Use PowerShell to Audit Logon Authentication Type

Want to know which authentication mechanism is used when users log on to your servers? This script pulls that information from the Security event log (event ID 4624, "An account was successfully logged on") to determine how users are being authenticated, for example Kerberos versus NTLM. It uses Get-WinEvent with the -FilterXPath parameter. That parameter, and what the numeric logon type codes translate to, are two things I have not seen much documentation on. The script sorts by server name in ascending order and then by time in descending order.

I've trimmed part of the Time and Server Name columns off the sides of the image below so that it displays properly on this blog.

[Image v-kerb1: the script's output, sorted by server name and then by time]

By default, most of this information is returned as part of the "Message" property, which is a single string, and individual items cannot be retrieved from it directly:

[Image v-kerb2: the Message property of an event ID 4624 record]

The "Properties" collection gives access to the individual values. Here's how I determined which position each of the properties I wanted to use was in:

[Image v-kerb3: the Properties collection of an event ID 4624 record, with index positions]

As you can see, the values in the collection shown in the image above line up with what the script retrieves, which is shown in the image below:

[Image v-kerb4: the values retrieved by the script]
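Rather than counting positions in the Properties collection by eye, the event's own XML (the same text the XML View tab shows) can be lined up against it, because the EventData/Data elements appear in the same order as the Properties entries. The following is an added example, not the post's script; the function name Get-EventPropertyMap is an assumption, and it assumes an elevated local session, since the Security log is not readable by a standard user:

```powershell
# Added example (not the post's script): list each Properties[] index of a
# 4624 event alongside the field name from the event's XML, so that the index
# a script uses (Properties[8] = LogonType, Properties[10] =
# AuthenticationPackageName) is taken from the event itself rather than guessed.
# Get-EventPropertyMap is a name chosen for this example.

function Get-EventPropertyMap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )

    # ToXml() returns the same XML that the XML View tab in Event Viewer shows.
    # PowerShell's XML adapter ignores the event schema namespace, so the
    # elements can be walked by name.
    $xml  = [xml]$Event.ToXml()
    $data = @($xml.Event.EventData.Data)

    # EventData/Data elements and the Properties collection are in the same order.
    for ($i = 0; $i -lt $data.Count; $i++) {
        [pscustomobject]@{
            Index = $i
            Name  = $data[$i].Name            # the Data element's Name attribute
            Value = $Event.Properties[$i].Value
        }
    }
}

# Usage: map the most recent local 4624 event (elevated session required).
$latest = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624)]]" -MaxEvents 1
Get-EventPropertyMap -Event $latest | Format-Table -AutoSize
```

Newer Windows versions append extra fields to the end of the 4624 event data, so the indexes used in the post (5, 8, 10, 11, 18) stay valid, but running this against a sample event from each OS version you audit is a cheap way to confirm that before trusting the output.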

To determine what value to use with the -FilterXPath parameter, I searched the Security event log for Event ID 4624 and used the information from the XML View tab in Event Viewer, as shown in the image below:
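The element names on the XML View tab are also what an EventData predicate in the XPath needs, so the filter can be made more selective than the event ID alone. The following is an added example, not the post's Verify-Kerberos.ps1: it builds the XPath from those names, maps the numeric logon type to its documented name, and flags logons that used NTLM or sent a cleartext password (logon type 8). The function name Get-LogonAuthAudit, its parameter names, the REVIEW flag heuristic, and the server names Server01 and Server02 are assumptions:

```powershell
# Added example, not the post's Verify-Kerberos.ps1. Function and parameter
# names, the REVIEW heuristic and the server names in the usage lines are
# assumptions made for this example.

# Logon type codes recorded in the LogonType field of event 4624.
$LogonTypeName = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'        # password sent in the clear to this server
    9  = 'NewCredentials'          # RunAs /netonly
    10 = 'RemoteInteractive'       # RDP
    11 = 'CachedInteractive'
    12 = 'CachedRemoteInteractive'
    13 = 'CachedUnlock'
}

function Get-LogonAuthAudit {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 100,
        # Optional server-side filter on the AuthenticationPackageName field.
        [ValidateSet('Kerberos', 'NTLM', 'Negotiate')]
        [string]$AuthenticationPackage
    )

    # The System predicate selects the event ID. The EventData predicate uses the
    # Data Name attributes visible on the XML View tab, so the filtering happens
    # on the server and only matching events cross the wire.
    $xpath = "*[System[(EventID=4624)]]"
    if ($AuthenticationPackage) {
        $xpath += " and *[EventData[Data[@Name='AuthenticationPackageName']='$AuthenticationPackage']]"
    }

    foreach ($Computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
            ForEach-Object {
                $p    = $_.Properties           # same order as EventData/Data in the XML
                $type = [int]$p[8].Value        # LogonType
                $auth = [string]$p[10].Value    # AuthenticationPackageName

                if ($LogonTypeName.ContainsKey($type)) { $typeName = $LogonTypeName[$type] }
                else                                   { $typeName = "Unknown ($type)" }

                # NTLM where Kerberos is expected, or a cleartext network logon, is worth a look.
                if ($auth -eq 'NTLM' -or $type -eq 8) { $flag = 'REVIEW' } else { $flag = '' }

                [pscustomobject]@{
                    Time             = $_.TimeCreated
                    'Server Name'    = $_.MachineName
                    'User Name'      = "$($p[6].Value)\$($p[5].Value)"   # TargetDomainName\TargetUserName
                    'Logon Type'     = $typeName
                    Authentication   = $auth
                    Flag             = $flag
                    'Client Name'    = $p[11].Value   # WorkstationName
                    'Client Address' = $p[18].Value   # IpAddress ('-' for local logons)
                }
            }
        }
        catch {
            # Typical causes: the Security log needs Event Log Readers membership or an
            # elevated session; remote RPC is blocked; no matching events on that server.
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
    }
}

# Usage: recent logons on two (hypothetical) servers, ascending by server and
# newest first within each server, then only the NTLM logons on one of them.
Get-LogonAuthAudit -ComputerName 'Server01', 'Server02' |
    Sort-Object 'Server Name', @{Expression = 'Time'; Descending = $true} |
    Format-Table -AutoSize

Get-LogonAuthAudit -ComputerName 'Server01' -AuthenticationPackage 'NTLM' | Format-Table -AutoSize
```

The -LogName Security argument matters: without it Get-WinEvent applies the XPath across every log, which is slow and is the usual reason remote queries against newer servers fail or return nothing. Sorting on TimeCreated rather than on a formatted string keeps the descending order correct across day boundaries.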

Want a copy of this script? Download it from the Microsoft TechNet Script Repository.


8 Comments

  1. brujah10

    Reblogged this on Network and System Blog and commented:
    Nice PowerShell script.

  2. Jeff Wouters

    Nice one! You could even make it faster by using Foreach instead of Foreach-Object…

    # Inside a foreach statement the current item is $Computer, not $_. The post's
    # script reads event ID 4624 from the Security log, so the same ID and log are
    # used here. A foreach statement cannot be piped directly (PowerShell reports
    # "An empty pipe element is not allowed"), hence the $( ) wrapper around it.
    # Get-LogonTypeName is the helper function defined in the post's script.
    $(foreach ($Computer in $ComputerName) {
        Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath "*[System[(EventID=4624)]]" |
            Select-Object @{Name='Time';e={$_.TimeCreated.ToString('g')}},
                @{l='Logon Type';e={Get-LogonTypeName $_.Properties[8].Value}},
                @{l='Authentication';e={$_.Properties[10].Value}},
                @{l='User Name';e={$_.Properties[5].Value}},
                @{l='Client Name';e={$_.Properties[11].Value}},
                @{l='Client Address';e={$_.Properties[18].Value}},
                @{l='Server Name';e={$_.MachineName}}
    }) | Sort-Object @{e='Server Name';Descending=$false}, @{e='Time';Descending=$true}

    Secondly, by introducing PowerShell Workflow (v3 only!) you can execute the code parallel instead of in sequence, which makes it yet even faster… 🙂

    workflow Get-Events {
        param([string[]]$ComputerName)
        foreach -parallel ($Computer in $ComputerName) {
            # Script blocks (the calculated properties) are not supported directly in
            # workflow code, so the query runs inside an InlineScript. The post's
            # Get-LogonTypeName helper is not available there, so the numeric logon
            # type is returned and can be mapped to a name afterwards.
            InlineScript {
                Get-WinEvent -ComputerName $Using:Computer -LogName Security -FilterXPath "*[System[(EventID=4624)]]" |
                    Select-Object @{Name='Time';e={$_.TimeCreated.ToString('g')}},
                        @{l='Logon Type';e={$_.Properties[8].Value}},
                        @{l='Authentication';e={$_.Properties[10].Value}},
                        @{l='User Name';e={$_.Properties[5].Value}},
                        @{l='Client Name';e={$_.Properties[11].Value}},
                        @{l='Client Address';e={$_.Properties[18].Value}},
                        @{l='Server Name';e={$_.MachineName}}
            }
        }
    }
    # The output of foreach -parallel cannot be piped inside the workflow ("An empty
    # pipe element is not allowed"), so the workflow's output is sorted instead.
    Get-Events -ComputerName $ComputerName | Sort-Object @{e='Server Name';Descending=$false}, @{e='Time';Descending=$true}

    • Dan

      Using your workflow code results in a “empty pipe element is not allowed” error for me pointing to the pipe right before the last sort-object command.

  3. Dan

    Hi,

    I get the error "Get-WinEvent : Attempted to perform an unauthorized operation."

    Can you help?

  4. Daniel Matei

    It's not working for me. I get:
    Get-Winevent : The data is invalid
    At C:\temp\mac\Verify-Kerberos.ps1:46 char:33
    + $ComputerName | ForEach-Object {Get-Winevent -Computer $_ -MaxEvents $Records -F …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
    + FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand

    Get-Winevent : No events were found that match the specified selection criteria.
    At C:\temp\mac\Verify-Kerberos.ps1:46 char:33
    + $ComputerName | ForEach-Object {Get-Winevent -Computer $_ -MaxEvents $Records -F …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

  5. VCSekhar Parepalli

    I get the same issue as Daniel Matei above.

  6. Ericstl

    I get the same as Daniel Matei and VCSekhar, but only when I run it against a Server 2012 / 2012 R2 machine.

  7. Marc

    I also had the "Verify-Kerberos.ps1:46 char:33" error. It looks like in Win2012 there is a limit on the events that can be searched.
    I added "-LogName Security" to line 43 and it worked.

    Line 43:
    $ComputerName | ForEach-Object {Get-WinEvent -LogName Security -ComputerName $_ -MaxEvents $Records -FilterXPath "*[System[(EventID=4624)]]" |

