I have having the following problem:

I have an array say $events
i obtained from get-eventlog (which say returns a number of events matching
the criteria set)

when displayed it will give something like

{passwordlastset: 15\12\70 callerusername: administrator}

I am basically trying to write only where the passwordlastchanged criteria
match and the user did not change the password himself from similar code to
below:

foreach ($objuser in $AD)
{
foreach ($event in $events)
{
$P = $event.passwordlastset
$N = $event.callerusername
IF ($passwordlastsetobtainedfromADSI -eq $P) -and ($N -ine
$usersnameobtainedfromADSI)
{
write-host "$N" + " was the last person to change the password of " +
"$usersnameobtainedfromADSI"
}
}
}
The problem I have is it will hit the first person who meets the criteria
and write as expected but also the same info for each and every user
thereafter - any help would be much appreciated as I have tried a number of
things all to no avail
--
jobbsy@xxxxxx

It's hard to say just from viewing the code sample. You can try to assign
the variables to $null or "" in each iteration.

BTW, -ine (case-insensitive comparison) is the same as -ne.
Also, if $N and $usersnameobtainedfromADSI are strings then you don't need
to concatenate the variables:

write-host "$N" + " was the last person to change the password of " + "$usersnameobtainedfromADSI"

You can simply write:

write-host "$N was the last person to change the password of $usersnameobtainedfromADSI"



-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com

> I have having the following problem:
>
> I have an array say $events
> i obtained from get-eventlog (which say returns a number of events
> matching
> the criteria set)
> when displayed it will give something like
>
> {passwordlastset: 15\12\70 callerusername: administrator}
>
> I am basically trying to write only where the passwordlastchanged
> criteria match and the user did not change the password himself from
> similar code to below:
>
> foreach ($objuser in $AD)
> {
> foreach ($event in $events)
> {
> $P = $event.passwordlastset
> $N = $event.callerusername
> IF ($passwordlastsetobtainedfromADSI -eq $P) -and ($N -ine
> $usersnameobtainedfromADSI)
> {
> write-host "$N" + " was the last person to change the password of "
> +
> "$usersnameobtainedfromADSI"
> }
> }
> }
> The problem I have is it will hit the first person who meets the
> criteria and write as expected but also the same info for each and
> every user thereafter - any help would be much appreciated as I have
> tried a number of things all to no avail
>

Thanks Shay there's nothing else I believe coming into the second loop that
would effect it - I hav tried with both $null and "" and the code works fine
until there is an earlier entry picked up - I test this by changing the
password of same user in quickish succesion and running against a certain
-newest no of eventlog entries knowing I will pick them both up - therefore
the earlier one shouldnn't match the passwordlastset adsi value, although it
would match -ne to username).

Yes thanks for the write-host and -ieq tip.




--
jobbsy@xxxxxx


"Shay Levi" wrote:

> It's hard to say just from viewing the code sample. You can try to assign
> the variables to $null or "" in each iteration.
>
> BTW, -ine (case-insensitive comparison) is the same as -ne.
> Also, if $N and $usersnameobtainedfromADSI are strings then you don't need
> to concatenate the variables:
>
> write-host "$N" + " was the last person to change the password of " + "$usersnameobtainedfromADSI"
>
> You can simply write:
>
> write-host "$N was the last person to change the password of $usersnameobtainedfromADSI"
>
>
>
> -----
> Shay Levi
> $cript Fanatic
> http://scriptolog.blogspot.com
>
>
>

> > I have having the following problem:
> >
> > I have an array say $events
> > i obtained from get-eventlog (which say returns a number of events
> > matching
> > the criteria set)
> > when displayed it will give something like
> >
> > {passwordlastset: 15\12\70 callerusername: administrator}
> >
> > I am basically trying to write only where the passwordlastchanged
> > criteria match and the user did not change the password himself from
> > similar code to below:
> >
> > foreach ($objuser in $AD)
> > {
> > foreach ($event in $events)
> > {
> > $P = $event.passwordlastset
> > $N = $event.callerusername
> > IF ($passwordlastsetobtainedfromADSI -eq $P) -and ($N -ine
> > $usersnameobtainedfromADSI)
> > {
> > write-host "$N" + " was the last person to change the password of "
> > +
> > "$usersnameobtainedfromADSI"
> > }
> > }
> > }
> > The problem I have is it will hit the first person who meets the
> > criteria and write as expected but also the same info for each and
> > every user thereafter - any help would be much appreciated as I have
> > tried a number of things all to no avail
> >

