Login / out history extraction from 2008R2 Event Logs with a PowerShell script?

Similar Messages

• How to create an rule with action to subtract from the event log of Ips manager express console?

  how to create an rule with action to subtract from the event log of Ips manager express console?, some knows of has an guide?.
  Thank you.
  Sent from Cisco Technical Support iPad App

  Hi,
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bc7910.shtml
  HTH
  Luis Silva
  "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
  http://www.cisco.com/web/partners/tools/pdihd.html

• Setting Out Of Office from Outlook not working with exchange 2010

  Hi 
  We have an exchange 2010  server with 2 load balanced CAS server and Mailbox servers in a DAG.  We have a few domain
  names accepted (will call it firstdomain.com and seconddomain.com)  but only one is in certificate (firstdomain.com).
  The issue is - when user with default email @seconddomain.com try to set “Out Of Office” from outlook (2010 with all service
  packs and updates) he is getting “ Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later”  where
  setting it from webmail works fine and setting it from outlook for users with @firstdomain.com reply address works fine.
  we have both internal and external urls for all virtual directories set to external
  host address (https://mail.firstdomain.com
    etc). All the users are on intranet with local ip subnets (sites connected via vpns ), all the routing is in place and DNS points to correct ip addresses.
  Autodiscover works fine (tested in outlook ) and giving correct address for OOF link
  ( https://mail.firstdomain.com/ews/exchange.asmx)
  wich opens fine if entered into address bar in IE so its NOT AN AUTODISCOVER issue .
  I enabled  logging in outlook and thats what I am getting in there:
  We have an exchange 2010  server with 2 load balanced CAS server and Mailbox servers in a DAG.  We have a few domain
  name accepted (will call it firstdomain.com and seconddomain.com)  but only one is in certificate (firstdomain.com).
  The issue is - when user with default email @seconddomain.com try to set “Out Of Office” from outlook (2010 with all service
  packs and updates) he is getting “ Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later”  where
  setting it from webmail works fine and setting it from outlook for users with @firstdomain.com reply address works fine.
  we have both internal and external urls for all virtual directories set to external
  host address (https://mail.firstdomain.com
    etc). All the users are on intranet with local ip subnets (sites connected via vpns ), all the routing is in place and DNS points to correct ip addresses.
  Autodiscover works fine (tested in outlook ) and giving correct address for OOF link
  ( https://mail.firstdomain.com/ews/exchange.asmx)
  wich opens fine if entered into address bar in IE so its NOT AN AUTODISCOVER issue .
  I enabled  logging in outlook and thats what I am getting in there:
  1600       0x49763D20        02/02/15 16:50:44           
  +++++++++++++++++++++++++++++++
  1600       0x49763D20        02/02/15 16:50:44           
  OWINHTTP SEND HTTP REQUEST BEGIN
  1600       0x49763D20        02/02/15 16:50:44           
    Profile=Outlook
  1600       0x49763D20        02/02/15 16:50:44           
    [email protected]
  1600       0x49763D20        02/02/15 16:50:44           
    URL=https://mail.firstdomain.com/ews/exchange.asmx
  1600       0x49763D5F        02/02/15 16:50:45           
  GetLastError=0; httpStatus=401.
  1600       0x49763D5F        02/02/15 16:50:45           
  OWinHtpp disabled auth schemes:
  1600       0x49763D5F        02/02/15 16:50:45           
  <NONE>
  1600       0x49763D5F        02/02/15 16:50:45           
  OWinHtpp supported auth schemes:
  1600       0x49763D5F        02/02/15 16:50:45           
  Negotiate
  1600       0x49763D5F        02/02/15 16:50:45           
  NTLM
  1600       0x49763D5F        02/02/15 16:50:45           
  Basic
  1600       0x49763D5F        02/02/15 16:50:45           
  OWinHttp attempting Auto-Negotiate with Desktop Credentials.
  1600       0x49763D5F        02/02/15 16:50:45           
  OWinHttp USING pcreds->dwAuthScheme:
  1600       0x49763D5F        02/02/15 16:50:45           
  Negotiate
  1600       0x49763D9D       02/02/15 16:50:45           
  GetLastError=0; httpStatus=500.
  1600       0x49763DAD       02/02/15 16:50:45           
  OWINHTTP SEND HTTP REQUEST END
  1600       0x49763DAD       02/02/15 16:50:45           
  Last thing - we are using proxy server and with proxy off it works fine although all
  possible exchange server hosts/domains/ip addresses excluded from proxy.  
  Aside from obvious question - what can be wrong and what to test next, another question
  is - how can I check/monitor setting OOF on server side (log files etc)?
  Last thing - we are using proxy server and with proxy off it works fine although all
  possible exchange server hosts/domains/ip addresses excluded from proxy.  
  Aside from obvious question - what can be wrong and what to test next, another question
  is - how can I check/monitor setting OOF on server side (log files etc)?
  Thanks

