Thanks for your help Shay I was able to figure it out (I needed the 5thField
outside of the events loop from my finished code below - you were right
without seeing all the code you could not have troubleshooted that - but
appreciated your input - I'm sure this is not the most professional code ever
but it works! - Thanks again
#INITIALISATION SECTION
#----------------------
#Clear the Windows command console screen
Clear-Host
#CONSTANTS SECTION
#-----------------
$strDate = get-date -uformat "%Y-%m-%d"
$CSVFilePath = 'c:\Documents and Settings\All
Users\Desktop\SwapClearITD_users_'+$strDate+'.csv'
#Delete previous file if exists
$RetVal = Test-Path 'c:\Documents and Settings\All Users\Desktop\' |
where-object {$_.name -like "*.CSV"}
If ($RetVal = 'True')
{
Remove-Item 'c:\Documents and Settings\All Users\Desktop\*.CSV'
}
#Creates new dated file and specifies header for CSV.
$strOutputString = "User,Member Of Group,Account Created,Password last
changed"
$strOutputString | out-file -Width 2147483647 -filepath $CSVFilePath
-encoding ascii
#Retrieve Events for Administrator Password Changes
[regex]$regEx = ('\:\s+')
$events = @()
get-eventlog Security -newest 2000 |
where {$_.eventID -eq '642'} |
% {
$obj = new-object psObject
switch -regex ($_.message.split("`n")) {
'^\s*Password Last Set\:' {
add-member NoteProperty -name PasswordLastSet `
-value $($regEx.split($_)[1]).trim() -in $obj
}
'^\s*Caller User Name\:' {
add-member NoteProperty -name CallerUserName `
-value $($regEx.split($_)[1]).trim() -in $obj
}
}
$events += $obj
}
#FUNCTIONS & FILTERS SECTION
#----------------------------
#MAIN PROCESSING SECTION
#-----------------------
$Dom = 'LDAP://OU=test,DC=vmware,DC=vm'
$Root = New-Object DirectoryServices.DirectoryEntry $Dom
$i=0
# Create a selector and start searching from the Root of AD
$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = $root
$selector.pagesize = 1000
$adobj= $selector.findall() |`
where {$_.properties.objectcategory -match "CN=Person"}
foreach ($person in $adobj) {
$prop=$person.properties
$i++
$1stField = "$($prop.name)" + ","
# $2nd Field - Member Of
#---------------------------------------------------------
IF ("$($prop.memberof)" -match "CN=*") {
#Remove the "CN=, OU=TEST," etc & just keep name of group at front of DN
$s = "$($prop.memberof)"
$firstdivofDN,$seconddivofDN,$thirddivofDN =
([regex]'=(.+?),').matches($s) | foreach {$_.Groups[1].Value}
$2ndField = "$firstdivofDN" + ","
} ELSE {
$2ndField = "****NOT A MEMBER OF A GROUP****" + ","
}
# $3rd Field - date When account was created
#------------------------------------------
$AC = $($prop.whencreated)
$AccountCreated = "{00:dd}/{00:MM}/{0000:yyyy} {0:hh}:{0:mm}:{0:ss}" -f($AC)
$3rdField = "$AccountCreated" + ","
# $4th Field - Password Last Set
#----------------------------------------------------------
#Convert the large Integer format into a readable date
$LI = [datetime]::FromFileTimeUTC( $($prop.pwdlastset[0]) )
$PWLSet = "{00:dd}/{00:MM}/{0000:yyyy} {0:hh}:{0:mm}:{0:ss}" -f ($LI)
$4thField = "$PWLSet" + ","
# $5th Field - Was Administrator last person to change Password?
#--------------------------------------------------------------
$5thField = ""
IF ("$AccountCreated" -match "$PWLSet") {
$5thField = "****PASSWORD NOT CHANGED SINCE ACCOUNT SETUP****" + ","
} ELSE {
Foreach($event in $events) { # from constants section at start
$E = $event.PasswordLastSet
$N = $event.CallerUserName
IF (("$E" -match "$PWLSet") -and ("$N" -ne "$($prop.name)")) {
$5thField = "****PASSWORD last Changed by " + "$N" + "****" + ","
}
}
}
$strOutputString = "$1stField" + "$2ndField" + "$3rdField" + "$4thField" +
"$5thField"
$strOutputString | out-file -filepath $CSVFilePath -encoding ascii -append
}
--
jobbsy@xxxxxx
"Shay Levi" wrote:
> What are the types of $N, $P, etc? (e.g $N.gettype())
>
>
> Doe's the same happens when you run:
>
> $N=@{name="CallerUserName";expression={$_.callerusername}}
> $P=@{name="PasswordLastSet";expression={$_.passwordlastset}}
> $ADSIUser =@{name="ADSIUserName";expression={$usersnameobtainedfromADSI}}
>
> $events | select $N,$P,$ADSIUser | format-table -auto
>
>
> -----
> Shay Levi
> $cript Fanatic
> http://scriptolog.blogspot.com
>
>
>
> > Thanks Shay there's nothing else I believe coming into the second loop
> > that would effect it - I hav tried with both $null and "" and the code
> > works fine until there is an earlier entry picked up - I test this by
> > changing the password of same user in quickish succesion and running
> > against a certain -newest no of eventlog entries knowing I will pick
> > them both up - therefore the earlier one shouldnn't match the
> > passwordlastset adsi value, although it would match -ne to username).
> >
> > Yes thanks for the write-host and -ieq tip.
> >
> > "Shay Levi" wrote:
> >
> >> It's hard to say just from viewing the code sample. You can try to
> >> assign the variables to $null or "" in each iteration.
> >>
> >> BTW, -ine (case-insensitive comparison) is the same as -ne. Also, if
> >> $N and $usersnameobtainedfromADSI are strings then you don't need to
> >> concatenate the variables:
> >>
> >> write-host "$N" + " was the last person to change the password of " +
> >> "$usersnameobtainedfromADSI"
> >>
> >> You can simply write:
> >>
> >> write-host "$N was the last person to change the password of
> >> $usersnameobtainedfromADSI"
> >>
> >> -----
> >> Shay Levi
> >> $cript Fanatic
> >> http://scriptolog.blogspot.com
> >>> I have having the following problem:
> >>>
> >>> I have an array say $events
> >>> i obtained from get-eventlog (which say returns a number of events
> >>> matching
> >>> the criteria set)
> >>> when displayed it will give something like
> >>> {passwordlastset: 15\12\70 callerusername: administrator}
> >>>
> >>> I am basically trying to write only where the passwordlastchanged
> >>> criteria match and the user did not change the password himself from
> >>> similar code to below:
> >>>
> >>> foreach ($objuser in $AD)
> >>> {
> >>> foreach ($event in $events)
> >>> {
> >>> $P = $event.passwordlastset
> >>> $N = $event.callerusername
> >>> IF ($passwordlastsetobtainedfromADSI -eq $P) -and ($N -ine
> >>> $usersnameobtainedfromADSI)
> >>> {
> >>> write-host "$N" + " was the last person to change the password of "
> >>> +
> >>> "$usersnameobtainedfromADSI"
> >>> }
> >>> }
> >>> }
> >>> The problem I have is it will hit the first person who meets the
> >>> criteria and write as expected but also the same info for each and
> >>> every user thereafter - any help would be much appreciated as I have
> >>> tried a number of things all to no avail >
>
>