>
>
>

What are the types of $N, $P, etc? (e.g $N.gettype())


Doe's the same happens when you run:

$N=@{name="CallerUserName";expression={$_.callerusername}}
$P=@{name="PasswordLastSet";expression={$_.passwordlastset}}
$ADSIUser =@{name="ADSIUserName";expression={$usersnameobtainedfromADSI}}

$events | select $N,$P,$ADSIUser | format-table -auto


-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com

> Thanks Shay there's nothing else I believe coming into the second loop
> that would effect it - I hav tried with both $null and "" and the code
> works fine until there is an earlier entry picked up - I test this by
> changing the password of same user in quickish succesion and running
> against a certain -newest no of eventlog entries knowing I will pick
> them both up - therefore the earlier one shouldnn't match the
> passwordlastset adsi value, although it would match -ne to username).
>
> Yes thanks for the write-host and -ieq tip.
>
> "Shay Levi" wrote:
>

>> It's hard to say just from viewing the code sample. You can try to
>> assign the variables to $null or "" in each iteration.
>>
>> BTW, -ine (case-insensitive comparison) is the same as -ne. Also, if
>> $N and $usersnameobtainedfromADSI are strings then you don't need to
>> concatenate the variables:
>>
>> write-host "$N" + " was the last person to change the password of " +
>> "$usersnameobtainedfromADSI"
>>
>> You can simply write:
>>
>> write-host "$N was the last person to change the password of
>> $usersnameobtainedfromADSI"
>>
>> -----
>> Shay Levi
>> $cript Fanatic
>> http://scriptolog.blogspot.com

>>> I have having the following problem:
>>>
>>> I have an array say $events
>>> i obtained from get-eventlog (which say returns a number of events
>>> matching
>>> the criteria set)
>>> when displayed it will give something like
>>> {passwordlastset: 15\12\70 callerusername: administrator}
>>>
>>> I am basically trying to write only where the passwordlastchanged
>>> criteria match and the user did not change the password himself from
>>> similar code to below:
>>>
>>> foreach ($objuser in $AD)
>>> {
>>> foreach ($event in $events)
>>> {
>>> $P = $event.passwordlastset
>>> $N = $event.callerusername
>>> IF ($passwordlastsetobtainedfromADSI -eq $P) -and ($N -ine
>>> $usersnameobtainedfromADSI)
>>> {
>>> write-host "$N" + " was the last person to change the password of "
>>> +
>>> "$usersnameobtainedfromADSI"
>>> }
>>> }
>>> }
>>> The problem I have is it will hit the first person who meets the
>>> criteria and write as expected but also the same info for each and
>>> every user thereafter - any help would be much appreciated as I have
>>> tried a number of things all to no avail

Thanks for your help Shay I was able to figure it out (I needed the 5thField
outside of the events loop from my finished code below - you were right
without seeing all the code you could not have troubleshooted that - but
appreciated your input - I'm sure this is not the most professional code ever
but it works! - Thanks again


#INITIALISATION SECTION
#----------------------

#Clear the Windows command console screen
Clear-Host

#CONSTANTS SECTION
#-----------------

$strDate = get-date -uformat "%Y-%m-%d"
$CSVFilePath = 'c:\Documents and Settings\All
Users\Desktop\SwapClearITD_users_'+$strDate+'.csv'

#Delete previous file if exists
$RetVal = Test-Path 'c:\Documents and Settings\All Users\Desktop\' |
where-object {$_.name -like "*.CSV"}
If ($RetVal = 'True')
{
Remove-Item 'c:\Documents and Settings\All Users\Desktop\*.CSV'
}

#Creates new dated file and specifies header for CSV.
$strOutputString = "User,Member Of Group,Account Created,Password last
changed"
$strOutputString | out-file -Width 2147483647 -filepath $CSVFilePath
-encoding ascii

#Retrieve Events for Administrator Password Changes

[regex]$regEx = ('\:\s+')
$events = @()
get-eventlog Security -newest 2000 |
where {$_.eventID -eq '642'} |
% {
$obj = new-object psObject
switch -regex ($_.message.split("`n")) {
'^\s*Password Last Set\:' {
add-member NoteProperty -name PasswordLastSet `
-value $($regEx.split($_)[1]).trim() -in $obj
}
'^\s*Caller User Name\:' {
add-member NoteProperty -name CallerUserName `
-value $($regEx.split($_)[1]).trim() -in $obj
}
}
$events += $obj
}



