Assuming you have the distinguishedName in your hand (or, in a variable
called, say, $dn) then another approach would be to:

 

$user = get-aduser $dn

$user.sAMAccountName

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Michael B. Smith
Sent: Thursday, July 28, 2016 3:55 pm
To: [email protected]
Subject: [powershell] RE: Parsing Event Log XML and RegEx Issue:

 

I would do this, this way. But different strokes, different folks.

 

Just a couple comments:

 

# Export-Clixml output: the event message text lives under Objs.Obj.MS.S
[xml]$xml = gc .\ExampleEvent.xml
$result = $xml.Objs.Obj.MS.S.'#text'

# Undo the XML-escaped CR, LF and TAB characters in the message
$result = $result.Replace( '_x000D_', "`r" ).Replace( '_x000A_', "`n" ).Replace( '_x0009_', "`t" )

$result
A member was added to a security-enabled global group.

Subject:
        Security ID:            S-1-5-21-335783171-3454459487-4016881208-105143
        Account Name:           AdminTest
        Account Domain:         DOMAIN
        Logon ID:               0x49856394

Member:
        Security ID:            S-1-5-21-335783171-3454459487-4016881208-140732
        Account Name:           CN=SmithTest\, John,OU=Test OU,DC=domain,DC=org

Group:
        Security ID:            S-1-5-21-335783171-3454459487-4016881208-140733
        Group Name:             Test User Add Group
        Group Domain:           DOMAIN

Additional Information:
        Privileges:             -

 

Parsing $result is a trivial exercise left for the reader. :)

 

In regards to processing SIDs:

 

function ConvertTo-DomainUser
{
    Param(
        [Parameter( Mandatory = $true ) ]
        [string] $sid
    )

    # Build a SID object from the string form (S-1-5-21-...)
    $objSID  = New-Object System.Security.Principal.SecurityIdentifier( $sid )

    # Ask LSA to map the SID to a DOMAIN\account name
    $objUser = $objSID.Translate( [System.Security.Principal.NTAccount] )

    $objUser.Value
}

 

Enjoy!

 

From: [email protected] [mailto:[email protected]] On Behalf Of Orlebeck, Geoffrey
Sent: Thursday, July 28, 2016 4:46 PM
To: '[email protected]'
Subject: [powershell] Parsing Event Log XML and RegEx Issue:

 

All:

 

I was attempting to monitor several sensitive AD groups for user
additions/removals. I ended up configuring our monitoring solution to handle
it, but I feel I was 95% of the way there with PowerShell. Because I spent
so much time I want to see this through to the end. I'm attempting to pull
this type of information directly from the Security Event Log on our DCs. I
have been able to retrieve the majority of the information I want but I am
failing to convert the distinguished name of the user into their
SamAccountname. I am attempting to gather the following information to pass
back to me: Date, Domain Controller, SamAccountname added, SamAccountname
performing the add, and the group name user was added to.

 

Here is the part of my script that gathers the relevant information I'm
looking for:

 

 

# Gather security event info
[xml]$xml = Get-Content C:\Testevent.xml

# Event Time
$Time = $xml.Objs.Obj.Props.DT.'#text'
$Date = (Get-Date $Time -Format g)

# DC Logging Event
$SrvObj = $xml.Objs.Obj.Props.S | Where-Object { $_.N -like "MachineName" }
$Server = $SrvObj.'#text'

# Store properties of Event Data
$GroupObject = $xml.Objs.obj.props.Obj | Where-Object { $_.N -like "Properties" }

# Output
$Properties = @{
    Date      = $Date
    Server    = $Server
    Group     = $GroupObject.lst.Obj[2].Props.s.'#text'
    AddedBy   = $GroupObject.lst.Obj[6].Props.s.'#text'
    UserAdded = $GroupObject.lst.obj[0].props.s.'#text'
}

# Store properties in Custom PSObject
$Obj = New-Object -TypeName PSObject -Property $Properties

 

My output looks like this:



 

Where I am having an issue is $GroupObject.lst.obj[0].props.s.'#text'
returns the following:

CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org 

 

However, when I do a Get-ADUser, the distinguished name is like this:

CN=JS1234,CN=Users,OU=Example Department,DC=domain,DC=org 

 

So I cannot simply filter based on the returned output because it doesn't
match the DN returned by Get-ADUser. My initial thought was to take
"$GroupObject.lst.obj[0].props.s.'#text'" and via regular expressions get
Firstname, Lastname, and OU. I should be able to leverage splatting on the
filter command for Get-ADUser and extract the SamAccountname. The regular
expression is where I am failing. I am able to grab the last name, but
outputting just the first name and then just the OU is where I have not been
successful. Having the "\," after SmithTest is what's tripping me up when I
try to remove "CN=SmithTest\, John,".

 

If anyone has regex guidance or alternative ideas on how to accomplish the
above (for instance, I get the ObjectSID, but I have also failed to convert
that into SamAccountname), I'm open to seeing how others would tackle this. I'm
including the XML file containing a single event I have been using to test
in case it's helpful.

 

Thank you.
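An added example, not code from the thread, covering both the parsing Michael leaves to the reader and Geoffrey's DN question: it splits the message text in $result into Subject/Member/Group fields and resolves a SID with a guarded version of the Translate call above. The sample message and its SIDs are constructed, and the commented Get-ADUser line assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the thread): parse the $result message text into fields; sample data below is constructed.
function ConvertFrom-GroupMemberAddedMessage {
    Param([Parameter(Mandatory = $true)][string] $Message)
    # Section headings ("Subject:") are flush left; fields are indented
    # "Key:   Value" lines. Collect them as "Section.Key" -> Value.
    $fields  = @{}
    $section = ''
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^(\S[^:]*):\s*$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^\s+([^:]+):\s*(.*)$') {
            $fields["$section.$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    [PSCustomObject]@{
        SubjectSid  = $fields['Subject.Security ID']
        SubjectName = $fields['Subject.Account Name']
        MemberSid   = $fields['Member.Security ID']
        MemberDN    = $fields['Member.Account Name']   # escaped DN, "\," kept as-is
        GroupSid    = $fields['Group.Security ID']
        GroupName   = $fields['Group.Group Name']
    }
}

function Resolve-SidOrNull {
    Param([Parameter(Mandatory = $true)][string] $Sid)
    # Translate throws IdentityNotMappedException for SIDs the DC cannot map
    # (deleted accounts, foreign-domain SIDs); return $null instead of failing.
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] { $null }
}

# Constructed sample shaped like the $result output in the thread (SIDs are made up).
$sample = @"
A member was added to a security-enabled global group.
Subject:
    Security ID:    S-1-5-21-1111111111-2222222222-3333333333-1001
    Account Name:   AdminTest
Member:
    Security ID:    S-1-5-21-1111111111-2222222222-3333333333-1002
    Account Name:   CN=SmithTest\, John,OU=Test OU,DC=domain,DC=org
Group:
    Security ID:    S-1-5-21-1111111111-2222222222-3333333333-1003
    Group Name:     Test User Add Group
"@
$parsed = ConvertFrom-GroupMemberAddedMessage -Message $sample
$parsed | Add-Member NoteProperty MemberResolved (Resolve-SidOrNull $parsed.MemberSid) -PassThru
# The escaped DN is a valid -Identity value, so no regex is needed (needs the ActiveDirectory module):
# (Get-ADUser -Identity $parsed.MemberDN).SamAccountName
```

Against a real export, feed the cleaned $result from Michael's snippet to ConvertFrom-GroupMemberAddedMessage instead of $sample; the unmapped constructed SIDs simply yield $null for MemberResolved.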
