $SAMAccountFilter = "(&(sAMAccountType=805306368)(lockoutTime>=1))" $ObjSearcher.PageSize = $Limit $ObjSearcher.Filter = $SAMAccountFilter $ObjSearcher.SearchScope = $SearchScope if ($SearchDN) { $objSearcher.SearchDN = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($SearchDN)") } $ObjSearcher.FindAll() | ForEach-Object { $UserProps = [ordered]@{} $UserProps.Add('SAMAccount', "$($_.properties.samaccountname)") $UserProps.Add('Description', "$($_.properties.description)") $UserProps.Add('UserPrincipal', "$($_.properties.userprincipalname)") $UserProps.Add('DN', "$($_.properties.distinguishedname)") $UserProps.Add('Created', [dateTime]"$($_.properties.whencreated)") $UserProps.Add('LastModified', [dateTime]"$($_.properties.whenchanged)") $UserProps.Add('PasswordLastSet', [dateTime]::FromFileTime("$($_.properties.pwdlastset)")) $UserProps.Add('AccountExpires',( &{$exval = "$($_.properties.accountexpires)" If (($exval -eq 0) -or ($exval -gt [DateTime]::MaxValue.Ticks)) { $AcctExpires = "<Never>" } Else { $Date = [DateTime]$exval $AcctExpires = $Date.AddYears(1600).ToLocalTime() } $AcctExpires })) $UserProps.Add('LastLogon', [dateTime]::FromFileTime("$($_.properties.lastlogon)")) $UserProps.Add('GroupMembership', "$($_.properties.memberof)") $UserProps.Add('SID', "$(&{$sidobj = [byte[]]"$($_.Properties.objectsid)".split(" ");$sid = new-object System.Security.Principal.SecurityIdentifier $sidobj, 0; $sid.Value})") [pscustomobject]$UserProps } } } function Get-AuditDSDisabledUserAcount { [CmdletBinding()] Param( [Parameter(Mandatory=$false, HelpMessage="Credentials to use when connecting to a Domain Controller.")] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory=$false, HelpMessage="Domain controller for Domain and Site that you want to query against.")] [string]$DomainController, [Parameter(Mandatory=$false, HelpMessage="Maximum number of Objects to pull from AD, limit is 1,000 .")] [int]$Limit = 1000, [Parameter(Mandatory=$false, HelpMessage="scope of a search as either a base, one-level, or subtree search, default is subtree.")] [ValidateSet("Subtree","OneLevel","Base")] [string]$SearchScope = "Subtree", [Parameter(Mandatory=$false, HelpMessage="Distinguished Name Path to limit search to.")] [string]$SearchDN ) Begin { if ($DomainController -and $Credential.GetNetworkCredential().Password) { $objDomain = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$($DomainController)", $Credential.UserName,$Credential.GetNetworkCredential().Password $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } else { $objDomain = [ADSI]"" $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } } Process { $SAMAccountFilter = "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))" $ObjSearcher.PageSize = $Limit $ObjSearcher.Filter = $SAMAccountFilter $ObjSearcher.SearchScope = $SearchScope if ($SearchDN) { $objSearcher.SearchDN = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($SearchDN)") } $ObjSearcher.FindAll() | ForEach-Object { $UserProps = [ordered]@{} $UserProps.Add('SAMAccount', "$($_.properties.samaccountname)") $UserProps.Add('Description', "$($_.properties.description)") $UserProps.Add('UserPrincipal', "$($_.properties.userprincipalname)") $UserProps.Add('DN', "$($_.properties.distinguishedname)") $UserProps.Add('Created', [dateTime]"$($_.properties.whencreated)") $UserProps.Add('LastModified', [dateTime]"$($_.properties.whenchanged)") $UserProps.Add('PasswordLastSet', [dateTime]::FromFileTime("$($_.properties.pwdlastset)")) $UserProps.Add('AccountExpires',( &{$exval = "$($_.properties.accountexpires)" If (($exval -eq 0) -or ($exval -gt [DateTime]::MaxValue.Ticks)) { $AcctExpires = "<Never>" } Else { $Date = [DateTime]$exval $AcctExpires = $Date.AddYears(1600).ToLocalTime() } $AcctExpires })) $UserProps.Add('LastLogon', [dateTime]::FromFileTime("$($_.properties.lastlogon)")) $UserProps.Add('GroupMembership', "$($_.properties.memberof)") $UserProps.Add('SID', "$(&{$sidobj = [byte[]]"$($_.Properties.objectsid)".split(" ");$sid = new-object System.Security.Principal.SecurityIdentifier $sidobj, 0; $sid.Value})") [pscustomobject]$UserProps } } } function Get-AuditDSDeletedAccount { [CmdletBinding()] Param( [Parameter(Mandatory=$false, HelpMessage="Credentials to use when connecting to a Domain Controller.")] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory=$false, HelpMessage="Domain controller for Domain and Site that you want to query against.")] [string]$DomainController, [Parameter(Mandatory=$false, HelpMessage="Maximum number of Objects to pull from AD, limit is 1,000 .")] [int]$Limit = 1000, [Parameter(Mandatory=$false, HelpMessage="scope of a search as either a base, one-level, or subtree search, default is subtree.")] [ValidateSet("Subtree","OneLevel","Base")] [string]$SearchScope = "Subtree", [Parameter(Mandatory=$false, HelpMessage="Distinguished Name Path to limit search to.")] [string]$SearchDN ) Begin { if ($DomainController -and $Credential.GetNetworkCredential().Password) { $objDomain = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$($DomainController)", $Credential.UserName,$Credential.GetNetworkCredential().Password $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } else { $objDomain = [ADSI]"" $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objDomain } } Process { $SAMAccountFilter = "(&(objectClass=user)(isDeleted=*))" $ObjSearcher.PageSize = $Limit $ObjSearcher.Filter = $SAMAccountFilter $ObjSearcher.SearchScope = $SearchScope $objSearcher.Tombstone = $true if ($SearchDN) { $objSearcher.SearchDN = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($SearchDN)") } $ObjSearcher.FindAll() | ForEach-Object { $UserProps = [ordered]@{} $UserProps.Add('SAMAccount', "$($_.properties.samaccountname)") $UserProps.Add('DN', "$($_.properties.distinguishedname)") $UserProps.Add('Created', [dateTime]"$($_.properties.whencreated)") $UserProps.Add('LastModified', [dateTime]"$($_.properties.whenchanged)") $UserProps.Add('PasswordLastSet', [dateTime]::FromFileTime("$($_.properties.pwdlastset)")) $UserProps.Add('LastLogon', [dateTime]::FromFileTime("$($_.properties.lastlogon)")) $UserProps.Add('SID', "$(&{$sidobj = [byte[]]"$($_.Properties.objectsid)".split(" ");$sid = new-object System.Security.Principal.SecurityIdentifier $sidobj, 0; $sid.Value})") $UserProps.Add('LastKnownParent', "$($_.properties.lastknownparent)") [pscustomobject]$UserProps } } } function Get-AuditInstallSoftware { [CmdletBinding()] Param( [Parameter(Mandatory=$false)] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [string]$ComputerName = $env:COMPUTERNAME ) begin { } Process { # Set initial values $reg = Get-WmiObject -List "StdRegprov" -ComputerName $computername -Credential $Credential $x86SoftInstallKey = "Software\Microsoft\Windows\CurrentVersion\Uninstall" $x64SoftInstallkey = "Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" $data = $reg.EnumKey(2147483650,$x86SoftInstallKey) if ($data.ReturnValue -eq 0) { $x86keys = $data.snames $HKSoftKeys = $reg.EnumKey(2147483650,"SOFTWARE").snames if ($HKSoftKeys -contains "Wow6432Node") { $x64keys = $reg.EnumKey(2147483650,$x64SoftInstallkey).snames } } else { Write-Error "Failed to connect to remote server vial WMI to pull registry information" return } $x86keys | foreach { $sName = ($reg.GetStringValue(2147483650, "$x86SoftInstallKey\$($_)", 'DisplayName')).svalue if ($sName) { $sVersion = ($reg.GetStringValue(2147483650, "$x86SoftInstallKey\$($_)", 'DisplayVersion')).svalue $sInstallDate = ($reg.GetStringValue(2147483650, "$x86SoftInstallKey\$($_)", 'InstallDate')).svalue $sPublisher = ($reg.GetStringValue(2147483650, "$x86SoftInstallKey\$($_)", 'Publisher')).svalue $SoftProps = [ordered]@{Name = $sName; Version = $sVersion; Publisher = $sPublisher; InstallDate = $sInstallDate; PSComputerName = $ComputerName} [pscustomobject]$SoftProps } } if ($x64keys) { $x64keys | foreach { $sName = ($reg.GetStringValue(2147483650, "$x64SoftInstallkey\$($_)", 'DisplayName')).svalue if ($sName) { $sVersion = ($reg.GetStringValue(2147483650, "$x64SoftInstallkey\$($_)", 'DisplayVersion')).svalue $sInstallDate = ($reg.GetStringValue(2147483650, "$x64SoftInstallkey\$($_)", 'InstallDate')).svalue $sPublisher = ($reg.GetStringValue(2147483650, "$x64SoftInstallkey\$($_)", 'Publisher')).svalue $SoftProps = [ordered]@{Name = $sName; Version = $sVersion; Publisher = $sPublisher; InstallDate = $sInstallDate; PSComputerName = $ComputerName} [pscustomobject]$SoftProps } } } } End { } } function Get-AuditPrefechList { [CmdletBinding()] Param( [Parameter(Mandatory=$false)] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [string]$ComputerName = $env:COMPUTERNAME ) $winInfo = (Get-WmiObject -query "SELECT WindowsDirectory from Win32_OperatingSystem" -ComputerName $ComputerName -Credential $Credential).WindowsDirectory.split("\") if ($winInfo) { $pfquery = "SELECT Caption,CreationDate,LastAccessed,LastModified FROM CIM_DataFile WHERE Drive = '$($winInfo[0])' and Path = '\\$($winInfo[1])\\prefetch\\' AND Extension = 'pf'" if ($pfquery) { Get-WmiObject -Query $pfquery -ComputerName $ComputerName -Credential $Credential | ForEach-Object { $pfprops = [ordered]@{ Filename = $_.Caption CreationDate = $_.ConvertToDateTime($_.CreationDate) LastAccessed = $_.ConvertToDateTime($_.LastAccessed) LastModified = $_.ConvertToDateTime($_.LastModified) } [pscustomobject]$pfprops } } else { Write-Warning "Could not find pf files in the prefetch folder." } } else { Write-Warning "Could not connect to WMI on the remote system." } } <# .SYSNOPSIS Retrieves the timestamps for a given file. .DESCRIPTION Retrieves the timestamps for a given file. This not only shows the LastAccess, LastWrite and Creation timestamps, but also shows the Entrie Modified timestamp, which is not viewable just by looking at the properties of a file. .PARAMETER File Name of the file to get timestamps from. .NOTES Name: Get-AuditFileTimeStamp Author: Boe Prox DateCreated: 26 Feb 2013 