#FUNCTIONS & FILTERS SECTION
#----------------------------



#MAIN PROCESSING SECTION
#-----------------------

$Dom = 'LDAP://OU=test,DC=vmware,DC=vm'
$Root = New-Object DirectoryServices.DirectoryEntry $Dom
$i=0

# Create a selector and start searching from the Root of AD
$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = $root
$selector.pagesize = 1000
$adobj= $selector.findall() |`
where {$_.properties.objectcategory -match "CN=Person"}


foreach ($person in $adobj) {
$prop=$person.properties
$i++

$1stField = "$($prop.name)" + ","


# $2nd Field - Member Of
#---------------------------------------------------------
IF ("$($prop.memberof)" -match "CN=*") {
#Remove the "CN=, OU=TEST," etc & just keep name of group at front of DN
$s = "$($prop.memberof)"
$firstdivofDN,$seconddivofDN,$thirddivofDN =
([regex]'=(.+?),').matches($s) | foreach {$_.Groups[1].Value}
$2ndField = "$firstdivofDN" + ","
} ELSE {
$2ndField = "****NOT A MEMBER OF A GROUP****" + ","
}
# $3rd Field - date When account was created
#------------------------------------------
$AC = $($prop.whencreated)
$AccountCreated = "{00:dd}/{00:MM}/{0000:yyyy} {0:hh}:{0:mm}:{0:ss}" -f($AC)

$3rdField = "$AccountCreated" + ","

# $4th Field - Password Last Set
#----------------------------------------------------------
#Convert the large Integer format into a readable date

$LI = [datetime]::FromFileTimeUTC( $($prop.pwdlastset[0]) )
$PWLSet = "{00:dd}/{00:MM}/{0000:yyyy} {0:hh}:{0:mm}:{0:ss}" -f ($LI)

$4thField = "$PWLSet" + ","

# $5th Field - Was Administrator last person to change Password?
#--------------------------------------------------------------

$5thField = ""

IF ("$AccountCreated" -match "$PWLSet") {
$5thField = "****PASSWORD NOT CHANGED SINCE ACCOUNT SETUP****" + ","
} ELSE {
Foreach($event in $events) { # from constants section at start

$E = $event.PasswordLastSet

$N = $event.CallerUserName

IF (("$E" -match "$PWLSet") -and ("$N" -ne "$($prop.name)")) {
$5thField = "****PASSWORD last Changed by " + "$N" + "****" + ","
}
}
}


$strOutputString = "$1stField" + "$2ndField" + "$3rdField" + "$4thField" +
"$5thField"

$strOutputString | out-file -filepath $CSVFilePath -encoding ascii -append

}




--
jobbsy@xxxxxx


"Shay Levi" wrote:

> What are the types of $N, $P, etc? (e.g $N.gettype())
>
>
> Doe's the same happens when you run:
>
> $N=@{name="CallerUserName";expression={$_.callerusername}}
> $P=@{name="PasswordLastSet";expression={$_.passwordlastset}}
> $ADSIUser =@{name="ADSIUserName";expression={$usersnameobtainedfromADSI}}
>
> $events | select $N,$P,$ADSIUser | format-table -auto
>
>
> -----
> Shay Levi
> $cript Fanatic
> http://scriptolog.blogspot.com
>
>
>

> > Thanks Shay there's nothing else I believe coming into the second loop
> > that would effect it - I hav tried with both $null and "" and the code
> > works fine until there is an earlier entry picked up - I test this by
> > changing the password of same user in quickish succesion and running
> > against a certain -newest no of eventlog entries knowing I will pick
> > them both up - therefore the earlier one shouldnn't match the
> > passwordlastset adsi value, although it would match -ne to username).
> >
> > Yes thanks for the write-host and -ieq tip.
> >
> > "Shay Levi" wrote:
> >

