login failed attempt powershell script

  • Question

  • Hi Guys,

    I need your help. I need a PowerShell script to get a login attempt report into a CSV file. Is there any script?

    Thanks in advance

    I have made this script, but I don't know where and what I am missing in it. It is not working:



    #>
    
    Param(
        [array]$ServersToQuery = (hostname),
        [datetime]$StartTime = "January 1, 1970"
    )
    
        foreach ($Server in $ServersToQuery) {
    
            $LogFilter = @{
                LogName = 'Security'
                ID = 4625, 644, 681, 529
                StartTime = $StartTime
                }
    
            $AllEntries = Get-WinEvent -LogName "Security" -FilterHashtable $LogFilter -ComputerName $Server
    
            $AllEntries | Foreach { 
                $entry = [xml]$_.ToXml()
                [array]$Output += New-Object PSObject -Property @{
                    TimeCreated = $_.TimeCreated
                    Computer = $entry.Event.EventData.SubjectUserName
                    User = $entry.Event.EventData.TargetDomainName
                    logontype = $entry.Event.EventData.LogonType
                    IPAddress = $entry.Event.EventData.IpAddress
                    EventID = $entry.Event.System.EventID
                    ServerName = $Server
                    }       
                } 
    
        }
    
        $FilteredOutput += $Output | Select TimeCreated, Computer, User, logontype, IPAddress, ServerName @{Name='Action';Expression={
                    if ($_.EventID -eq '4625'){"Unknown user name or Bad password"}
                    if ($_.EventID -eq '529'){"Unknown user name or Bad password"}
                    if ($_.EventID -eq '644'){"User Account Locked Out"}
                    if ($_.EventID -eq '681'){"The logon to account: %2 by: %1 from workstation: %3 failed"}
                    }
                }
    
        $FilePath = "$env:C:\RDP_Report.csv"
        $FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation
    
    Write-host "Writing File: $FilePath" -ForegroundColor Cyan
    Write-host "Done!" -ForegroundColor Cyan
    
    
    #End

    When I run this script it gives the following error:

    I am not good at PowerShell. It is just copied from another script, with the event log and other information edited.

    Original script is here :-

    https://gallery.technet.microsoft.com/scriptcenter/Remote-Desktop-Connection-3fe225cd

    • Edited by Barinder Singh1989 Saturday, December 15, 2018 8:26 PM
    • Moved by Bill_Stewart Friday, March 15, 2019 3:13 PM This is not "fix/debug/rewrite my script for me" forum
    Saturday, December 15, 2018 7:30 PM

All replies

  • Please look in the Gallery for scripts that do this. You appear to have copied a script. You also have not told us what errors you are receiving.

    When posting code in the forum you must use the code posting tool provided to prevent unreadable posts and to make the script available for copying.  Edit your original post and fix this.


    \_(ツ)_/

    Saturday, December 15, 2018 8:12 PM
  • You cannot use both "Logname" parameter and the same in the hash.

    Start simple.  Run each line of the code in the loop until you understand how it works.  After you understand the code then you can add the loop and eventually create the PS1 file.


    \_(ツ)_/

    Saturday, December 15, 2018 8:16 PM
  • You cannot use both "Logname" parameter and the same in the hash.

    Start simple.  Run each line of the code in the loop until you understand how it works.  After you understand the code then you can add the loop and eventually create the PS1 file.


    \_(ツ)_/

    Thanks for your response. I have added the error log. I am not good at PowerShell. It is just copied from another script. After verifying the data, I edited the log information and changed the event ID.

    The Original Script is here :-

    https://gallery.technet.microsoft.com/scriptcenter/Remote-Desktop-Connection-3fe225cd

    It is working well to get RDP logs. I just changed the event log IDs and the path.

    If you can add in this script, it would be great. 

    Thanks

    Saturday, December 15, 2018 8:25 PM
  • Thank you.  Please do not post screenshots as they are unreadable in most browsers. Just copy the exception and post it in a code block.

    I took a quick look at your code and it is a collection of very bad guesses. Almost every line has an issue.

    Do as I suggested and build the code one line at a time from the inside of the loop to the outside.  Inspect each object that you retrieve or use to be sure you understand the object and its structure.  By doing this you will learn a tremendous amount about coding and PowerShell.

    Start by making Get-WinEvent return the events you need for one computer. Just copy pieces of your code and test by pasting at a prompt. Start with this part of your code:

    $LogFilter = @{
        LogName = 'Security'
        ID      = 4625, 644, 681, 529
        StartTime = $StartTime
    }
    
    Get-WinEvent -LogName "Security" -FilterHashtable $LogFilter
    

    Inspect and fix the errors until you can do a simple query.


    \_(ツ)_/

    Saturday, December 15, 2018 8:45 PM
  • Another hint - always fix the errors one at a time starting with the first one returned.

    \_(ツ)_/

    Saturday, December 15, 2018 8:48 PM
  • Here is the part that will most confuse you.

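    # $LogFilter is the filter hashtable built in the earlier step.
    # $actions maps each event ID to a description (texts from the original script).
    $actions = @{
        4625 = 'Unknown user name or Bad password'
        529  = 'Unknown user name or Bad password'
        644  = 'User Account Locked Out'
        681  = 'The logon to account: %2 by: %1 from workstation: %3 failed'
    }

    Get-WinEvent -FilterHashtable $LogFilter |
        ForEach-Object {
            # $evt rather than $event, which is a PowerShell automatic variable
            $evt = ([xml]$_.ToXml()).Event
            [pscustomobject]@{
                Computer = $evt.System.Computer
                EventID  = [int]$evt.System.EventID
                Action   = $actions[[int]$evt.System.EventID]
                TimeCreated = [datetime]$evt.System.TimeCreated.SystemTime
                # Named <Data> elements under EventData are looked up by their Name attribute
                SubjectUserName = $evt.SelectSingleNode('//*[@Name="SubjectUserName"]').'#text'
                TargetDomainName = $evt.SelectSingleNode('//*[@Name="TargetDomainName"]').'#text'
                LogonType = [int]$evt.SelectSingleNode('//*[@Name="LogonType"]').'#text'
                IpAddress = $evt.SelectSingleNode('//*[@Name="IpAddress"]').'#text'
            }
        }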
    

    Coding to the event log and XML is a very advanced programming task. If you do not know basic programming or the Windows API/Classes and XML this will be a complete mystery.

    To learn, use your search engine to find documents and articles explaining what is being done.


    \_(ツ)_/

    Saturday, December 15, 2018 10:00 PM
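
A complete version of the report this thread works toward, as an added example that is not code from any poster: it keeps LogName inside the filter hashtable only, handles the error Get-WinEvent raises when no events match, and writes one CSV row per failed logon. The parameter defaults, the output path, and the use of the TargetUserName field are assumptions; the event IDs and description texts are those in the question.

```powershell
# Added example: parameter names, defaults and output path are assumptions.
param(
    [string[]]$ServersToQuery = @($env:COMPUTERNAME),
    [datetime]$StartTime      = (Get-Date).AddDays(-7),
    [string]$FilePath         = (Join-Path $env:TEMP 'FailedLogons.csv')
)
# IDs and texts from the question's script. 529, 644 and 681 are pre-Vista
# IDs; current Windows versions record a failed logon as 4625.
$actions = @{
    4625 = 'Unknown user name or Bad password'
    529  = 'Unknown user name or Bad password'
    644  = 'User Account Locked Out'
    681  = 'The logon to account: %2 by: %1 from workstation: %3 failed'
}
# LogName goes in the hashtable only: -LogName and -FilterHashtable belong
# to different parameter sets and cannot be combined.
$filter = @{
    LogName   = 'Security'
    Id        = @($actions.Keys)
    StartTime = $StartTime
}

$report = foreach ($server in $ServersToQuery) {
    try { $events = Get-WinEvent -FilterHashtable $filter -ComputerName $server -ErrorAction Stop }
    catch {
        # Raised when nothing matches the filter or the host cannot be reached.
        Write-Warning "${server}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Flatten the named <Data> elements of EventData into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            ServerName       = $server
            EventID          = $e.Id
            Action           = $actions[$e.Id]
            TargetUserName   = $data['TargetUserName']
            TargetDomainName = $data['TargetDomainName']
            LogonType        = $data['LogonType']
            IpAddress        = $data['IpAddress']
        }
    }
}

$report | Sort-Object TimeCreated | Export-Csv -Path $FilePath -NoTypeInformation
```

Reading the Security log requires an elevated session locally, and remote queries need the event log remote management firewall rules enabled on the target.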
  • You are right, Sir. Coding to the event log and XML is a very advanced programming task. I have started to learn PowerShell scripting; however, it will take some time, but I need this script urgently.
    Sunday, December 16, 2018 3:22 PM
  • I have given you the answers and examples of what you need to know.  I cannot teach you how to use the information.  Learning PowerShell is your responsibility.  If this is a critical need then I suggest that you consider hiring a consultant to work with you on this.

    Microsoft Virtual Academy - Getting Started with Microsoft PowerShell

    Script Gallery.

    Forum for Script requests


    \_(ツ)_/


    • Edited by jrv Sunday, December 16, 2018 4:23 PM
    Sunday, December 16, 2018 4:22 PM
  • Well, thanks, Sir. I have just completed the script, and it worked successfully. I know I need to learn myself. It is enough that you gave me your valuable time, and really it is so helpful. Thanks for your help.
    Sunday, December 16, 2018 4:49 PM