  Hi,
  According to your description, I understand that Outlook client with second domain name cannot use OOF setting and get an error “Your Out of Office settings cannot be displayed, because the server is currently unavailable.”  However OWA works fine.
  If I misunderstand your concern, please do not hesitate to let me know.
  I want to double confirm whether all account or some special user experience this question.
  Would you please try to reconfigure Outlook profile in other Computer, Outlook version and return the results?
  If this issue only appeared on Outlook 2010, please refer to below link to troubleshooting:
  https://support.microsoft.com/kb/2596516?wa=wsignin1.0
  Please try to run ExBPA to test OOF to get more details about this question. Additional, I find a similar thread about your question, for your reference:
  https://social.technet.microsoft.com/Forums/exchange/en-US/81ebc1de-c899-4097-b224-a0e4b33e4162/users-cant-open-out-of-office-assistant
  Best Regards,
  Allen Wang

• Audio extraction from 400+ QT files with between 1-8 channels

  Hi there,
  I need to extract all the audio channels individually from more than 400 QT files, with the number of channels ranging from 1 to 8.
  Do you know of any script or automator action out there which could help me? Ideally I want to extract the audio as AIFF.
  I've seen these, but as far as I can tell they won't extract each track/channel on its own:
  http://developer.apple.com/samplecode/ExtractMovieAudioToAIFF/index.html
  http://www.deepniner.net/xtract2wave/
  Thanks for any help.
  Macbook Pro   Mac OS X (10.4.8)  

  I have brought my export back into PP and I don't see audio. As you suspect, my export settings were incorrect. I failed to set Channels to 8 Channel; it was set to Stereo. I am creating a new test file for the broadcaster.
  Thank you!

• Can anyone help with a powershell script using the search-adaccount cmdlet to filter out accounts that have been created in the last 90 days?

  Hi,
  I have the following script that is supposed to search AD for all user accounts that haven't logged into the domain in more than 90 days.  I first did not have the where-object clause because I didn't realize the search-adaccount would provide results
  back of users that have never logged in, but were created less than 90 days ago.  So I tried to incorporate the logic to not include user accounts that were created in the last 90 days.
  #requires -version 4
  #This script creates a file of accounts that have not been logged into in the past 90 days, excluding accounts that have been created within the past 90 days since the -AccountInactive option does not factor for the whenCreated property of an AD object
  $DateThreshold = ((Get-Date).AddDays(-90))
  $ReportDate = Get-Date -Format yyyy-MM-dd
  #Create a folder according to the current date to be used for storing the report
  New-Item -Path ".\$ReportDate" -ItemType Directory
  $InactiveUsers = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan "90" -SearchBase "OU=XXXX,DC=XXXX,DC=XXXX,DC=XXXX" | Where-Object {$_.whenCreated -gt $DateThreshold} | Export-Csv ".\$ReportDate\Inactive90_$ReportDate.csv"
  However, I can't ever get the whenCreated field to populate with data.  What gives?

  Hi,
  Search-ADAccount doesn't return a whenCreated property. If you want that, you'll need to use Get-ADUser as well. Here's a basic example you can build from:
  $dateThreshold = (Get-Date).AddDays(-90)
  Search-ADAccount -UsersOnly -SearchBase 'OU=Users,DC=domain,DC=com' -AccountDisabled | ForEach {
  $whenCreated = (Get-ADUser -Identity $_.SamAccountName -Properties whenCreated).whenCreated
  If ($whenCreated -gt $dateThreshold) {
  $_
  Don't retire TechNet! -
  (Don't give up yet - 12,950+ strong and growing)

• How to set event name with a apple script

  I use a script to import my photos in iphoto. It's a action folder script.
  This script automatically create albums with the folder's names.
  With the latest version of iphoto and ranking per event, I can not initialize the name events with the names of albums.