> >> It's hard to say just from viewing the code sample. You can try to
> >> assign the variables to $null or "" in each iteration.
> >>
> >> BTW, -ine (case-insensitive comparison) is the same as -ne. Also, if
> >> $N and $usersnameobtainedfromADSI are strings then you don't need to
> >> concatenate the variables:
> >>
> >> write-host "$N" + " was the last person to change the password of " +
> >> "$usersnameobtainedfromADSI"
> >>
> >> You can simply write:
> >>
> >> write-host "$N was the last person to change the password of
> >> $usersnameobtainedfromADSI"
> >>
> >> -----
> >> Shay Levi
> >> $cript Fanatic
> >> http://scriptolog.blogspot.com
> >>> I have having the following problem:
> >>>
> >>> I have an array say $events
> >>> i obtained from get-eventlog (which say returns a number of events
> >>> matching
> >>> the criteria set)
> >>> when displayed it will give something like
> >>> {passwordlastset: 15\12\70 callerusername: administrator}
> >>>
> >>> I am basically trying to write only where the passwordlastchanged
> >>> criteria match and the user did not change the password himself from
> >>> similar code to below:
> >>>
> >>> foreach ($objuser in $AD)
> >>> {
> >>> foreach ($event in $events)
> >>> {
> >>> $P = $event.passwordlastset
> >>> $N = $event.callerusername
> >>> IF ($passwordlastsetobtainedfromADSI -eq $P) -and ($N -ine
> >>> $usersnameobtainedfromADSI)
> >>> {
> >>> write-host "$N" + " was the last person to change the password of "
> >>> +
> >>> "$usersnameobtainedfromADSI"
> >>> }
> >>> }
> >>> }
> >>> The problem I have is it will hit the first person who meets the
> >>> criteria and write as expected but also the same info for each and
> >>> every user thereafter - any help would be much appreciated as I have
> >>> tried a number of things all to no avail

>
>
>

Hi Jobbsy,

Glad you could resolve it :-)

Generally, I would avoid keeping/running files from any desktop, the path
is too deep any you may encounter permission errors.

1. You can embed $strDate inside double quotes string and it will expand
its value.
$CSVFilePath = "C:\Documents and Settings\All Users\Desktop\SwapClearITD_users_$strDate.csv"

2. Test-Path determines whether all elements of a path exist. It checks for
one file/directory based on leaf/container value of -pathType parameter.
It doesn't check for ALL (*.CSV) files. If you want to delete all CSV
files before starting use 'get-childitem -filter *.csv | remove-item -force'

To test for a file existence use:
test-path -path c:\scripts\$strDate.csv -pathType leaf

For directory:
test-path -path c:\scripts -pathType Container

Execute 'get-help test-path -full' to get full available help

3. You can format dates easily with the -format operator, its much more concise
then $AccountCreated assignment:
PS > get-date -f "dd/MM/yyyy hh:mm:ss"
19/11/2007 11:36:08

The same can be applied when you retrieve events from a log file:
PS > $e= get-eventlog application -new 1
PS> $e.TimeWritten -f "dd/MM/yyyy hh:mm:ss"
19/11/2007 11:36:08

4. '$AC = $($prop.whencreated)' is the same as '$AC = $prop.whencreated'.
Generally, You use the $($prop.member) subexpression expansion notation
when you need to expand the variable inside of a string.

You can't write this:
PS > write-host "PowerShell current culture is: $Host.CurrentCulture"
PowerShell current culture is: System.Management.Automation.Internal.Host.InternalHost.CurrentCulture

This works:
PS > write-host "Working directory path is $($Host.CurrentCulture)"
PowerShell current culture is: he-IL




