Thank you for the response. It looks like there may be an issue as it seems to
fail on $DN.Replace(",CN=","`tCN=") and so the subsequent commands aren't
processing properly. It does pull the first name okay, but the lastname/OU are
malformed/empty. Now that I see what you're trying to do, I'm going to read
through it more thoroughly and see if I can come up with the appropriate
replacements. Thank you, though! You've gotten me one of the three values I
needed.
Output as is:
[cid:image002.png@01D1E8E2.6C963010]
Thanks,
Geoff
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Scott Crawford
Sent: Thursday, July 28, 2016 2:25 PM
To: powershell@lists.myitforum.com
Subject: [powershell] RE: Parsing Event Log XML and RegEx Issue:
ATTENTION: This email came from an external source. DO NOT open attachments or
click on links from unknown senders or unexpected emails.
I look forward to more elegant solution, but here's something quick and dirty :)
$DN = "CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org"
$DN = $DN.Replace(",CN=","`tCN=")
$Name = $DN.Split("`t", 2)[0]
$Name = $Name.Replace("CN=", "").Replace("\, ", "`t")
$LastName = $Name.Split("`t")[0]
$FirstName = $Name.Split("`t")[1]
$OU = $DN.Split("`t", 2)[1]
$OU = $OU.Replace("`tCN=", ",CN=")
$FirstName
$LastName
$OU
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>
[mailto:listsad...@lists.myitforum.com] On Behalf Of Orlebeck, Geoffrey
Sent: Thursday, July 28, 2016 3:46 PM
To: 'powershell@lists.myitforum.com'
<powershell@lists.myitforum.com<mailto:powershell@lists.myitforum.com>>
Subject: [powershell] Parsing Event Log XML and RegEx Issue:
All:
I was attempting to monitor several sensitive AD groups for user
additions/removals. I ended up configuring our monitoring solution to handle
it, but I feel I was 95% of the way there with PowerShell. Because I spent so
much time I want to see this through to the end. I'm attempting to pull this
type of information directly from the Security Event Log on our DCs. I have
been able to retrieve the majority of the information I want but I am failing
to convert the distinguished name of the user into their SamAccountname. I am
attempting to gather the following information to pass back to me: Date, Domain
Controller, SamAccountname added, SamAccountname performing the add, and the
group name user was added to.
Here is the part of my script that gathers the relevant information I'm looking
for:
# Gather security event info
[xml]$xml = Get-Content C:\Testevent.xml
# Event Time
$Time = $xml.Objs.Obj.Props.DT.'#text'
$Date = (Get-Date $Time -Format g)
# DC Logging Event
$SrvObj = $xml.Objs.Obj.Props.S | ? {$_.N -like "MachineName"}
$Server = $SrvObj.'#text'
# Store properties of Event Data
$GroupObject = $xml.Objs.obj.props.Obj | ? {$_.N -like "Properties"}
# Output
$Properties = @{Date = $Date
Server = $Server
Group = $GroupObject.lst.Obj[2].Props.s.'#text'
AddedBy = $GroupObject.lst.Obj[6].Props.s.'#text'
UserAdded = $GroupObject.lst.obj[0].props.s.'#text'}
# Store properties in Custom PSObject
$Obj = New-Object -TypeName PSObject -Property $Properties
My output looks like this:
[cid:image003.png@01D1E8E2.6C963010]
Where I am having an issue is $GroupObject.lst.obj[0].props.s.'#text' returns
the following:
CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org
However, when I do a Get-ADUser, the distinguished name is like this:
CN=JS1234,CN=Users,OU=Example Department,DC=domain,DC=org
So I cannot simply filter based on the returned output because it doesn't match
the DN returned by Get-ADUser. My initial thought was to take
"$GroupObject.lst.obj[0].props.s.'#text'" and via regular expressions get
Firstname, Lastname, and OU. I should be able to leverage splatting on the
filter command for Get-ADUser and extract the SamAccountname. The regular
expression is where I am failing. I am able to grab the last name, but
outputting just the first name and then just the OU is where I have not been
successful. Having the "\," after SmithTest is what's tripping me up when I try
to remove "CN=SmithTest\, John,".
If anyone has regex guidance or alternative ideas on how to accomplish the
above (for instance, I get the ObjectSID, but I have also failed to convert
that into SamAccountname). I'm open to see how others would tackle this. I'm
including the XML file containing a single event I have been using to test in
case it's helpful.
Thank you.
Confidentiality Notice: This is a transmission from Community Hospital of the
Monterey Peninsula. This message and any attached documents may be confidential
and contain information protected by state and federal medical privacy
statutes. They are intended only for the use of the addressee. If you are not
the intended recipient, any disclosure, copying, or distribution of this
information is strictly prohibited. If you received this transmission in error,
please accept our apologies and notify the sender. Thank you.