  The device has to be set up with the same Wi-Fi network that the iOS device is connected to. The printer cannot be physically connected to the computer. Then select something to print in the iOS device and it will look for a printer and should select yours. See this support document for more help. http://www.apple.com/support/iphone/assistant/airprint/

• Generating Audit log report using PowerShell script

  Hi All,
  I have a requirement to generate the audit log report for a Document library/ custum list. Like 
  1) Who had downloaded and when for the site
  2) Respective username,date time
  3) URL of the document / subsite name etc.
  if it possible, how to automate the process in weekly basess.
  I know it can be done through OOB. Audit log reports 
  can any one help on this?
  Below URL i had for reference : http://social.technet.microsoft.com/wiki/contents/articles/23900.get-audits-for-a-sharepoint-document-using-powershell.aspx
  Vijaivel

  Hi Peter,
  thanks for your reply, URLS are good but am having limited access (i.e) am not a sitecollection Aministrator. So I will not have the access for SiteCollection Administrator section. I having the only one option is Site Collection Web Analytic report. Is
  it possible to achive with this option? or anyother work around ?
  Suggest any other option for automated notification process
  Thanks
  Vijaivel

• File history stopped working after a warning message in the event log

  I have encountered this twice that File history stopped working, the event log says:
  Unusual condition was encountered during finalization of a backup cycle for configuration C:\Users\xxxx\AppData\Local\Microsoft\Windows\FileHistory\Configuration\Config
  If I re-run it, it consumes the backup disk space but still failed to backup.
  I have to manually delete all backup, turn off File History and re-configure it again to make it work.
  This happened twice already, so all my file history lost after re-config.
  Anyone encounter the same situation?

  MICROSOFT is plagued by idiots!!!!
  - Just turn it off
  - then click  "select drive"
  - and when it asks you the retarded question... just click >>>>>"NO"<<<<<<<    -_-
  Seriously... this is the answer.... frigging retards at microsoft... to think it takes an army of programmers and billions of dollars to create such idiocy!
  http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/cannot-change-drive-in-file-history-windows-8/6dbeca54-d05e-4f93-9262-45a56d6a82d1?page=2&msgId=f1792c5e-c5d0-4163-b449-c7165d72f88d&tab=question&status=AllReplies&status=AllReplies%2CAllReplies
  I cant believe these morons put everyone through such hell and then don't even bother to follow up with the correct solution.
  To top it of the moron moderator marks this as an answer??!!!
  What a pathetic joke - I hope everyone reads this message before being punished by the miles of bullcrap in this thread -_-
  Microsoft = ridiculous
  Thanks! I guess the TL;DR version is "to change your file history drive you need to discard the current temp files."
  Exactly :)
  It's the bad wording in the messages.
  the first message (which I can only vaguely remember so can't quote exactly) that gives you the impression you can continue
  something but doesn't make clear that to so will need the "old drive" configured the way the "old drive" was.
  Then the next message is just confusing:
  “we can't copy files to this location.  Your current File History drive is disconnected.  Reconnect the drive and try again” 
  sounds like 
  “we can't copy files to this location. [because there's a problem with the new location]
  Your current File History drive is disconnected. [the new location is disconnected]
  Reconnect the drive and try again [reconnect your new location and try again]” 
  When it should be reworded to say something along the lines of (in more formal language):
  "You asked us to continue...give us the drive you were previously using...or if it's no longer available, click here to start from scratch"
  (I know that's all the opposite of tldr but I'm trying again to put into words what I think was happening).

• CAM Event Log: SNMP trap is received from switch [ ip address ] which is NOT in our database.

  We keep getting thousands of entries in the CAM event log like this:
  SNMP trap is received from switch [<ip address>] which is NOT in our database.
  apparently, these aren't NAC'd switches. Why does the CAM see these and how can they be eliminated from the Event Log?
  Thanks,

  Matt,
  Do you switches have the CAM as a host where they are sending traps? Check the running-config of the servers and see if you spot the CAM IP address as one of the snmp-servers.
  HTH,
  Faisal

• How to find out histotry command from other session

  Hi gurus,
  I use RHEL 5.4
  Some user log onto server with root and make change at some files. How can I find out history command from other session with the same user.
  history command is just give me history commands of my own session.
  Thanks
  Ch

  The file which holds the commandline history is .bash_history in the home directory of the user.
  So in the case of root, /root/.bash_history
  Please mind that if you log in as root, or become root your session will add to that file as well.
  Another issue with the history file is that when multiple sessions are logged in, every session writes in its own version of the same file. So the last one "wins", which means that version is the one which is truly stored.
  If files are changed, a find command with the 'mtime' parameter should be helpful.

