<h1>Searching for an EventID across all domain controllers with PoSh</h1>
<p>Published 2017-08-01, updated 2018-06-20. Source: https://itbru.ru/index.php/2017/08/01/eventid_search/</p>
<p>I needed to find out which of the administrators had enabled a disabled user account. Read below for how to do this with PoSh.</p>
<p>In the Windows logs this event lands in the Security log and has ID 4722.<br />
In PowerShell there are at least two cmdlets for working with the event logs:<br />
1. Get-WinEvent<br />
2. Get-EventLog</p>
<p>To solve the task we will use Get-WinEvent, since it is considerably faster than Get-EventLog.</p>
<p>So, we need to walk all of the organization's domain controllers and collect the events with ID 4722 from them. The results should preferably be written to a file for further processing.</p>
<pre class="theme:powershell-ise lang:ps decode:true" title="Finding who enabled the account"># Every domain controller in the forest (all domains, not just the current one)
$dc = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$StartTime = (Get-Date).AddDays(-1)
$datafile = "c:\AdEnable.csv"
# CSV header: who; whom; what (object class); when; where (DC); where to (DN)
Set-Content -Value 'Кто;Кого;Что;Когда;Где;Куда' -Path $datafile -Encoding UTF8
$dc | ForEach-Object {
    $dcName = $_.HostName
    # 4722 = "A user account was enabled"; it is only written when User Account Management auditing is on
    $Events = Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4722; StartTime=$StartTime} -ComputerName $dcName
    foreach ($ev in $Events)
    {
        $who    = $ev.Properties[4].Value.ToString()   # SubjectUserName: the account that made the change
        $whom   = $ev.Properties[0].Value.ToString()   # TargetUserName: the account that was enabled
        $cntrlr = $ev.MachineName
        $time   = $ev.TimeCreated
        # Resolve the target on the DC that logged the event, so accounts from other domains in the forest are found too
        $AdObj    = Get-ADObject -Filter { SamAccountName -eq $whom } -Server $dcName
        $Class    = $AdObj.ObjectClass
        $DistName = $AdObj.DistinguishedName
        $Data = $who + ";" + $whom + ";" + $Class + ";" + $time + ";" + $cntrlr + ";" + $DistName
        Add-Content -Value $Data -Path $datafile -Encoding UTF8
    }
}</pre>