DateModified: 26 Feb 2013 Version: 1.0 - Initial Creation .LINK http://learn-powershell.net .INPUTS System.String .OUPUTS None .EXAMPLE Get-AuditFileTimeStamp -File 'SystemError.txt' CreationDate : 2/13/2013 7:56:13 AM EntrieModifiedTime : 2/26/2013 8:49:28 AM ModifiedTime : 2/13/2013 7:56:13 AM AccessTime : 2/26/2013 8:48:00 AM FileName : C:\users\Administrator\desktop\SystemError.txt Description ----------- Displays all timestamps for the file SystemError.txt #> Function Get-AuditFileTimeStamp { [cmdletbinding()] Param ( [parameter(ValueFromPipeline = $True)] [string[]]$File ) Begin { #region Debug Information $PSBoundParameters.GetEnumerator() | ForEach { Write-Verbose ("{0}" -f $_) } Write-Verbose ("Using ParameterSetName: {0}" -f $PSCmdlet.ParameterSetName) #endregion Debug Information #region Create reference variables $creationTime = (Get-Date) $lastAccessTime = (Get-Date) $lastWriteTime = (Get-Date) $changeTime = (Get-Date) $errorMsg = $null #endregion Create reference variables } Process { #region Check file name ForEach ($item in $File) { If (-Not ([uri]$item).IsAbsoluteUri) { Write-Verbose ("{0} is not a full path, using current directory: {1}" -f $item,$pwd) $item = (Join-Path $pwd ($item -replace "\.\\","")) } #endregion Check file name #region Get file timestamps $return = [NT]::GetFourFileTimes($item, [ref]$creationTime, [ref]$lastAccessTime, [ref]$lastWriteTime, [ref]$changeTime, [ref]$errorMsg ) If ($return) { If (-Not $errorMsg) { $object = New-Object PSObject -Property @{ FileName = $item CreationDate = $creationTime ModifiedTime = $lastWriteTime AccessTime = $lastAccessTime EntrieModifiedTime = $changeTime } $object.pstypenames.insert(0,'System.File.TimeStamp') Write-Output $object } Else { Write-Warning ("{0}" -f $errorMsg) } } Else { Write-Warning ("An issue occurred querying the timestamp!") } } #endregion Get file timestamps } End {} } <# .SYNOPSIS Retrieves the last write time of the supplied registry key .DESCRIPTION The Registry data that a hive stores in containers are called cells. A cell can hold a key, a value, a security descriptor, a list of subkeys, or a list of key values. Get-RegKeyLastWriteTime retrieves the LastWriteTime through a pointer to the FILETIME structure that receives the time at which the enumerated subkey was last written. Values do not contain a LastWriteTime property, but changes to child values update the parent keys lpftLastWriteTime. The LastWriteTime is updated when a key is created, modified, accessed, or deleted. .PARAMETER ComputerName Computer name to query .PARAMETER Key Root Key to query HKCR - Symbolic link to HKEY_LOCAL_MACHINE \SOFTWARE \Classes. HKCU - Symbolic link to a key under HKEY_USERS representing a user's profile hive. HKLM - Placeholder with no corresponding physical hive. This key contains other keys that are hives. HKU - Placeholder that contains the user-profile hives of logged-on accounts. HKCC - Symbolic link to the key of the current hardware profile .PARAMETER SubKey Registry Key to query .EXAMPLE Get-AuditRegKeyLastWriteTime -ComputerName testwks -Key HKLM -SubKey Software .EXAMPLE Get-AuditRegKeyLastWriteTime -ComputerName testwks1,testwks2 -SubKey Software .EXAMPLE Get-AuditRegKeyLastWriteTime -SubKey Software\Microsoft .EXAMPLE "testwks1","testwks2" | Get-RegKeyLastWriteTime -SubKey Software\Microsoft ` \Windows\CurrentVersion .NOTES NAME: Get-RegKeyLastWriteTime AUTHOR: Shaun Hess VERSION: 1.0 LASTEDIT: 01JUL2011 LICENSE: Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/) .LINK http://www.shaunhess.com #> function Get-AuditRegKeyLastWriteTime { [CmdletBinding()] param( [parameter( ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias("CN","__SERVER","Computer","CNAME")] [string[]]$ComputerName=$env:ComputerName, [string]$Key = "HKLM", [string]$SubKey ) BEGIN { switch ($Key) { "HKCR" { $searchKey = 0x80000000} #HK Classes Root "HKCU" { $searchKey = 0x80000001} #HK Current User "HKLM" { $searchKey = 0x80000002} #HK Local Machine "HKU" { $searchKey = 0x80000003} #HK Users "HKCC" { $searchKey = 0x80000005} #HK Current Config default { "Invalid Key. Use one of the following options: HKCR, HKCU, HKLM, HKU, HKCC"} } $KEYQUERYVALUE = 0x1 $KEYREAD = 0x19 $KEYALLACCESS = 0x3F } PROCESS { foreach($computer in $ComputerName) { $sig0 = @' [DllImport("advapi32.dll", SetLastError = true)] public static extern int RegConnectRegistry( string lpMachineName, int hkey, ref int phkResult); '@ $type0 = Add-Type -MemberDefinition $sig0 -Name Win32Utils -Namespace RegConnectRegistry -Using System.Text -PassThru $sig1 = @' [DllImport("advapi32.dll", CharSet = CharSet.Auto)] public static extern int RegOpenKeyEx( int hKey, string subKey, int ulOptions, int samDesired, out int hkResult); '@ $type1 = Add-Type -MemberDefinition $sig1 -Name Win32Utils -Namespace RegOpenKeyEx -Using System.Text -PassThru $sig2 = @' [DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")] extern public static int RegEnumKeyEx( int hkey, int index, StringBuilder lpName, ref int lpcbName, int reserved, int lpClass, int lpcbClass, out long lpftLastWriteTime); '@ $type2 = Add-Type -MemberDefinition $sig2 -Name Win32Utils -Namespace RegEnumKeyEx -Using System.Text -PassThru $sig3 = @' [DllImport("advapi32.dll", SetLastError=true)] public static extern int RegCloseKey( int hKey); '@ $type3 = Add-Type -MemberDefinition $sig3 -Name Win32Utils -Namespace RegCloseKey -Using System.Text -PassThru $hKey = new-object int $hKeyref = new-object int $searchKeyRemote = $type0::RegConnectRegistry($computer, $searchKey, ` [ref]$hKey) $result = $type1::RegOpenKeyEx($hKey, $SubKey, 0, $KEYREAD, ` [ref]$hKeyref) #initialize variables $builder = New-Object System.Text.StringBuilder 1024 $index = 0 $length = [int] 1024 $time = New-Object Long #234 means more info, 0 means success. Either way, keep reading while ( 0,234 -contains $type2::RegEnumKeyEx($hKeyref, $index++, $builder, [ref] $length, $null, $null, $null, [ref] $time) ) { #create output object $o = "" | Select Key, LastWriteTime, ComputerName $o.ComputerName = "$computer" $o.Key = $builder.ToString() # TODO Change to use the time api $o.LastWriteTime = (Get-Date $time).AddYears(1600).AddHours(-4) $o #reinitialize for next time through the loop $length = [int] 1024 $builder = New-Object System.Text.StringBuilder 1024 } $result = $type3::RegCloseKey($hKey); } } }
Optional Paste Settings
Category:
None
Cryptocurrency
Cybersecurity
Fixit
Food
Gaming
Haiku
Help
History
Housing
Jokes
Legal
Money
Movies
Music
Pets
Photo
Science
Software
Source Code
Spirit
Sports
Travel
TV
Writing
Tags:
Syntax Highlighting:
None
Bash
C
C#
C++
CSS
HTML
JSON
Java
