PowerShell script to get IP address of a User

  • Question

  • I'm running Server 2016, with AD and RDS.  All of my users connect via RDS and we use IPBan to help against Brute Force Attacks.  IPBan blocks the IP, not the user, so when I have a user who locks themselves out, I need a quick way to look in the event log and pull out the IP address they last used.

    So the script would ask for user name and return the IP address.

    Is this possible?  If so how?

    Thanks,

    Kevin

     
    • Moved by Bill_Stewart Sunday, July 29, 2018 11:29 PM This is not "scripts on demand"
    Friday, June 1, 2018 4:29 PM

All replies

  • What event id are you looking at?  Are you sure this is logged in the event log?

    Have you contacted IPBan vendor to learn how you can do this?


    \_(ツ)_/

    Friday, June 1, 2018 4:45 PM
  • I'm looking for (and I see) event ID 4625 with a Logon Type of 10.  IPBan will unblock the IP after X minutes, but if I have someone who has forgotten their password and triggers IPBan and it locks out their IP, they call me and I have to walk them through how to get their IP, so I know which one to unblock manually.  The script would prompt for the username and would search the Security Log for the most recent event ID of 4625, Logon Type of 10 and return the Source Network Address.  Once I know the IP address, I can then unblock manually.
    Friday, June 1, 2018 5:02 PM
  • There is no username in that event so it won't help you.

    To get the most recent event use Get-WinEvent.

    Get-WinEvent -FilterHashTable @{Logname='Security';ID=4625;Data=10} -Max 1

    The latest one is not necessarily the one that the user is calling about.


    \_(ツ)_/

    Friday, June 1, 2018 5:15 PM
  • (Get-WinEvent -FilterHashTable @{Logname='Security';ID=4625;Data=10} -Max 1).Properties[-2]


    \_(ツ)_/

    Friday, June 1, 2018 5:21 PM
  • When I look at the eventLog I see Account Name as shown below.

    Friday, June 1, 2018 6:23 PM
  • Then reference it.

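    # UserId is empty on Security audit events; the account name is Properties[5] (TargetUserName)
    (Get-WinEvent -FilterHashTable @{Logname='Security';ID=4625;Data=10} -Max 10)|
         select @{n='User';e={$_.Properties[5].Value}},@{n='IP';e={$_.Properties[-2].Value}}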


    \_(ツ)_/

    Friday, June 1, 2018 6:30 PM
  • I found this code online and it does what I need EXCEPT I would like to have it prompt for UserName and only return the entries for that user (if any exist).

    Get-Eventlog security -InstanceId 4625 -After (Get-Date).AddDays(-1) | Select TimeGenerated,ReplacementStrings |
    % { 
        New-Object PSObject -Property @{ 
            Source_Computer = $_.ReplacementStrings[13] 
            UserName = $_.ReplacementStrings[5] 
            IP_Address = $_.ReplacementStrings[19] 
            Date = $_.TimeGenerated 
        }
    }

    So when I run the script, a popup would ask for UserName, I enter BobSmith and press enter, then if BobSmith had any failed logons within the last day, they would be displayed.


    • Edited by bakerkr94 Sunday, June 3, 2018 10:57 AM more info
    Sunday, June 3, 2018 10:55 AM
  • Are you asking for someone to write your code for you?

    This forum is for scripting questions rather than script requests.


    \_(ツ)_/

    Sunday, June 3, 2018 3:07 PM
  • What's the difference between my first post and my last one?  I asked for help and you provided help (by writing some code), then in my efforts I find and test some code.  I ask for help in modifying it to better suit my needs and you appear to be insulted.  Thank you for the help you did provide and I'm sorry I offended you and broke the rules of this Forum.
    Monday, June 4, 2018 9:29 AM
  • What's the difference between my first post and my last one?  I asked for help and you provided help (by writing some code), then in my efforts I find and test some code.  I ask for help in modifying it to better suit my needs and you appear to be insulted.  Thank you for the help you did provide and I'm sorry I offended you and broke the rules of this Forum.

    You found some code.  That is not the same as writing some code.

    Start by learning basic PowerShell.  In the first lesson you will learn how to use "Read-Host".

    I am not insulted.  Forum rules will tell you that the forum is not for free script writing or for customizing scripts you have found on the Internet.

    You could also try searching for blog articles describing how to get input in various ways.


    \_(ツ)_/

    Monday, June 4, 2018 9:38 AM
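
Added example (not code from any poster in this thread): one way to combine the pieces discussed above, Get-WinEvent on event 4625, the logon-type filter, and a Read-Host prompt, so that failed logons for one account are summarized per source IP. The function name Get-FailedRdpLogonIP and its parameters are hypothetical; the field names (TargetUserName, LogonType, WorkstationName, IpAddress) are the standard EventData names for event 4625.

```powershell
# Added example: list the source IPs of one user's failed RDP logons (Security event 4625).
# Reading the Security log requires an elevated session on the RDS host.
function Get-FailedRdpLogonIP {            # hypothetical name, not from the thread
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [int]$Hours = 24,
        # The thread uses type 10 (RemoteInteractive). With Network Level
        # Authentication, failed RDP logons are often logged as type 3 instead.
        [int]$LogonType = 10
    )
    # Accept DOMAIN\user or user@domain and compare on the bare account name
    $account = (($UserName -split '\\')[-1] -split '@')[0]
    $filter  = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Index EventData by field name rather than by position in Properties
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['LogonType'] -ne "$LogonType") { continue }
        # -ne on strings is case-insensitive, so BobSmith matches bobsmith
        if ($data['TargetUserName'] -ne $account) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            UserName    = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            IPAddress   = $data['IpAddress']
        }
    }
}

# Prompt for the account, then show distinct addresses with the latest failure and a count
$user = Read-Host 'User name'
$hits = @(Get-FailedRdpLogonIP -UserName $user)
if (-not $hits) { Write-Host "No failed logons of that type for '$user' in the last 24 hours." }
$hits | Group-Object IPAddress | ForEach-Object {
    [pscustomobject]@{
        IPAddress   = $_.Name
        Failures    = $_.Count
        LastFailure = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object LastFailure -Descending
```

Before unblocking an address, compare the failure count and workstation name with what the caller reports, since a 4625 entry carrying a user's account name can also come from someone else guessing that account's password.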