Want to know which authentication package (Kerberos or NTLM) is being used when users log on to your servers? This script pulls the logon events (Event ID 4624) from the Security event log of each server and reports the logon type and authentication package for each one. It uses Get-WinEvent with the -FilterXPath parameter. That parameter, and what the numeric logon type codes translate to, are two things I haven't seen much documentation on. The script sorts by server name in ascending order and then by time in descending order.
```powershell
<#
.SYNOPSIS
Verify-Kerberos

.DESCRIPTION
Verify-Kerberos is used to pull the logon events from the event log of specific servers to determine what type of authentication mechanism is being used. Examples are NTLM and Kerberos.

.PARAMETER ComputerName
Specify remote server names to check.
Default: The Local Computer

.PARAMETER Records
Specify the maximum number of events to be retrieved from each computer.
Default: 10

.EXAMPLE
.\Verify-Kerberos.ps1 -ComputerName server1 | Format-Table -AutoSize

Retrieve 10 logon events from server1 and display them on the screen in a table.

.EXAMPLE
.\Verify-Kerberos.ps1 -ComputerName server1, server2 -Records 30 | Export-Csv -NoTypeInformation -Path d:\tmp\voyager-kerberos_test.csv

Retrieve 30 logon events from server1 and 30 from server2. Save the results as a CSV file located in the specified path.

.NOTES
LastModified: 5/30/2012
Author: Mike F Robbins
#>

param (
    $ComputerName = $Env:ComputerName,
    $Records = 10
)

function Get-LogonTypeName {
    Param($LogonTypeNumber)
    # Translate the numeric LogonType field of event 4624 into its name
    switch ($LogonTypeNumber) {
        0 {"System"; break;}
        2 {"Interactive"; break;}
        3 {"Network"; break;}
        4 {"Batch"; break;}
        5 {"Service"; break;}
        6 {"Proxy"; break;}
        7 {"Unlock"; break;}
        8 {"NetworkCleartext"; break;}
        9 {"NewCredentials"; break;}
        10 {"RemoteInteractive"; break;}
        11 {"CachedInteractive"; break;}
        12 {"CachedRemoteInteractive"; break;}
        13 {"CachedUnlock"; break;}
        default {"Unknown"; break;}
    }
}

# -LogName Security is required: without it Get-WinEvent searches every log on the
# target, which fails with "The data is invalid" on Windows Server 2012 (see the comments).
# Properties positions in a 4624 event: 5 TargetUserName, 8 LogonType,
# 10 AuthenticationPackageName, 11 WorkstationName, 18 IpAddress.
$ComputerName | ForEach-Object {
    Get-WinEvent -LogName Security -ComputerName $_ -MaxEvents $Records -FilterXPath "*[System[(EventID=4624)]]" |
    Select-Object @{Name='Time';e={$_.TimeCreated.ToString('g')}},
        @{l="Logon Type";e={Get-LogonTypeName $_.Properties[8].Value}},
        @{l='Authentication';e={$_.Properties[10].Value}},
        @{l='User Name';e={$_.Properties[5].Value}},
        @{l='Client Name';e={$_.Properties[11].Value}},
        @{l='Client Address';e={$_.Properties[18].Value}},
        @{l='Server Name';e={$_.MachineName}}
} | Sort-Object @{e="Server Name";Descending=$false}, @{e="Time";Descending=$true}
```
I’ve trimmed part of the time and server name columns off the sides of the image below to make it display properly on this blog. Click on the images to display them completely.
```powershell
.\Verify-Kerberos.ps1 -ComputerName mail, web1, vmhost | ft -auto
```
By default, most of this information is returned as part of the "Message" property, which is a single formatted string; the individual values cannot be retrieved from it as separate properties:
```powershell
Get-WinEvent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]" | fl
```
The “Properties” collection allows access to the individual values. Here’s how I determined what position the properties I wanted to use were in:
```powershell
(Get-WinEvent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]").Properties
```
As you can see, the values in the collection shown in the image above line up with what the script retrieves which is shown in the image below:
```powershell
.\Verify-Kerberos.ps1 -Records 1 | ft -auto
```
To determine what value should be used with the -FilterXPath parameter, I searched the event logs in Event Viewer for Event ID 4624 and used the element names from the XML View tab, as shown in the image below:
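As an added example (not part of Verify-Kerberos.ps1 or the author's code), here is the same query done in a way that avoids two of the fragile points above: the 4624 fields are read by name from the event XML rather than by position in the Properties collection, and the authentication package can be pushed into the XPath filter so the server does the filtering instead of the client. It assumes you have read access to the Security log on each target (local Administrators or the Event Log Readers group) and uses the standard EventData field names of event 4624 (TargetUserName, LogonType, AuthenticationPackageName, LmPackageName, WorkstationName, IpAddress). The function name, its parameters and the server names server1 and server2 are my own placeholders.

```powershell
<#
Added example, not part of Verify-Kerberos.ps1. Reads 4624 fields by name
from the event XML and lets the server filter on the authentication package.
Assumes: Security log read access on each target and the standard 4624
EventData field names.
#>
function Get-LogonAuthentication {
    param (
        [string[]]$ComputerName = $Env:ComputerName,
        [int]$Records = 100,
        # Optional server-side filter on the authentication package
        [ValidateSet('Kerberos', 'NTLM', 'Negotiate')]
        [string]$AuthenticationPackage
    )

    # -LogName is required; without it Get-WinEvent searches every log and
    # fails with "The data is invalid" on Windows Server 2012.
    $xpath = "*[System[(EventID=4624)]]"
    if ($AuthenticationPackage) {
        # EventData fields can be matched by name inside the XPath filter,
        # so only the matching events cross the network.
        $xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='AuthenticationPackageName']='$AuthenticationPackage']]"
    }

    foreach ($Computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $Computer -LogName Security -MaxEvents $Records -FilterXPath $xpath -ErrorAction Stop
        }
        catch {
            # Covers "No events were found", access denied and unreachable hosts;
            # report and move on to the next server instead of aborting the run.
            Write-Warning "$($Computer): $($_.Exception.Message)"
            continue
        }

        foreach ($event in $events) {
            # Build a name -> value table from <EventData><Data Name="..."> so the
            # output does not depend on the position of each field in Properties.
            [xml]$xml = $event.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time             = $event.TimeCreated
                'Server Name'    = $event.MachineName
                'Logon Type'     = $data['LogonType']
                Authentication   = $data['AuthenticationPackageName']
                'LM Package'     = $data['LmPackageName']   # e.g. "NTLM V2" when NTLM was used
                'User Name'      = $data['TargetUserName']
                'Client Name'    = $data['WorkstationName']
                'Client Address' = $data['IpAddress']
            }
        }
    }
}

# Usage: count logons per server, authentication package and logon type ...
$logons = Get-LogonAuthentication -ComputerName server1, server2 -Records 500
$logons | Group-Object 'Server Name', Authentication, 'Logon Type' |
    Select-Object Count, Name | Sort-Object Count -Descending

# ... then list only the NTLM network logons (type 3), which are the ones to chase down
# when the goal is to confirm that Kerberos is being used.
Get-LogonAuthentication -ComputerName server1 -AuthenticationPackage NTLM |
    Where-Object { $_.'Logon Type' -eq 3 } |
    Format-Table -AutoSize
```

Two caveats when reading the output: interactive and unlock logons on a domain member normally report "Negotiate" as the package, so the interesting rows are the network logons (type 3) that show "NTLM", and remote queries need the RPC endpoint mapper and the Remote Event Log Management firewall rule open on the target, or Get-WinEvent fails with an RPC error rather than a permissions error.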
Want a copy of this script? Download it from the Microsoft TechNet Script Repository.
Reblogged this on Network and System Blog and commented:
Nice PowerShell script
Nice one! You could even make it faster by using Foreach instead of Foreach-Object…
```powershell
# Inside a foreach statement the loop variable is $Computer, not $_
Foreach ($Computer in $ComputerName) {Get-Winevent -Computer $Computer -FilterXPath "*[System[(EventID=14205)]]" | select @{Name='Time';e={$_.TimeCreated.ToString('g')}},@{l="Logon Type";e={Get-LogonTypeName $_.Properties[8].Value}},@{l='Authentication';e={$_.Properties[10].Value}},@{l='User Name';e={$_.Properties[5].Value}},@{l='Client Name';e={$_.Properties[11].Value}},@{l='Client Address';e={$_.Properties[18].Value}},@{l='Server Name';e={$_.MachineName}}} | Sort-Object @{e="Server Name";Descending=$false}, @{e="Time";Descending=$true}
```
Secondly, by introducing PowerShell Workflow (v3 only!) you can execute the code parallel instead of in sequence, which makes it yet even faster… 🙂
```powershell
Workflow Get-Events {
    param([string[]]$ComputerName)
    # Inside the foreach -parallel block the loop variable is $Computer, not $_
    Foreach -parallel ($Computer in $ComputerName) {Get-Winevent -Computer $Computer -FilterXPath "*[System[(EventID=14205)]]" | select @{Name='Time';e={$_.TimeCreated.ToString('g')}},@{l="Logon Type";e={Get-LogonTypeName $_.Properties[8].Value}},@{l='Authentication';e={$_.Properties[10].Value}},@{l='User Name';e={$_.Properties[5].Value}},@{l='Client Name';e={$_.Properties[11].Value}},@{l='Client Address';e={$_.Properties[18].Value}},@{l='Server Name';e={$_.MachineName}}} | Sort-Object @{e="Server Name";Descending=$false}, @{e="Time";Descending=$true}
}
```
Using your workflow code results in a “empty pipe element is not allowed” error for me pointing to the pipe right before the last sort-object command.
Hi,
I get the error "Get-WinEvent : Attempted to perform an unauthorized operation."
Can you help?
It's not working for me. I get:

```text
Get-Winevent : The data is invalid
At C:\temp\mac\Verify-Kerberos.ps1:46 char:33
+ $ComputerName | ForEach-Object {Get-Winevent -Computer $_ -MaxEvents $Records -F …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogInvalidDataException
    + FullyQualifiedErrorId : The data is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand

Get-Winevent : No events were found that match the specified selection criteria.
At C:\temp\mac\Verify-Kerberos.ps1:46 char:33
+ $ComputerName | ForEach-Object {Get-Winevent -Computer $_ -MaxEvents $Records -F …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
```
I get the same issue as Daniel Matei above.
I get the Same as Daniel Matei and VCSekhar but only when I run it against a Server 2012 / 2012 R2 machine.
I also had the "Verify-Kerberos.ps1:46 char:33" error. It looks like in Windows Server 2012 there is a limit on the events that can be searched.
I added "-LogName Security" to line 43 and it worked.
Line 43:

```powershell
$ComputerName | ForEach-Object {Get-Winevent -LogName Security -Computer $_ -MaxEvents $Records -FilterXPath "*[System[(EventID=4624)]]" |
```
I confirm it's running on Windows Server 2012 with Marc's modification.