• Variable text is blank in emails when using Scheduled Task to email event log notifications

  I am trying to use powershell to email notification when a user account gets locked.  I am running the script from a server 2008 domain controller.
  I have tried multiple scripts and I have the same issue every time.  The script works fine when I run it directly from the powershell command line window.
  However whenever I try running the exact same scripts from an event-triggered scheduled task, the script runs, however any content that generated from a variable is not added to the email.  It is just left blank and ignored.
  I have tried adding lots of permissions including domain administrator group membership to the account  runs the task from and it doesn't include all the expected text unless I run it from the built-in domain administrator account.
  The task runs and the email is sent, but the email is missing all the content generated by variables.
  How can this be fixed?
  Here is an example script.
  $AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
  $LockedAccount = $($AccountLockOutEvent.ReplacementStrings[0])
  $AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
  $AccountLockOutEventMessage = $AccountLockOutEvent.Message
  $messageParameters = @{ 
  Subject = "Account Locked Out: $LockedAccount" 
  Body = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage"
  From = "[email protected]" 
  To = "[email protected]" 
  SmtpServer = "exch2010.domain.local" 
  Send-MailMessage @messageParameters
  =================================================
  Here is an example of task settings.
  <?xml version="1.0" encoding="UTF-16"?>
  <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
    <RegistrationInfo>
      <Date>2015-03-25T21:40:28.8095226</Date>
      <Author>DOMAIN\administrator</Author>
    </RegistrationInfo>
    <Triggers>
      <EventTrigger>
        <Enabled>true</Enabled>
        <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      </EventTrigger>
    </Triggers>
    <Principals>
      <Principal id="Author">
        <UserId>DOMAIN\WilliamsD</UserId>
        <LogonType>Password</LogonType>
        <RunLevel>LeastPrivilege</RunLevel>
      </Principal>
    </Principals>
    <Settings>
      <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
      <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
      <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
      <AllowHardTerminate>true</AllowHardTerminate>
      <StartWhenAvailable>false</StartWhenAvailable>
      <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
      <IdleSettings>
        <StopOnIdleEnd>true</StopOnIdleEnd>
        <RestartOnIdle>false</RestartOnIdle>
      </IdleSettings>
      <AllowStartOnDemand>true</AllowStartOnDemand>
      <Enabled>true</Enabled>
      <Hidden>false</Hidden>
      <RunOnlyIfIdle>false</RunOnlyIfIdle>
      <WakeToRun>false</WakeToRun>
      <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
      <Priority>7</Priority>
    </Settings>
    <Actions Context="Author">
      <Exec>
        <Command>powershell.exe</Command>
        <Arguments>-nologo -File "C:\powershell\l2.ps1"</Arguments>
      </Exec>
    </Actions>
  </Task>

  By variable text I mean everything that it generates by using a variable such as the user's name ($LockedAccount)
  and everything else such as $AccountLockOutEventTime and everything else that is generated from
  a variable.
  Nothing like that appears in the email only hard coded text.
  I am not running it remotely.  I am logged directly onto the domain controller and I tried giving
  the account that is used to run the task more and more permissions including domain administrator group membership with the same result.
  When I run the exact same script on the same domain controller locally via the powershell CLI all of the info appears.
  This is the info when the email is generated by running the script directly from the powershell CLI:
  ================================================
  ================================================
  Account BondJ was locked out on 03/26/2015 20:42:18.
  Event Details:
  A user account was locked out.
  Subject:
                  Security ID:                         S-1-5-18
                  Account Name:                 DC1$
                  Account Domain:                            
  DOMAIN
                  Logon ID:                            
  0x3e7
  Account That Was Locked Out:
                  Security ID:                         S-1-5-21-3440879815-2193117124-1719501250-1154
                  Account Name:                 BondJ
  Additional Information:
                  Caller Computer Name:                DC1
  ===================================================
  ====================================================
  Below is the contents of the email when the same script runs via scheduled task trigger using any account I try other than the built-in domain Administrator account.
  =======================================================
  ======================================================
  Account  was locked out on .
  Event Details:
  ===================================================
  Just mostly blank email body with the info above.  All the important information text is missing from the email.

• Warning on Event Log of Aironet 1300 Bridge

  I've been getting warning messages from the event log of a 1300 series bridge, which is set as an Access Point in the network, states: 'Packet to client (mac address) reached max retries, removing the client';  I'm not sure why the client is removed.  Does 'reached max retries' mean that the client has tried to many times to connect to the AP/Bridge?  What are other possible reasons why? 

