{"id":8132,"date":"2021-02-05T16:12:38","date_gmt":"2021-02-05T21:12:38","guid":{"rendered":"https:\/\/jdhitsolutions.com\/blog\/?p=8132"},"modified":"2021-02-05T16:12:44","modified_gmt":"2021-02-05T21:12:44","slug":"searching-active-directory-logs-with-powershell","status":"publish","type":"post","link":"https:\/\/jdhitsolutions.com\/blog\/powershell\/8132\/searching-active-directory-logs-with-powershell\/","title":{"rendered":"Searching Active Directory Logs with PowerShell"},"content":{"rendered":"\n<div class=\"wp-block-image is-style-default\"><figure class=\"alignleft size-large is-resized\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/UserAccount_UserAccountC01.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/UserAccount_UserAccountC01.png\" alt=\"\" class=\"wp-image-8133\" width=\"201\" height=\"193\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/UserAccount_UserAccountC01.png 402w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/UserAccount_UserAccountC01-300x288.png 300w\" sizes=\"auto, (max-width: 201px) 100vw, 201px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>The last few weeks, I've been spending time with Active Directory and automating management tasks with PowerShell. If you go back a page or two of posts, you'll see some of the scripts and functions I've shared. Today, I want to address something that has come up in recent comments related to tracking changes in Active Directory. A logical question is, \"Who made the change?\". I would also want to know \"What did they change?\" PowerShell alone can't get all of these answers. And if you run any decent size Active Directory infrastructure, I would hope you would invest in enterprise-grade management tools. The code I'm sharing is fine for small shops who have no choice but to do their own thing. 
Or for situations where you need to fill in a gap and address a short-term problem.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Event Log Digging<\/h2>\n\n\n\n<p>To get the information you want about who is making changes in Active Directory, you will have to dig into event logs. Specifically, you need to query the Security event log. And to be even more specific, you need to query the Security event log on the domain controller that processed the change. When an administrator enables a user account on DOM1, an entry is made in the Security event log on DOM1. Obviously, you won't see the change in the Security event log on DOM2.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>My premise, and the code I'll be showing you, assumes the default event log settings on Windows servers. If you are forwarding logs or managing them with a third-party solution, you'll need to take that into account when looking at my code. The information I'm going to show you is in the Security event log and it is server specific. How you manage these logs is up to you.<\/p><\/blockquote>\n\n\n\n<p>Before I dig deeper, a quick caveat. Every organization has its own policies and procedures for event log management. You can only query for Active Directory-related changes if the information hasn't been flushed from the Security event log. This means you might need to make sure your log files are large enough to meet your needs. In my test domain, I ran this command to increase the size to 1 GB.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Limit-EventLog -LogName Security -ComputerName dom2,dom1 -MaximumSize 1024MB<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">User Management Events<\/h2>\n\n\n\n<p>I'm going to focus on user management events. Each type of event is connected to an event ID. 
Here's a cheater hashtable I use.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\"># a hashtable of user management event IDs for the Security event log\n$ADEvent = @{\n   UserChanged  = 4738\n   UserCreated  = 4720\n   UserDeleted  = 4726\n   UserEnabled  = 4722\n   UserDisabled = 4725\n}<\/code><\/pre>\n\n\n\n<p>When you manage an AD user account, you might get multiple log entries for the same activity. For example, if you create a user account and enable it, you'll most likely see a UserCreated and a UserEnabled event, and probably a UserChanged as well. Keep that in mind.<\/p>\n\n\n\n<p>To query the event log, I'm going to suggest you learn how to use Get-WinEvent. It offers more querying flexibility, is a little bit faster (I think), and when you get to PowerShell 7 it is the only tool you'll have. I'll count on you to read the help and examples. In the meantime, here's a sample.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 4720; StartTime = \"2\/1\/2021\"} -ComputerName dom1<\/code><\/pre>\n\n\n\n<p>This is querying for all user creation events on DOM1 that have been recorded since Feb. 
1, 2021.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-winevent-ad.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"259\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-winevent-ad-1024x259.png\" alt=\"\" class=\"wp-image-8134\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-winevent-ad-1024x259.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-winevent-ad-300x76.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-winevent-ad-768x194.png 768w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-winevent-ad-1536x389.png 1536w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-winevent-ad-850x215.png 850w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-winevent-ad.png 1781w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Let's dive into the message detail.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"672\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail-1024x672.png\" alt=\"\" class=\"wp-image-8135\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail-1024x672.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail-300x197.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail-768x504.png 768w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail-1536x1008.png 1536w, 
https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail-350x230.png 350w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail-850x558.png 850w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/message-detail.png 1715w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>The event log entry will show the Subject, the account that is responsible for the activity, and the Target. In this case it looks like Company\\Administrator created Company\\L.Kuja. I have no idea where that account was created but I can always look that up with Get-ADUser.<\/p>\n\n\n\n<p>While I have this up, I also want to point out the attribute list. When a user account is modified, these are the only attributes that are captured in the event log. If I change a user's Department or Title, that does not get captured by the Security event log. If this kind of audit trail is important to you, that's why you look to third-party management products.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Get-ADUserAudit<\/h2>\n\n\n\n<p>With these limitations in mind, I wrote a PowerShell function called Get-ADUserAudit. 