HTH

-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com

> Thanks for your help Shay I was able to figure it out (I needed the
> 5thField outside of the events loop from my finished code below - you
> were right without seeing all the code you could not have
> troubleshooted that - but appreciated your input - I'm sure this is
> not the most professional code ever but it works! - Thanks again
>
> #INITIALISATION SECTION
> #----------------------
> #Clear the Windows command console screen
> Clear-Host
> #CONSTANTS SECTION
> #-----------------
> $strDate = get-date -uformat "%Y-%m-%d"
> $CSVFilePath = 'c:\Documents and Settings\All
> Users\Desktop\SwapClearITD_users_'+$strDate+'.csv'
> #Delete previous file if exists
> $RetVal = Test-Path 'c:\Documents and Settings\All Users\Desktop\' |
> where-object {$_.name -like "*.CSV"}
> If ($RetVal = 'True')
> {
> Remove-Item 'c:\Documents and Settings\All Users\Desktop\*.CSV'
> }
> #Creates new dated file and specifies header for CSV.
> $strOutputString = "User,Member Of Group,Account Created,Password last
> changed"
> $strOutputString | out-file -Width 2147483647 -filepath $CSVFilePath
> -encoding ascii
> #Retrieve Events for Administrator Password Changes
>
> [regex]$regEx = ('\:\s+')
> $events = @()
> get-eventlog Security -newest 2000 |
> where {$_.eventID -eq '642'} |
> % {
> $obj = new-object psObject
> switch -regex ($_.message.split("`n")) {
> '^\s*Password Last Set\:' {
> add-member NoteProperty -name PasswordLastSet `
> -value $($regEx.split($_)[1]).trim() -in $obj
> }
> '^\s*Caller User Name\:' {
> add-member NoteProperty -name CallerUserName `
> -value $($regEx.split($_)[1]).trim() -in $obj
> }
> }
> $events += $obj
> }
> #FUNCTIONS & FILTERS SECTION
> #----------------------------
> #MAIN PROCESSING SECTION
> #-----------------------
> $Dom = 'LDAP://OU=test,DC=vmware,DC=vm'
> $Root = New-Object DirectoryServices.DirectoryEntry $Dom
> $i=0
> # Create a selector and start searching from the Root of AD
> $selector = New-Object DirectoryServices.DirectorySearcher
> $selector.SearchRoot = $root
> $selector.pagesize = 1000
> $adobj= $selector.findall() |`
> where {$_.properties.objectcategory -match "CN=Person"}
> foreach ($person in $adobj) {
> $prop=$person.properties
> $i++
> $1stField = "$($prop.name)" + ","
>
> # $2nd Field - Member Of
> #---------------------------------------------------------
> IF ("$($prop.memberof)" -match "CN=*") {
> #Remove the "CN=, OU=TEST," etc & just keep name of group at front of
> DN
> $s = "$($prop.memberof)"
> $firstdivofDN,$seconddivofDN,$thirddivofDN =
> ([regex]'=(.+?),').matches($s) | foreach {$_.Groups[1].Value}
> $2ndField = "$firstdivofDN" + ","
> } ELSE {
> $2ndField = "****NOT A MEMBER OF A GROUP****" + ","
> }
> # $3rd Field - date When account was created
> #------------------------------------------
> $AC = $($prop.whencreated)
> $AccountCreated = "{00:dd}/{00:MM}/{0000:yyyy} {0:hh}:{0:mm}:{0:ss}"
> -f($AC)
> $3rdField = "$AccountCreated" + ","
>
> # $4th Field - Password Last Set
> #---------------------------------------------------------- #Convert
> the large Integer format into a readable date
>
> $LI = [datetime]::FromFileTimeUTC( $($prop.pwdlastset[0]) )
> $PWLSet = "{00:dd}/{00:MM}/{0000:yyyy} {0:hh}:{0:mm}:{0:ss}" -f
> ($LI)
> $4thField = "$PWLSet" + ","
>
> # $5th Field - Was Administrator last person to change Password?
> #--------------------------------------------------------------
>
> $5thField = ""
>
> IF ("$AccountCreated" -match "$PWLSet") {
> $5thField = "****PASSWORD NOT CHANGED SINCE ACCOUNT SETUP****" +
> ","
> } ELSE {
> Foreach($event in $events) { # from constants section at start
> $E = $event.PasswordLastSet
>
> $N = $event.CallerUserName
>
> IF (("$E" -match "$PWLSet") -and ("$N" -ne "$($prop.name)")) {
> $5thField = "****PASSWORD last Changed by " + "$N" + "****" +
> ","
> }
> }
> }
> $strOutputString = "$1stField" + "$2ndField" + "$3rdField" +
> "$4thField" + "$5thField"
>
> $strOutputString | out-file -filepath $CSVFilePath -encoding ascii
> -append
>
> }
>
> "Shay Levi" wrote:
>

>> What are the types of $N, $P, etc? (e.g $N.gettype())
>>
>> Doe's the same happens when you run:
>>
>> $N=@{name="CallerUserName";expression={$_.callerusername}}
>> $P=@{name="PasswordLastSet";expression={$_.passwordlastset}}
>> $ADSIUser
>> =@{name="ADSIUserName";expression={$usersnameobtainedfromADSI}}
>>
>> $events | select $N,$P,$ADSIUser | format-table -auto
>>
>> -----
>> Shay Levi
>> $cript Fanatic
>> http://scriptolog.blogspot.com

