Thank you for the response. It looks like there may be an issue as it seems to 
fail on $DN.Replace(",CN=","`tCN=") and so the subsequent commands aren't 
processing properly. It does pull the first name okay, but the lastname/OU are 
malformed/empty. Now that I see what you're trying to do, I'm going to read 
through it more thoroughly and see if I can come up with the appropriate 
replacements. Thank you, though! You've gotten me one of the three values I 
needed.

Output as is:

Thanks,
Geoff

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Scott Crawford
Sent: Thursday, July 28, 2016 2:25 PM
To: powershell@lists.myitforum.com
Subject: [powershell] RE: Parsing Event Log XML and RegEx Issue:


I look forward to more elegant solution, but here's something quick and dirty :)

$DN = "CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org"
# Swap every ",CN=" for a tab so the escaped "\," inside the name is left alone
$DN = $DN.Replace(",CN=","`tCN=")
# Everything before the first tab is the user's own RDN
$Name = $DN.Split("`t", 2)[0]
# Drop the "CN=" prefix and turn the escaped "\, " into a tab separator
$Name = $Name.Replace("CN=", "").Replace("\, ", "`t")
$LastName = $Name.Split("`t")[0]
$FirstName = $Name.Split("`t")[1]
# Everything after the first tab is the container; put any further ",CN=" back
$OU = $DN.Split("`t", 2)[1]
$OU = $OU.Replace("`tCN=", ",CN=")
$FirstName
$LastName
$OU


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Orlebeck, Geoffrey
Sent: Thursday, July 28, 2016 3:46 PM
To: 'powershell@lists.myitforum.com' <powershell@lists.myitforum.com>
Subject: [powershell] Parsing Event Log XML and RegEx Issue:

All:

I was attempting to monitor several sensitive AD groups for user 
additions/removals. I ended up configuring our monitoring solution to handle 
it, but I feel I was 95% of the way there with PowerShell. Because I spent so 
much time I want to see this through to the end. I'm attempting to pull this 
type of information directly from the Security Event Log on our DCs. I have 
been able to retrieve the majority of the information I want but I am failing 
to convert the distinguished name of the user into their SamAccountname. I am 
attempting to gather the following information to pass back to me: Date, Domain 
Controller, SamAccountname added, SamAccountname performing the add, and the 
group name user was added to.

Here is the part of my script that gathers the relevant information I'm looking 
for:


# Gather security event info (a single event saved in CliXml form)
[xml]$xml = Get-Content C:\Testevent.xml

# Event Time
$Time = $xml.Objs.Obj.Props.DT.'#text'
$Date = (Get-Date $Time -Format g)

# DC Logging Event (the S element whose N attribute is "MachineName")
$SrvObj = $xml.Objs.Obj.Props.S | Where-Object { $_.N -eq "MachineName" }
$Server = $SrvObj.'#text'

# Store properties of Event Data (the nested Obj whose N attribute is "Properties")
$GroupObject = $xml.Objs.Obj.Props.Obj | Where-Object { $_.N -eq "Properties" }

# Output (indexes into the event's Properties list)
$Properties = @{Date = $Date
                Server = $Server
                Group = $GroupObject.lst.Obj[2].Props.s.'#text'
                AddedBy = $GroupObject.lst.Obj[6].Props.s.'#text'
                UserAdded = $GroupObject.lst.obj[0].props.s.'#text'}

# Store properties in Custom PSObject and emit it
$Obj = New-Object -TypeName PSObject -Property $Properties
$Obj

My output looks like this:

Where I am having an issue is $GroupObject.lst.obj[0].props.s.'#text' returns 
the following:
CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org

However, when I do a Get-ADUser, the distinguished name is like this:
CN=JS1234,CN=Users,OU=Example Department,DC=domain,DC=org

So I cannot simply filter based on the returned output because it doesn't match 
the DN returned by Get-ADUser. My initial thought was to take 
"$GroupObject.lst.obj[0].props.s.'#text'" and via regular expressions get 
Firstname, Lastname, and OU. I should be able to leverage splatting on the 
filter command for Get-ADUser and extract the SamAccountname. The regular 
expression is where I am failing. I am able to grab the last name, but 
outputting just the first name and then just the OU is where I have not been 
successful. Having the "\," after SmithTest is what's tripping me up when I try 
to remove "CN=SmithTest\, John,".

If anyone has regex guidance or alternative ideas on how to accomplish the 
above (for instance, I get the ObjectSID, but I have also failed to convert 
that into SamAccountname), I'm open to seeing how others would tackle this. I'm 
including the XML file containing a single event I have been using to test in 
case it's helpful.

Thank you.
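The DN handling that both Scott's quick-and-dirty snippet and the original question need, as an added PowerShell example that is not from either poster: it splits the leaf RDN off the DN while honouring the "\," escape, unescapes the CN, and builds an LDAP filter plus -SearchBase to splat into Get-ADUser. The function names are my own, and the Get-ADUser call itself assumes the ActiveDirectory module; the parsing runs anywhere.

```powershell
# Return the leaf RDN (type and unescaped value) of an LDAP DN plus the
# parent DN, left raw so it is still a valid -SearchBase.
function Split-LeafRdn {
    param([Parameter(Mandatory)][string]$DN)
    $i = 0
    # advance to the first comma that is not part of a "\," escape
    while ($i -lt $DN.Length -and $DN[$i] -ne ',') {
        if ($DN[$i] -eq '\' -and $i + 1 -lt $DN.Length) { $i++ }  # skip escaped char
        $i++
    }
    $leaf   = $DN.Substring(0, $i)
    $parent = if ($i -lt $DN.Length) { $DN.Substring($i + 1) } else { '' }
    $type, $value = $leaf -split '=', 2
    # undo RFC 4514 escaping: "\," -> ",", "\\" -> "\", "\2C" -> ","
    $value = [regex]::Replace($value, '\\([0-9A-Fa-f]{2}|.)', {
        param($m)
        $t = $m.Groups[1].Value
        if ($t.Length -eq 2) { [string][char][Convert]::ToInt32($t, 16) } else { $t }
    })
    [pscustomobject]@{ Type = $type; Value = $value; Parent = $parent }
}

# Escape a value for use inside an LDAP search filter (RFC 4515);
# the backslash must be handled first.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Build splattable Get-ADUser parameters from the DN form seen in the event
# log, where the CN is written "Surname, GivenName".
function Get-ADUserLookupFromEventDN {
    param([Parameter(Mandatory)][string]$DN)
    $rdn = Split-LeafRdn $DN
    $last, $first = $rdn.Value -split ',\s*', 2
    $clauses = @("(sn=$(ConvertTo-LdapFilterValue $last))")
    if ($first) { $clauses += "(givenName=$(ConvertTo-LdapFilterValue $first))" }
    @{ LDAPFilter = '(&' + ($clauses -join '') + ')'; SearchBase = $rdn.Parent }
}

# Sample DN taken from the thread; the lookup itself needs the ActiveDirectory module.
$lookup = Get-ADUserLookupFromEventDN 'CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org'
$lookup
# (Get-ADUser @lookup).SamAccountName
# If the event also carries the member's SID, skip the name match entirely:
# Get-ADUser -Identity accepts a SID string as its identity.
```

Matching on surname and given name can still return several accounts, so check the result count before trusting it; the SID path is the unambiguous one.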