  It means the AP has attempted to send a packet to the client and has not received an ack from it. The AP assumes the client is no longer in range of it and disconnects it.
  Sent from Cisco Technical Support iPad App

• Adobe Air causing error in event log

  I installed Windows 7 64-bit on a system recently.  This morning I installed PS CS4, including Adobe Air.
  I've now gotten 5 of these errors recorded in the event log.
  Source:  SideBySide
  Event ID:  63
  Level:  Error
  Activation context generation failed for "x:\adobe cs4\payloads\adobeamp-mul\adobe air\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "x:\adobe cs4\payloads\adobeamp-mul\adobe air\Versions\1.0\Adobe AIR.dll" on line 3. The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.
  How do I get rid of this?

  I have had the same issue since  I bought PS-CS4 and Lightroom2.0 back in OCTOBER/NOVEMBER 2009.
  Directly from Windows Event Log:
  EventID 63: Activation context generation failed for "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.
  OS: Windows 7 64-bit
  Considering this ERROR is CONSTANTLY being JACKED into the Event Log, I had hoped that others would be asking Adobe for a solution.  I guess there are just two of us experiencing this problem - I seriously DOUBT that.
  Having DEVELOPMENT experience in several programming languages, it appears there is a SIMPLE error in the DLL file.  PLEASE FIX THIS ASAP!
  As much as we have to pay for this software, I would expect not to have these kind of issues.  Adobe PLEASE RESPOND!!!

• Event log WAN section

  Since being on Infinity my event log (WAN section) shows occasional "PPP LCP Send Termination Request [User request]", followed by a reconnect sequence, that lasts about 20s when it is back up running normally. The Home Hub 5 light remains blue but the DSL uptime reset itself.
  The other items that shows up, in this sequence, is " PPPoE is down after 8693 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 2 -​ Down)]" 
  Is this some short term break of service on the fibre network and nothing to do with the handshake between the router and the DSLAM in the cabinet?

  Same with the event log here.  I've had a few wireless issues lately, and wanted to run the router a bit longer before rebooting.
  EDIT: Restarted the HH3 tonight, and noticed from the event log that when booting it showed the correct time, but when it did a time sync check, it set the clock back one hour...
  I also tried a couple of other time servers without success.

• Alarm and event logging has stopped

  Alarm & Event Logging with Citadel 5 and Lookout 6.02.
  I have a continuously running application that stopped logging alarms and events approx. 6 weeks ago. (March 07, 2010) The problem went unnoticed until a recent event/alarm sequence needed to be investigated. Data traces are not a problem. They are visible using MAX as well as with Lookout hypertrends. However, MAX shows nothing for alarms or events past that date. (No problem earlier, going back to 2002)
  The Alarm panel in Lookout will show the alarms and events as they occur so I know they're being detected.
  I understand that the data traces are logged to Citadel, whereas alarms and events are passed to the MSSQL server. (In my case the free version that comes with XP - SQL Server Express I believe.)
  This version has a database size limit of 4 GB. What exactly does that mean?
  An *.mdf file >4GB cannot be created?
  An *.mdf file >4GB cannot be read?
  The total size of all *.mdf files cannot exceed 4GB?
  Curiously the file in use is 1.99GB. When archived, it is only about 750 MB, yet the total number of alarms and events are the same in each. There are other *.mdf files that exist on the system but aren't in use.
  NI document 4GPBLT21 states  "Once that limit is reached, the alarm and event data is logged to the high performance Citadel database". Then what? Is that data viewable with MAX?
  MAX doesn't appear to have any tools to selectively delete old alarms or events.
  How can I determine what has happened and what do I need to do to restart the logging?
  Any and all help most welcome.
  Bob L

  Lookout 6.0.2 uses SQL Server Desktop Engine which has the limit of 2G, so your alarm/event database has already reached the limit.
  After the SQL database is full, the alarm/event will be logged to Citadel database. But this maybe reduces the performance of Citadel, that's why we log alarm/event to SQL Server first. But I'm not sure why the alarm logging is stoppted.
  To delete the alarms from SQL Server is not straightforward. One way is to archive it. Follow the steps below.
  1. In MAX, create a new database in different folder.
  2. Create a Trace View and add the whole old database to the trace view.
  3. Right click on the Trace View and select Archive. Archive all to the new database. You don't need to specify the time range.
  4. After the achiving, the new database will have all the trace data and no alarm data in it. You can detach the old database.
  In Lookout, select File->Modify Process to change the database to the new database. Or you can change the system default database from Option->System. And then the lookout process will use the new database which has no alarm in it.
  You can keep the old database files. All the data and alarm/events won't be lost. When you need them, you can attach the database.
  Ryan Shi
  National Instruments