On 32-bit Windows the Security log can be no larger than 512 MB; on 64-bit Windows the maximum Security log size was increased to 4 GB. So I want to share a script that checks the logs of the DCs and stores the following events in a ".csv" file:
1. user added to a group,
2. user removed from a group,
3. user created,
4. user deleted,
5. group created,
6. group deleted,
7. computer created
Beforehand, install the Active Directory module for PowerShell (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) and Log Parser 2.2 (http://www.microsoft.com/en-us/download/details.aspx?id=24659) on your computer. At the beginning of the script you need to specify the domain (in the example, "contoso.com").
You can schedule execution of the script, for example every 2 hours.
Download script
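# The AD module is loaded as a convenience only: DC discovery below goes through
# System.DirectoryServices directly, and no visible section calls an AD cmdlet,
# so a missing module is deliberately not fatal.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
# Domain whose DCs are audited - change "contoso.com" before scheduling the script.
$id = new-object 'System.DirectoryServices.ActiveDirectory.DirectoryContext'("domain", "contoso.com")
# Every DC of the domain; each one's Security log is queried separately below.
$dcs_id = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($id)
$LogParser = "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe"
# Fail fast: Start-Process on a missing binary would abort inside the first
# section with a far less obvious error.
if (-not (Test-Path -LiteralPath $LogParser -PathType Leaf))
{
    throw "LogParser.exe not found at $LogParser - install Log Parser 2.2 or adjust the path"
}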
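# Remove a per-run CSV that holds nothing but the header line, so that the next
# run's "newest CSV" lookup resumes from a file that has real timestamps in it.
#   $path - log file of the current run (Add-Content creates it even when no DC
#           returned any rows).
function DelLFile([string] $path)
{
    # The file is normally always present; tolerate a missing one instead of
    # letting Get-Content raise at the end of an otherwise successful section.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf))
    {
        write-host "Log file not found: $path"
        return
    }
    $LFile = get-content -LiteralPath $path | measure-object -line
    # Add-Content writes the header followed by a blank line; the author's
    # original -eq 1 check shows a header-only file measures as one line.
    # -le 1 additionally covers a zero-line (truncated) file.
    if ($LFile.lines -le 1)
    {
        write-host "Log file empty and deleted"
        Remove-Item -LiteralPath $path
    }
}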
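### Add User to group in domain ID
# Every section below follows the same pattern: find the newest CSV already in
# the section folder, take its latest TimeGenerated as the high-water mark, and
# ask Log Parser on every DC for events newer than that mark (incremental run).
$LastResults = $LastResults2 = $LastTime = $LogTime = $LogFolder = $LogFile = @()
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "AddUserToGorup_" + $LogTime + ".csv"
$LogFolder = ".\$($dcs_id.domain.name[0])\AddUserToGorup"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest existing CSV (if any) decides where this run resumes from.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults2 = import-csv $LastResults
    # NOTE(review): this is the maximum over events from all DCs, so a DC whose
    # clock lags the others can have events older than this mark skipped.
    $LastTime = ($LastResults2.timegenerated | Measure -Max).Maximum
}
Add-Content $LogFolder\$LogFile "TimeGenerated,Group,NewMember,AddedBy`n"
$LastTime
foreach ($dc_id in $dcs_id)
{
    # Windows 2000/2003 DCs write the legacy 3-digit event IDs; every later
    # server release uses the 4xxx IDs, so the modern query is the default
    # instead of being tied to "2008" (which silently skipped 2012+ DCs).
    if ($dc_id.OSVersion -match "200[03]")
    {
        $select = "SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group, RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS NewMember, RESOLVE_SID(SID) AS AddedBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (660;632;636)"
    }
    else
    {
        $select = "SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS NewMember,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,5,'|'),'{}%%','')) AS AddedBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (4728;4732;4756)"
    }
    # Incremental run: only events newer than the high-water mark.
    if ($LastTime) { $select += " AND timegenerated > '$($LastTime)'" }
    # Log Parser receives the whole statement as one quoted argument.
    $query = '"' + $select + '"'
    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LogParserStr
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed query (e.g. this DC's Security log could not be read) leaves the
    # CSV untouched, which looks exactly like "no events" without this check.
    if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode) while reading $($dc_id.Name)" }
}
DelLFile $LogFolder\$logfile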
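### Delete User from group in domain ID
# Reset the high-water mark: this section has its own CSV folder, and a
# $LastTime left over from the previous section would silently skip events
# whenever this folder has no earlier CSV of its own.
$LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "DelUserFromGorup_" + $LogTime + ".csv"
$LogFolder = ".\$($dcs_id.domain.name[0])\DelUserFromGroup"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest existing CSV (if any) decides where this run resumes from.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    # NOTE(review): maximum over events from all DCs; a DC whose clock lags the
    # others can have events older than this mark skipped.
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
Add-Content $LogFolder\$LogFile "TimeGenerated,Group,DelMember,DelBy`n"
foreach ($dc_id in $dcs_id)
{
    # Windows 2000/2003 DCs write the legacy 3-digit event IDs; every later
    # server release uses the 4xxx IDs, so the modern query is the default
    # instead of being tied to "2008" (which silently skipped 2012+ DCs).
    if ($dc_id.OSVersion -match "200[03]")
    {
        $select = "SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS DelMember,RESOLVE_SID(SID) AS DelBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (633;637;661)"
    }
    else
    {
        $select = "SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS DelMember,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,5,'|'),'{}%%','')) AS DelBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (4729;4733;4757)"
    }
    # Incremental run: only events newer than the high-water mark.
    if ($LastTime) { $select += " AND timegenerated > '$($LastTime)'" }
    # Log Parser receives the whole statement as one quoted argument.
    $query = '"' + $select + '"'
    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed query (e.g. this DC's Security log could not be read) leaves the
    # CSV untouched, which looks exactly like "no events" without this check.
    if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode) while reading $($dc_id.Name)" }
}
DelLFile $LogFolder\$logfile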
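### Create User in domain ID
# Reset the high-water mark: this section has its own CSV folder, and a
# $LastTime left over from the previous section would silently skip events
# whenever this folder has no earlier CSV of its own.
$LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "CreateUser_" + $LogTime + ".csv"
$LogFolder = ".\$($dcs_id.domain.name[0])\CreateUser"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest existing CSV (if any) decides where this run resumes from.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    # NOTE(review): maximum over events from all DCs; a DC whose clock lags the
    # others can have events older than this mark skipped.
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,UserLogin,DomainName,AdminLogin`n"
foreach ($dc_id in $dcs_id)
{
    # Windows 2000/2003 DCs write the legacy 3-digit event IDs (and carry the
    # acting admin in a different token); every later server release uses the
    # 4xxx IDs, so the modern query is the default instead of being tied to
    # "2008" (which silently skipped 2012+ DCs).
    if ($dc_id.OSVersion -match "200[03]")
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID=624"
    }
    else
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID=4720"
    }
    # Incremental run: only events newer than the high-water mark.
    if ($LastTime) { $select += " AND timegenerated > '$($LastTime)'" }
    # Log Parser receives the whole statement as one quoted argument.
    $query = '"' + $select + '"'
    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed query (e.g. this DC's Security log could not be read) leaves the
    # CSV untouched, which looks exactly like "no events" without this check.
    if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode) while reading $($dc_id.Name)" }
}
DelLFile $LogFolder\$logfile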
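### Delete User in domain ID
# Reset the high-water mark: this section has its own CSV folder, and a
# $LastTime left over from the previous section would silently skip events
# whenever this folder has no earlier CSV of its own.
$LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "DelUser_" + $LogTime + ".csv"
$LogFolder = ".\$($dcs_id.domain.name[0])\DelUser"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest existing CSV (if any) decides where this run resumes from.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    # NOTE(review): maximum over events from all DCs; a DC whose clock lags the
    # others can have events older than this mark skipped.
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,UserLogin,DomainName,AdminLogin`n"
foreach ($dc_id in $dcs_id)
{
    # Windows 2000/2003 DCs write the legacy 3-digit event IDs (and carry the
    # acting admin in a different token); every later server release uses the
    # 4xxx IDs, so the modern query is the default instead of being tied to
    # "2008" (which silently skipped 2012+ DCs).
    if ($dc_id.OSVersion -match "200[03]")
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID=630"
    }
    else
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID=4726"
    }
    # Incremental run: only events newer than the high-water mark.
    if ($LastTime) { $select += " AND timegenerated > '$($LastTime)'" }
    # Log Parser receives the whole statement as one quoted argument.
    $query = '"' + $select + '"'
    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed query (e.g. this DC's Security log could not be read) leaves the
    # CSV untouched, which looks exactly like "no events" without this check.
    if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode) while reading $($dc_id.Name)" }
}
DelLFile $LogFolder\$logfile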
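### Create Group in domain ID
# $i and $h are not referenced in this section; kept because the rest of the
# script is not visible here.
$i = 1
$h = "ON"
# Reset the high-water mark: this section has its own CSV folder, and a
# $LastTime left over from the previous section would silently skip events
# whenever this folder has no earlier CSV of its own.
$LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "CreateGroup_" + $LogTime + ".csv"
$LogFolder = ".\$($dcs_id.domain.name[0])\CreateGroup"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest existing CSV (if any) decides where this run resumes from.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    # NOTE(review): maximum over events from all DCs; a DC whose clock lags the
    # others can have events older than this mark skipped.
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,GroupName,AdminLogin`n"
foreach ($dc_id in $dcs_id)
{
    # Windows 2000/2003 DCs write the legacy 3-digit event IDs (and carry the
    # acting admin in a different token); every later server release uses the
    # 4xxx IDs, so the modern query is the default instead of being tied to
    # "2008" (which silently skipped 2012+ DCs).
    if ($dc_id.OSVersion -match "200[03]")
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (631;658;635)"
    }
    else
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (4727;4731;4754)"
    }
    # Incremental run: only events newer than the high-water mark.
    if ($LastTime) { $select += " AND timegenerated > '$($LastTime)'" }
    # Log Parser receives the whole statement as one quoted argument.
    $query = '"' + $select + '"'
    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed query (e.g. this DC's Security log could not be read) leaves the
    # CSV untouched, which looks exactly like "no events" without this check.
    if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode) while reading $($dc_id.Name)" }
}
DelLFile $LogFolder\$logfile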
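### Delete Group in domain ID
# Reset the high-water mark: this section has its own CSV folder, and a
# $LastTime left over from the previous section would silently skip events
# whenever this folder has no earlier CSV of its own.
$LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "DelGroup_" + $LogTime + ".csv"
$LogFolder = ".\$($dcs_id.domain.name[0])\DelGroup"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest existing CSV (if any) decides where this run resumes from.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    # NOTE(review): maximum over events from all DCs; a DC whose clock lags the
    # others can have events older than this mark skipped.
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,GroupName,AdminLogin`n"
foreach ($dc_id in $dcs_id)
{
    # Windows 2000/2003 DCs write the legacy 3-digit event IDs (and carry the
    # acting admin in a different token); every later server release uses the
    # 4xxx IDs, so the modern query is the default instead of being tied to
    # "2008" (which silently skipped 2012+ DCs).
    if ($dc_id.OSVersion -match "200[03]")
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (634;638;662)"
    }
    else
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (4730;4734;4758)"
    }
    # Incremental run: only events newer than the high-water mark.
    if ($LastTime) { $select += " AND timegenerated > '$($LastTime)'" }
    # Log Parser receives the whole statement as one quoted argument.
    $query = '"' + $select + '"'
    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed query (e.g. this DC's Security log could not be read) leaves the
    # CSV untouched, which looks exactly like "no events" without this check.
    if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode) while reading $($dc_id.Name)" }
}
DelLFile $LogFolder\$logfile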
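### Create PC in domain ID
# Reset the high-water mark: this section has its own CSV folder, and a
# $LastTime left over from the previous section would silently skip events
# whenever this folder has no earlier CSV of its own.
$LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "CreatePC_" + $LogTime + ".csv"
$LogFolder = ".\$($dcs_id.domain.name[0])\CreatePC"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest existing CSV (if any) decides where this run resumes from.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    # NOTE(review): maximum over events from all DCs; a DC whose clock lags the
    # others can have events older than this mark skipped.
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,PCName,DomainName,AdminLogin`n"
foreach ($dc_id in $dcs_id)
{
    # Windows 2000/2003 DCs write the legacy 3-digit event IDs (and carry the
    # acting admin in a different token); every later server release uses the
    # 4xxx IDs, so the modern query is the default instead of being tied to
    # "2008" (which silently skipped 2012+ DCs).
    if ($dc_id.OSVersion -match "200[03]")
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as PCName,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID = 645"
    }
    else
    {
        $select = "SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as PCName,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID = 4741"
    }
    # Incremental run: only events newer than the high-water mark.
    if ($LastTime) { $select += " AND timegenerated > '$($LastTime)'" }
    # Log Parser receives the whole statement as one quoted argument.
    $query = '"' + $select + '"'
    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed query (e.g. this DC's Security log could not be read) leaves the
    # CSV untouched, which looks exactly like "no events" without this check.
    if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode) while reading $($dc_id.Name)" }
}
DelLFile $LogFolder\$logfile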