>>> Thanks Shay there's nothing else I believe coming into the second
>>> loop that would effect it - I hav tried with both $null and "" and
>>> the code works fine until there is an earlier entry picked up - I
>>> test this by changing the password of same user in quickish
>>> succesion and running against a certain -newest no of eventlog
>>> entries knowing I will pick them both up - therefore the earlier one
>>> shouldnn't match the passwordlastset adsi value, although it would
>>> match -ne to username).
>>>
>>> Yes thanks for the write-host and -ieq tip.
>>>
>>> "Shay Levi" wrote:
>>>
>>>> It's hard to say just from viewing the code sample. You can try to
>>>> assign the variables to $null or "" in each iteration.
>>>>
>>>> BTW, -ine (case-insensitive comparison) is the same as -ne. Also,
>>>> if $N and $usersnameobtainedfromADSI are strings then you don't
>>>> need to concatenate the variables:
>>>>
>>>> write-host "$N" + " was the last person to change the password of "
>>>> + "$usersnameobtainedfromADSI"
>>>>
>>>> You can simply write:
>>>>
>>>> write-host "$N was the last person to change the password of
>>>> $usersnameobtainedfromADSI"
>>>>
>>>> -----
>>>> Shay Levi
>>>> $cript Fanatic
>>>> http://scriptolog.blogspot.com
>>>>> I have having the following problem:
>>>>>
>>>>> I have an array say $events
>>>>> i obtained from get-eventlog (which say returns a number of events
>>>>> matching
>>>>> the criteria set)
>>>>> when displayed it will give something like
>>>>> {passwordlastset: 15\12\70 callerusername: administrator}
>>>>> I am basically trying to write only where the passwordlastchanged
>>>>> criteria match and the user did not change the password himself
>>>>> from similar code to below:
>>>>>
>>>>> foreach ($objuser in $AD)
>>>>> {
>>>>> foreach ($event in $events)
>>>>> {
>>>>> $P = $event.passwordlastset
>>>>> $N = $event.callerusername
>>>>> IF ($passwordlastsetobtainedfromADSI -eq $P) -and ($N -ine
>>>>> $usersnameobtainedfromADSI)
>>>>> {
>>>>> write-host "$N" + " was the last person to change the password of
>>>>> "
>>>>> +
>>>>> "$usersnameobtainedfromADSI"
>>>>> }
>>>>> }
>>>>> }
>>>>> The problem I have is it will hit the first person who meets the
>>>>> criteria and write as expected but also the same info for each and
>>>>> every user thereafter - any help would be much appreciated as I
>>>>> have
>>>>> tried a number of things all to no avail

Thanks Shay I will sit down and go through your tips and certainly take them
onboard

My next challenge is to interrogate 2 DCs in a Domain - this script runs
happily against one dc in a test domain - also as the security event log is
liable to being overwritten I will have to save the csv files and loop
through a number of historical ones to make sure info is accurate - I reckon
it will probably be easier to combine the two output files after running on
each DC - all this will be scheduled to run daily - that should test my
knowledge!


--
jobbsy@xxxxxx


"Shay Levi" wrote:

> Hi Jobbsy,
>
> Glad you could resolve it :-)
>
> Generally, I would avoid keeping/running files from any desktop, the path
> is too deep any you may encounter permission errors.
>
> 1. You can embed $strDate inside double quotes string and it will expand
> its value.
> $CSVFilePath = "C:\Documents and Settings\All Users\Desktop\SwapClearITD_users_$strDate.csv"
>
> 2. Test-Path determines whether all elements of a path exist. It checks for
> one file/directory based on leaf/container value of -pathType parameter.
> It doesn't check for ALL (*.CSV) files. If you want to delete all CSV
> files before starting use 'get-childitem -filter *.csv | remove-item -force'
>
> To test for a file existence use:
> test-path -path c:\scripts\$strDate.csv -pathType leaf
>
> For directory:
> test-path -path c:\scripts -pathType Container
>
> Execute 'get-help test-path -full' to get full available help
>
> 3. You can format dates easily with the -format operator, its much more concise
> then $AccountCreated assignment:
> PS > get-date -f "dd/MM/yyyy hh:mm:ss"
> 19/11/2007 11:36:08
>
> The same can be applied when you retrieve events from a log file:
> PS > $e= get-eventlog application -new 1
> PS> $e.TimeWritten -f "dd/MM/yyyy hh:mm:ss"
> 19/11/2007 11:36:08
>
> 4. '$AC = $($prop.whencreated)' is the same as '$AC = $prop.whencreated'.
> Generally, You use the $($prop.member) subexpression expansion notation
> when you need to expand the variable inside of a string.
>
> You can't write this:
> PS > write-host "PowerShell current culture is: $Host.CurrentCulture"
> PowerShell current culture is: System.Management.Automation.Internal.Host.InternalHost.CurrentCulture
>
> This works:
> PS > write-host "Working directory path is $($Host.CurrentCulture)"
> PowerShell current culture is: he-IL
>
>
>
>
> HTH
>
> -----
> Shay Levi
> $cript Fanatic
> http://scriptolog.blogspot.com
>
>
>

