Thank you for the response. It looks like there may be an issue as it seems to fail on $DN.Replace(",CN=","`tCN=") and so the subsequent commands aren't processing properly. It does pull the first name okay, but the lastname/OU are malformed/empty. Now that I see what you're trying to do, I'm going to read through it more thoroughly and see if I can come up with the appropriate replacements. Thank you, though! You've gotten me one of the three values I needed.
Output as is: [cid:image002.png@01D1E8E2.6C963010] Thanks, Geoff From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Scott Crawford Sent: Thursday, July 28, 2016 2:25 PM To: powershell@lists.myitforum.com Subject: [powershell] RE: Parsing Event Log XML and RegEx Issue: ATTENTION: This email came from an external source. DO NOT open attachments or click on links from unknown senders or unexpected emails. I look forward to more elegant solution, but here's something quick and dirty :) $DN = "CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org" $DN = $DN.Replace(",CN=","`tCN=") $Name = $DN.Split("`t", 2)[0] $Name = $Name.Replace("CN=", "").Replace("\, ", "`t") $LastName = $Name.Split("`t")[0] $FirstName = $Name.Split("`t")[1] $OU = $DN.Split("`t", 2)[1] $OU = $OU.Replace("`tCN=", ",CN=") $FirstName $LastName $OU From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Orlebeck, Geoffrey Sent: Thursday, July 28, 2016 3:46 PM To: 'powershell@lists.myitforum.com' <powershell@lists.myitforum.com<mailto:powershell@lists.myitforum.com>> Subject: [powershell] Parsing Event Log XML and RegEx Issue: All: I was attempting to monitor several sensitive AD groups for user additions/removals. I ended up configuring our monitoring solution to handle it, but I feel I was 95% of the way there with PowerShell. Because I spent so much time I want to see this through to the end. I'm attempting to pull this type of information directly from the Security Event Log on our DCs. I have been able to retrieve the majority of the information I want but I am failing to convert the distinguished name of the user into their SamAccountname. I am attempting to gather the following information to pass back to me: Date, Domain Controller, SamAccountname added, SamAccountname performing the add, and the group name user was added to. Here is the part of my script that gathers the relevant information I'm looking for: # Gather security event info [xml]$xml = Get-Content C:\Testevent.xml # Event Time $Time = $xml.Objs.Obj.Props.DT.'#text' $Date = (Get-Date $Time -Format g) # DC Logging Event $SrvObj = $xml.Objs.Obj.Props.S | ? {$_.N -like "MachineName"} $Server = $SrvObj.'#text' # Store properties of Event Data $GroupObject = $xml.Objs.obj.props.Obj | ? {$_.N -like "Properties"} # Output $Properties = @{Date = $Date Server = $Server Group = $GroupObject.lst.Obj[2].Props.s.'#text' AddedBy = $GroupObject.lst.Obj[6].Props.s.'#text' UserAdded = $GroupObject.lst.obj[0].props.s.'#text'} # Store properties in Custom PSObject $Obj = New-Object -TypeName PSObject -Property $Properties My output looks like this: [cid:image003.png@01D1E8E2.6C963010] Where I am having an issue is $GroupObject.lst.obj[0].props.s.'#text' returns the following: CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org However, when I do a Get-ADUser, the distinguished name is like this: CN=JS1234,CN=Users,OU=Example Department,DC=domain,DC=org So I cannot simply filter based on the returned output because it doesn't match the DN returned by Get-ADUser. My initial thought was to take "$GroupObject.lst.obj[0].props.s.'#text'" and via regular expressions get Firstname, Lastname, and OU. I should be able to leverage splatting on the filter command for Get-ADUser and extract the SamAccountname. The regular expression is where I am failing. I am able to grab the last name, but outputting just the first name and then just the OU is where I have not been successful. Having the "\," after SmithTest is what's tripping me up when I try to remove "CN=SmithTest\, John,". If anyone has regex guidance or alternative ideas on how to accomplish the above (for instance, I get the ObjectSID, but I have also failed to convert that into SamAccountname). I'm open to see how others would tackle this. I'm including the XML file containing a single event I have been using to test in case it's helpful. Thank you. Confidentiality Notice: This is a transmission from Community Hospital of the Monterey Peninsula. This message and any attached documents may be confidential and contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please accept our apologies and notify the sender. Thank you.