It has parameters to build a search on one or more domain controllers for different types of user management events that have been logged since a given time.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Get-ADUserAudit -event created,deleted -since \"2\/1\/2021\"<\/code><\/pre>\n\n\n\n<p>The default behavior is to search all replica domain controllers.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"676\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1-1024x676.png\" alt=\"\" class=\"wp-image-8136\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1-1024x676.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1-300x198.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1-768x507.png 768w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1-1536x1014.png 1536w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1-350x230.png 350w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1-850x561.png 850w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-1.png 1540w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>The function writes a custom object to the pipeline that has a default custom format view. Let me briefly explain the output. The DomainController, Since and EventType properties should be self-evident. The Targets property is a collection of all user accounts that were identified for a particular event. TargetCount is a quick way to see how many user accounts were affected. 
In other words, since Feb 1, 5 user accounts were created (or at least logged) on DOM1. Administrators shows all of the admin accounts associated with the events. So in the same period, Administrator, AprilS and ArtD created the accounts. The result won't tell you which administrator created which user account. You'd have to dig back into the event log to get that information.<\/p>\n\n\n\n<p>Of course, you can customize results however you'd like.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Get-ADUserAudit -event created,deleted,enabled,disabled -outvariable a | sort-object eventtype | format-table -GroupBy eventtype -Property since,domaincontroller,targetcount<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"429\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-2-1024x429.png\" alt=\"\" class=\"wp-image-8137\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-2-1024x429.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-2-300x126.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-2-768x322.png 768w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-2-1536x643.png 1536w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-2-850x356.png 850w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Or here's a way to summarize events.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">$a | group-object eventtype -ov b | select-object @{Name=\"Since\";Expression={$a[0].Since}},Name,@{Name=\"Total\";Expression = { 
($_.group.targetcount | measure-object -sum).sum}}<\/code><\/pre>\n\n\n\n<p>$A is the saved result from my earlier command.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"177\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-3-1024x177.png\" alt=\"\" class=\"wp-image-8138\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-3-1024x177.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-3-300x52.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-3-768x133.png 768w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-3-1536x266.png 1536w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-3-2048x355.png 2048w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-3-850x147.png 850w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>If this was something I wanted to run often, I would create a control script to save some typing. I could even take it further, because I can't help myself, and set it up as a scheduled job to create an HTML version and email it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Where's the Code?<\/h2>\n\n\n\n<p>If you would like to see how I did all of this, or grab the code so you can try it out yourself, you can download the files from <a href=\"https:\/\/gist.github.com\/jdhitsolutions\/a4e6291741ec95e3bfe53f15a380da47\" target=\"_blank\" rel=\"noreferrer noopener\">this Github gist<\/a>. 
On a related note, you might also be interested in the <a href=\"http:\/\/bit.ly\/314L8W9\" target=\"_blank\" rel=\"noreferrer noopener\">Convert-EventLogRecord<\/a> command, which is part of the PSScriptTools module. This command makes it easier to parse out information from event log records.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 4720; StartTime = \"2\/1\/2021\"} -ComputerName dom2 |\nConvert-EventLogRecord |\nFormat-Table -GroupBy ComputerName -Property ID, TimeCreated,\n@{Name = \"Admin\"; Expression = { \"$($_.SubjectDomainName)\\$($_.SubjectUserName)\" } },\n@{Name = \"Account\"; Expression = { (Get-ADUser $_.SamAccountName).DistinguishedName } }<\/code><\/pre>\n\n\n\n<p>Now I can clearly see which administrator created which account.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"221\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-4-1024x221.png\" alt=\"\" class=\"wp-image-8140\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-4-1024x221.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-4-300x65.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-4-768x166.png 768w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-4-850x184.png 850w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/02\/get-aduseraudit-4.png 1486w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>Let me know what you think or if any of this is 
helpful.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[7,4,8,62],"tags":[226,263,534],"class_list":["post-8132","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-powershell","category-scripting","category-security","tag-eventlog","tag-get-winevent","tag-powershell"],"yoast_head_json":{"title":"Searching Active Directory Logs with PowerShell &#8226; The Lonely Administrator","description":"Here's how I'm querying Active Directory domain controllers with PowerShell to track user management events in the Security event log.","canonical":"https:\/\/jdhitsolutions.com\/blog\/powershell\/8132\/searching-active-directory-logs-with-powershell\/","article_published_time":"2021-02-05T21:12:38+00:00","article_modified_time":"2021-02-05T21:12:44+00:00","author":"Jeffery Hicks"}}
There are a number of ways to handle this, especially from PowerShell naturally, so I tweeted one way in a series of tweets. But that's a hard way to learn something,\u2026","rel":"","context":"In &quot;Active Directory&quot;","block_context":{"text":"Active Directory","link":"https:\/\/jdhitsolutions.com\/blog\/category\/active-directory\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2988,"url":"https:\/\/jdhitsolutions.com\/blog\/active-directory\/2988\/techdays-sf-presentations\/","url_meta":{"origin":8132,"position":5},"title":"TechDays SF Presentations","author":"Jeffery Hicks","date":"May 6, 2013","format":false,"excerpt":"Last week I presented a number of sessions at TechDays in beautiful San Francisco. Met some great people and had a great time. I presented 4 talks, almost all of them PowerShell-related. Actually, they all had some type of PowerShell content. I'm happy to share my session slides and PowerShell\u2026","rel":"","context":"In &quot;Active Directory&quot;","block_context":{"text":"Active 
Directory","link":"https:\/\/jdhitsolutions.com\/blog\/category\/active-directory\/"},"img":{"alt_text":"TechDays_logo250","src":"https:\/\/i0.wp.com\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/05\/TechDays_logo250.gif?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts\/8132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/comments?post=8132"}],"version-history":[{"count":0,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts\/8132\/revisions"}],"wp:attachment":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/media?parent=8132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/categories?post=8132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/tags?post=8132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}