> > Thanks for your help Shay I was able to figure it out (I needed the
> > 5thField outside of the events loop from my finished code below - you
> > were right without seeing all the code you could not have
> > troubleshooted that - but appreciated your input - I'm sure this is
> > not the most professional code ever but it works! - Thanks again
> >
> > #INITIALISATION SECTION
> > #----------------------
> > #Clear the Windows command console screen
> > Clear-Host
> > #CONSTANTS SECTION
> > #-----------------
> > $strDate = get-date -uformat "%Y-%m-%d"
> > $CSVFilePath = 'c:\Documents and Settings\All
> > Users\Desktop\SwapClearITD_users_'+$strDate+'.csv'
> > #Delete previous file if exists
> > $RetVal = Test-Path 'c:\Documents and Settings\All Users\Desktop\' |
> > where-object {$_.name -like "*.CSV"}
> > If ($RetVal = 'True')
> > {
> > Remove-Item 'c:\Documents and Settings\All Users\Desktop\*.CSV'
> > }
> > #Creates new dated file and specifies header for CSV.
> > $strOutputString = "User,Member Of Group,Account Created,Password last
> > changed"
> > $strOutputString | out-file -Width 2147483647 -filepath $CSVFilePath
> > -encoding ascii
> > #Retrieve Events for Administrator Password Changes
> >
> > [regex]$regEx = ('\:\s+')
> > $events = @()
> > get-eventlog Security -newest 2000 |
> > where {$_.eventID -eq '642'} |
> > % {
> > $obj = new-object psObject
> > switch -regex ($_.message.split("`n")) {
> > '^\s*Password Last Set\:' {
> > add-member NoteProperty -name PasswordLastSet `
> > -value $($regEx.split($_)[1]).trim() -in $obj
> > }
> > '^\s*Caller User Name\:' {
> > add-member NoteProperty -name CallerUserName `
> > -value $($regEx.split($_)[1]).trim() -in $obj
> > }
> > }
> > $events += $obj
> > }
> > #FUNCTIONS & FILTERS SECTION
> > #----------------------------
> > #MAIN PROCESSING SECTION
> > #-----------------------
> > $Dom = 'LDAP://OU=test,DC=vmware,DC=vm'
> > $Root = New-Object DirectoryServices.DirectoryEntry $Dom
> > $i=0
> > # Create a selector and start searching from the Root of AD
> > $selector = New-Object DirectoryServices.DirectorySearcher
> > $selector.SearchRoot = $root
> > $selector.pagesize = 1000
> > $adobj= $selector.findall() |`
> > where {$_.properties.objectcategory -match "CN=Person"}
> > foreach ($person in $adobj) {
> > $prop=$person.properties
> > $i++
> > $1stField = "$($prop.name)" + ","
> >
> > # $2nd Field - Member Of
> > #---------------------------------------------------------
> > IF ("$($prop.memberof)" -match "CN=*") {
> > #Remove the "CN=, OU=TEST," etc & just keep name of group at front of
> > DN
> > $s = "$($prop.memberof)"
> > $firstdivofDN,$seconddivofDN,$thirddivofDN =
> > ([regex]'=(.+?),').matches($s) | foreach {$_.Groups[1].Value}
> > $2ndField = "$firstdivofDN" + ","
> > } ELSE {
> > $2ndField = "****NOT A MEMBER OF A GROUP****" + ","
> > }
> > # $3rd Field - date When account was created
> > #------------------------------------------
> > $AC = $($prop.whencreated)
> > $AccountCreated = "{00:dd}/{00:MM}/{0000:yyyy} {0:hh}:{0:mm}:{0:ss}"
> > -f($AC)
> > $3rdField = "$AccountCreated" + ","
> >
> > # $4th Field - Password Last Set
> > #---------------------------------------------------------- #Convert
> > the large Integer format into a readable date
> >
> > $LI = [datetime]::FromFileTimeUTC( $($prop.pwdlastset[0]) )
> > $PWLSet = "{00:dd}/{00:MM}/{0000:yyyy} {0:hh}:{0:mm}:{0:ss}" -f
> > ($LI)
> > $4thField = "$PWLSet" + ","
> >
> > # $5th Field - Was Administrator last person to change Password?
> > #--------------------------------------------------------------
> >
> > $5thField = ""
> >
> > IF ("$AccountCreated" -match "$PWLSet") {
> > $5thField = "****PASSWORD NOT CHANGED SINCE ACCOUNT SETUP****" +
> > ","
> > } ELSE {
> > Foreach($event in $events) { # from constants section at start
> > $E = $event.PasswordLastSet
> >
> > $N = $event.CallerUserName
> >
> > IF (("$E" -match "$PWLSet") -and ("$N" -ne "$($prop.name)")) {
> > $5thField = "****PASSWORD last Changed by " + "$N" + "****" +
> > ","
> > }
> > }
> > }
> > $strOutputString = "$1stField" + "$2ndField" + "$3rdField" +
> > "$4thField" + "$5thField"
> >
> > $strOutputString | out-file -filepath $CSVFilePath -encoding ascii
> > -append
> >
> > }
> >
> > "Shay Levi" wrote:
> >

