Find/Replace?

[Woolers]

Hi guys,

I'm using the following that i've cobbled together for helpdesk to get info on account lockouts... what I'm not too sure about is that when it outputs a specific servername (as 'Client Name'), i.e. OURISASERVER - I want it to replace that field with "Mobile Device"... I'm just not too sure how to do that in the following, can someone help at all?

(I've converted this to .exe with ps2exe so the password in it shouldn't be a problem as they can't see the code)

$Admin = "admindomain\adminaccount"
$Password = convertto-securestring "adminpwd" -asplaintext -force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $Admin, $Password
$user = Read-Host "Please enter User Name to look for?"
Write-Host "Searching, Please Wait..." -foregroundcolor "green"
Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCDomainController | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
Write-Host
Write-Host "Complete!" -foregroundcolor "green"
Write-Host
Write-Host Press Any Key to Quit... -foregroundcolor "Yellow"
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

 

[blister911]

Woolers,
I'm not sure I understand what you're wanting to do. Can you provide an output example?

However, from what I think I understand, I believe you need to store the results in a variable, then work with that.

Something like this:

$events = <your event-gathering code>
foreach ($event in $events)
{
 <look for the value you want to change and then change it>
}

Light travels faster than sound. That's why some people appear bright until you hear them speak.

 

[Woolers]

Hi Blister,

So this script grabs events from locked out user accounts & outputs the format as follows:

TimeCreated User Name Client Name
----------- --------- -----------
26/02/2016 07:51:05 lockeduser LockedOutMachine
26/02/2016 07:04:48 lockeduser LockedOutMachine
26/02/2016 06:10:05 lockeduser LockedOutMachine

The problem is that I would like to do a find/replace on the output of this line:

Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
Effectively if the output, as above is "LockedoutMachine" (which is a specific server) I want to replace it with "Mobile Device" for instance...

Hope that helps a little more..
Thank you.

 

[blister911]

Does this work for you?

$change_name = "LockedOutMachine"
$new_name = "Mobile Device"

$events = Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCDomainController | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}

foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

$events | ft
}

Light travels faster than sound. That's why some people appear bright until you hear them speak.

 

[Woolers]

Hi Blister,

That certainly looks like it will work! As soon as I come across a user that has been locked out via our ISA box I'll give it a try!

Many thanks for pointing me in the right direction!

 

[Woolers]

Hi Blister,

Just FYI, this seems to be working fine, however it's outputting twice now.... with the original machine, then the replaced name..

So the output looks like this

TimeCreated User Name Client Name
----------- --------- -----------
26/02/2016 07:51:05 lockeduser LockedOutMachine
26/02/2016 07:04:48 lockeduser LockedOutMachine
26/02/2016 06:10:05 lockeduser LockedOutMachine
26/02/2016 07:51:05 lockeduser Mobile Device
26/02/2016 07:04:48 lockeduser Mobile Device
26/02/2016 06:10:05 lockeduser Mobile Device

Don't suppose you have any idea at all?

 

[blister911]

What does your code look like?

You should have replaced:

Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCDomainController | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}

with

$change_name = "LockedOutMachine"
$new_name = "Mobile Device"

$events = Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCDomainController | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}

foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

$events | ft
}

Light travels faster than sound. That's why some people appear bright until you hear them speak.

 

[Woolers]

Hi blister!

Totally forgot about this until now! - Yes I'm afraid it still seems to be showing duplicates... I'm clearly not good with powershell!
Here's the code::

$change_name = "SERVER1"
$change_name2 = "SERVER2"
$change_name3 = "SERVER3"
$new_name = "O365 - Mobile Device/iPad/Android"
$new_name3 = "Mobile Device/iPad/Android"
$Admin = "domain\admin"
$Password = convertto-securestring "adminpwd" -asplaintext -force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $Admin, $Password
$user = Read-Host "Please enter User Name to look for?"
Write-Host "Searching, Please Wait..." -foregroundcolor "green"
$events =  Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCEMULATOR | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name2)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name3)
	{$event."Client Name" = $new_name3}

$events | ft
} 
Write-Host 
Write-Host "Complete!" -foregroundcolor "green"
Write-Host 
Write-Host Press Any Key to Quit... -foregroundcolor "Yellow"
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

Kind Regards
Woolers

 

[blister911]

This looks like it could be my mistake in the code I provided, earlier.

Try changing this:

foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name2)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name3)
	{$event."Client Name" = $new_name3}

[COLOR=#EF2929]$events | ft
}[/color]

To this:

foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name2)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name3)
	{$event."Client Name" = $new_name3}
[COLOR=#EF2929]}
$events | ft[/color]

Also, a switch statement may be better for you depending on the number of devices. You wouldn't have to go through all the if statements, then:

foreach ($event in $events)
{
 switch($event."Client Name")
	{
	 {($_ -eq $change_name) -OR ($_ -eq $change_name2)}
		{$event."Client Name" = $new_name; break}
	 {$_ -eq $change_name3}
		{$event."Client Name" = $new_name3; break}
	}
}
$events | ft

Light travels faster than sound. That's why some people appear bright until you hear them speak.

 

[Woolers]

Blister911

You Sir, are brilliant!! - it's now working like a charm.. I used the switch code in it & boom!

Thank you very much indeed!!


Woolers