JavaScript
Lua
Markdown (PRO members only)
Objective C
PHP
Perl
Python
Ruby
Swift
4CS
6502 ACME Cross Assembler
6502 Kick Assembler
6502 TASM/64TASS
ABAP
AIMMS
ALGOL 68
APT Sources
ARM
ASM (NASM)
ASP
ActionScript
ActionScript 3
Ada
Apache Log
AppleScript
Arduino
Asymptote
AutoIt
Autohotkey
Avisynth
Awk
BASCOM AVR
BNF
BOO
Bash
Basic4GL
Batch
BibTeX
Blitz Basic
Blitz3D
BlitzMax
BrainFuck
C
C (WinAPI)
C Intermediate Language
C for Macs
C#
C++
C++ (WinAPI)
C++ (with Qt extensions)
C: Loadrunner
CAD DCL
CAD Lisp
CFDG
CMake
COBOL
CSS
Ceylon
ChaiScript
Chapel
Clojure
Clone C
Clone C++
CoffeeScript
ColdFusion
Cuesheet
D
DCL
DCPU-16
DCS
DIV
DOT
Dart
Delphi
Delphi Prism (Oxygene)
Diff
E
ECMAScript
EPC
Easytrieve
Eiffel
Email
Erlang
Euphoria
F#
FO Language
Falcon
Filemaker
Formula One
Fortran
FreeBasic
FreeSWITCH
GAMBAS
GDB
GDScript
Game Maker
Genero
Genie
GetText
Go
Godot GLSL
Groovy
GwBasic
HQ9 Plus
HTML
HTML 5
Haskell
Haxe
HicEst
IDL
INI file
INTERCAL
IO
ISPF Panel Definition
Icon
Inno Script
J
JCL
JSON
Java
Java 5
JavaScript
Julia
KSP (Kontakt Script)
KiXtart
Kotlin
LDIF
LLVM
LOL Code
LScript
Latex
Liberty BASIC
Linden Scripting
Lisp
Loco Basic
Logtalk
Lotus Formulas
Lotus Script
Lua
M68000 Assembler
MIX Assembler
MK-61/52
MPASM
MXML
MagikSF
Make
MapBasic
Markdown (PRO members only)
MatLab
Mercury
MetaPost
Modula 2
Modula 3
Motorola 68000 HiSoft Dev
MySQL
Nagios
NetRexx
Nginx
Nim
NullSoft Installer
OCaml
OCaml Brief
Oberon 2
Objeck Programming Langua
Objective C
Octave
Open Object Rexx
OpenBSD PACKET FILTER
OpenGL Shading
Openoffice BASIC
Oracle 11
Oracle 8
Oz
PARI/GP
PCRE
PHP
PHP Brief
PL/I
PL/SQL
POV-Ray
ParaSail
Pascal
Pawn
Per
Perl
Perl 6
Phix
Pic 16
Pike
Pixel Bender
PostScript
PostgreSQL
PowerBuilder
PowerShell
ProFTPd
Progress
Prolog
Properties
ProvideX
Puppet
PureBasic
PyCon
Python
Python for S60
QBasic
QML
R
RBScript
REBOL
REG
RPM Spec
Racket
Rails
Rexx
Robots
Roff Manpage
Ruby
Ruby Gnuplot
Rust
SAS
SCL
SPARK
SPARQL
SQF
SQL
SSH Config
Scala
Scheme
Scilab
SdlBasic
Smalltalk
Smarty
StandardML
StoneScript
SuperCollider
Swift
SystemVerilog
T-SQL
TCL
TeXgraph
Tera Term
TypeScript
TypoScript
UPC
Unicon
UnrealScript
Urbi
VB.NET
VBScript
VHDL
VIM
Vala
Vedit
VeriLog
Visual Pro Log
VisualBasic
VisualFoxPro
WHOIS
WhiteSpace
Winbatch
XBasic
XML
XPP
Xojo
Xorg Config
YAML
YARA
Z80 Assembler
ZXBasic
autoconf
jQuery
mIRC
newLISP
q/kdb+
thinBasic
Paste Expiration:
Never
Burn after read
10 Minutes
1 Hour
1 Day
1 Week
2 Weeks
1 Month
6 Months
1 Year
Paste Exposure:
Public
Unlisted
Private
Folder:
(members only)
Password
NEW
Enabled
Disabled
Burn after read
NEW
Paste Name / Title:
Create New Paste
Hello
Guest
Sign Up
or
Login
Sign in with Facebook
Sign in with Twitter
Sign in with Google
You are currently not logged in, this means you can not edit or delete anything you paste.
Sign Up
or
Login
Public Pastes
Untitled
15 hours ago | 2.28 KB
GSA NS
19 hours ago | 1.37 KB
WaterFul.m
MatLab | 21 hours ago | 0.42 KB
WaterEmpty.m
MatLab | 21 hours ago | 0.54 KB
Spinning.m
MatLab | 21 hours ago | 0.53 KB
Drying.m
MatLab | 21 hours ago | 0.48 KB
DoorCls.m
MatLab | 21 hours ago | 0.55 KB
Washing.m
MatLab | 21 hours ago | 0.45 KB
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the
Cookies Policy
.
OK, I Understand
Not a member of Pastebin yet?
Sign Up
, it unlocks many cool features!