> >> What are the types of $N, $P, etc? (e.g $N.gettype())
> >>
> >> Doe's the same happens when you run:
> >>
> >> $N=@{name="CallerUserName";expression={$_.callerusername}}
> >> $P=@{name="PasswordLastSet";expression={$_.passwordlastset}}
> >> $ADSIUser
> >> =@{name="ADSIUserName";expression={$usersnameobtainedfromADSI}}
> >>
> >> $events | select $N,$P,$ADSIUser | format-table -auto
> >>
> >> -----
> >> Shay Levi
> >> $cript Fanatic
> >> http://scriptolog.blogspot.com
> >>> Thanks Shay there's nothing else I believe coming into the second
> >>> loop that would effect it - I hav tried with both $null and "" and
> >>> the code works fine until there is an earlier entry picked up - I
> >>> test this by changing the password of same user in quickish
> >>> succesion and running against a certain -newest no of eventlog
> >>> entries knowing I will pick them both up - therefore the earlier one
> >>> shouldnn't match the passwordlastset adsi value, although it would
> >>> match -ne to username).
> >>>
> >>> Yes thanks for the write-host and -ieq tip.
> >>>
> >>> "Shay Levi" wrote:
> >>>
> >>>> It's hard to say just from viewing the code sample. You can try to
> >>>> assign the variables to $null or "" in each iteration.
> >>>>
> >>>> BTW, -ine (case-insensitive comparison) is the same as -ne. Also,
> >>>> if $N and $usersnameobtainedfromADSI are strings then you don't
> >>>> need to concatenate the variables:
> >>>>
> >>>> write-host "$N" + " was the last person to change the password of "
> >>>> + "$usersnameobtainedfromADSI"
> >>>>
> >>>> You can simply write:
> >>>>
> >>>> write-host "$N was the last person to change the password of
> >>>> $usersnameobtainedfromADSI"
> >>>>
> >>>> -----
> >>>> Shay Levi
> >>>> $cript Fanatic
> >>>> http://scriptolog.blogspot.com
> >>>>> I have having the following problem:
> >>>>>
> >>>>> I have an array say $events
> >>>>> i obtained from get-eventlog (which say returns a number of events
> >>>>> matching
> >>>>> the criteria set)
> >>>>> when displayed it will give something like
> >>>>> {passwordlastset: 15\12\70 callerusername: administrator}
> >>>>> I am basically trying to write only where the passwordlastchanged
> >>>>> criteria match and the user did not change the password himself
> >>>>> from similar code to below:
> >>>>>
> >>>>> foreach ($objuser in $AD)
> >>>>> {
> >>>>> foreach ($event in $events)
> >>>>> {
> >>>>> $P = $event.passwordlastset
> >>>>> $N = $event.callerusername
> >>>>> IF ($passwordlastsetobtainedfromADSI -eq $P) -and ($N -ine
> >>>>> $usersnameobtainedfromADSI)
> >>>>> {
> >>>>> write-host "$N" + " was the last person to change the password of
> >>>>> "
> >>>>> +
> >>>>> "$usersnameobtainedfromADSI"
> >>>>> }
> >>>>> }
> >>>>> }
> >>>>> The problem I have is it will hit the first person who meets the
> >>>>> criteria and write as expected but also the same info for each and
> >>>>> every user thereafter - any help would be much appreciated as I
> >>>>> have
> >>>>> tried a number of things all to no avail

>
>
>