How to send logon AD events with HTTP in the background? (PowerShell)
  • Hi,

    I've written a script triggered by the event with logon ID 4624, and I want to send some data over HTTP. I filter the events to get only those where an Active Directory user connected. My script is launched by the Task Scheduler and SYSTEM runs it.

    For each event, I want to send the username, the IP and the groups of the user over HTTP.

    It works fine in the foreground. But in the background, my task launches a lot of processes and the memory fills up, then it freezes the AD server.

    How do I do this?

    Here is my current script: https://pastebin.com/qLL4MDtC


    • Edited by Marc595 Thursday, November 16, 2017 5:15 PM
    • Changed type Bill_Stewart Thursday, January 25, 2018 10:32 PM
    • Moved by Bill_Stewart Thursday, January 25, 2018 10:33 PM This is not "fix/debug/rewrite my script for me" forum
    Thursday, November 16, 2017 5:06 PM

All replies

  • Please read the following first. It is right at the top of this forum.

    This forum is for scripting questions rather than script requests


    -- Bill Stewart [Bill_Stewart]

    Thursday, November 16, 2017 5:10 PM
  • Thank you for the answer.

    I read the forum notice and I thought I was within its scope.

    The script I wrote is less than 75 lines, and half of them are just empty lines.
    I'm not asking someone to do my work; I'm looking for information because it doesn't work as intended, only when I choose the launch option.
    I was probably not straightforward in my question. I am not a native English speaker,
    so please help me formulate the request correctly.
    --

    Maybe this will be more precise.

    Goal: post logon data (IP, groups and user ID) over HTTP.

    Work done:
    To do this, I did some research and triggered a script on the 4624 event.
    At first everything was fine, and I was happy with my work.
    As soon as I tried to make this work in the background (so it also works when no one is logged on to the AD server), I encountered a lot of problems.

    Current struggle:

    I did some research with Start-Job (still the same) and I rewrote the script entirely with ADSI because it is better than the AD module (performance-wise).

    But so far my tests are not successful: I am puzzled by something, running in the background seems to trigger many more instances of my PowerShell script.

    Moreover, apparently I need to sign the script or change the security settings of the whole system.

    Maybe I am not using the right tool? So far I can't find any information in the system telling me what's going wrong.

    Because the script is short, I linked the code here.



    • Edited by Marc595 Thursday, November 16, 2017 6:45 PM
    Thursday, November 16, 2017 6:42 PM
  • What you are asking is quite vague and your explanation adds ambiguity.

    The script as posted cannot do what you claim. Maybe you have system issues.

    The script will not succeed under the event viewer because the event log service does not have read access to AD.

    You can alter the scheduled task to use domain credentials.

    If you have a large number of logon events then you will have many issues. What you are trying to do will require a much more sophisticated solution using some kind of queuing method.


    \_(ツ)_/

    Thursday, November 16, 2017 6:48 PM
  • First of all, thank you for your explanations.

    If this is not the script's fault, what could be filling the memory?

    "The script will not succeed under the event viewer because the event log service does not have read access to AD."

    I don't understand, because I run it with the highest privileges and I can get data from my AD.

    "You can alter the scheduled task to use domain credentials."

    OK, I will check this way.

    "some kind of queuing method"

    Are you talking about making a script with 'while(waitEvent)' and using getEvent?


    I don't know if I need to open another topic for it, but my main question is:

    - why does my script (and more generally the AD getter commands) use only one process per event in the foreground, but in the background I have 200+ powershell.exe processes?



    • Edited by Marc595 Thursday, November 16, 2017 9:05 PM
    Thursday, November 16, 2017 9:04 PM
  • There's no way for anyone to know the answer to your question because we don't have a way to reproduce your environment. (We don't have any of your code, we don't have access to your network, and we can't see your screen.)


    -- Bill Stewart [Bill_Stewart]

    Thursday, November 16, 2017 9:09 PM
  • OK, I understand...
    Thursday, November 16, 2017 9:25 PM
  • My environment is standard. It's Windows Server 2012 R2, a test server (not production) with an Active Directory of 5 custom users. No particular changes. My task is local, so I think the network can't affect it?

    I don't have a particular screen, only Task Manager with 200+ powershell.exe (and conhost.exe).

    So, another way: I tried a queue instead of "run in parallel" (thanks to jrv). And it seems to work better (memory doesn't fill up and CPU stays constant). Only one process.


    • Edited by Marc595 Thursday, November 16, 2017 9:59 PM
    Thursday, November 16, 2017 9:58 PM
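jrv's suggestion of a queuing method and Marc595's later note that a single queued process behaved (constant CPU, one process), shown as an added example that is not the original script (the thread only links it): one long-running PowerShell process polls the Security log for new 4624 events by RecordId, enriches each with ADSI group membership, and posts it. The collector URL is a placeholder, and the task account is assumed to be able to read the Security log and query the directory.

```powershell
# Added example (not Marc595's script, which is only linked from the thread):
# one long-running poller that drains new 4624 events in a single process,
# instead of the Task Scheduler starting a powershell.exe per event.
# Assumptions: the collector URL is a placeholder; the task's account can read
# the Security log and query the directory via ADSI.
$CollectorUri = 'https://collector.example.invalid/logons'   # placeholder
$PollSeconds  = 10
# Start from the newest existing 4624 so old events are not replayed ([int64]$null is 0)
$LastRecordId = [int64]((Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction SilentlyContinue).RecordId)

function Get-UserGroups {
    param([string]$SamAccountName)
    # ADSI lookup (the thread prefers ADSI over the AD module for performance)
    $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { return @() }
    @($result.Properties['memberof']) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
}

function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # 4624 fields live in EventData/Data elements keyed by their Name attribute
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -like '*$') { return $null }   # skip machine accounts
    [pscustomobject]@{
        Time      = $Event.TimeCreated.ToString('o')
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        IpAddress = $data['IpAddress']
        LogonType = [int]$data['LogonType']
        Groups    = @(Get-UserGroups -SamAccountName $data['TargetUserName'])
    }
}

while ($true) {
    # One query per poll; RecordId keeps the loop from re-sending events already posted
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordId -gt $LastRecordId } | Sort-Object RecordId
    foreach ($ev in $events) {
        $rec = ConvertTo-LogonRecord -Event $ev
        if ($rec) {
            try {
                Invoke-RestMethod -Uri $CollectorUri -Method Post -ContentType 'application/json' -Body ($rec | ConvertTo-Json -Compress)
            } catch { Write-Warning "POST failed for $($rec.User): $_" }
        }
        $LastRecordId = $ev.RecordId   # advance even when a POST fails, so one bad event cannot stall the loop
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it as one scheduled task with a domain account that starts at boot rather than an event-triggered task, so there is exactly one powershell.exe regardless of the logon rate; a burst of logons costs one Get-WinEvent call, not one process each.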
  • This question is not within the scope of this forum.

    -- Bill Stewart [Bill_Stewart]

    Thursday, November 16, 2017 10:45 PM