Use PowerShell to Audit Logon Authentication Type
Want to know what type of authentication mechanism is being used when users log onto your servers? This script pulls the information from the Security event log (Event ID 4624) to determine how users are being authenticated. It uses `Get-WinEvent` with the `FilterXPath` parameter. That parameter, and what the numeric logon type codes translate to, are a couple of things I haven't seen much documentation on. The script sorts by server name in ascending order and then by time in descending order.
```powershell
<#
.SYNOPSIS
Verify-Kerberos
.DESCRIPTION
Verify-Kerberos is used to pull the logon events from the event log of specific servers to determine what type of authentication mechanism is being used. Examples are NTLM and Kerberos.
.PARAMETER ComputerName
Specify remote server names to check. Default: The Local Computer
.PARAMETER Records
Specify the maximum number of events to be retrieved from each computer. Default: 10
.EXAMPLE
.\Verify-Kerberos.ps1 -ComputerName server1 | Format-Table -AutoSize
Retrieve 10 logon events from server1 and display them on the screen in a table.
.EXAMPLE
.\Verify-Kerberos.ps1 -ComputerName server1, server2 -Records 30 | Export-Csv -NoTypeInformation -Path d:\tmp\voyager-kerberos_test.csv
Retrieve 30 logon events from server1 and 30 from server2. Save the results as a CSV file located in the specified path.
.NOTES
LastModified: 5/30/2012
Author: Mike F Robbins
#>
param (
    $ComputerName = $Env:ComputerName,
    $Records = 10
)

# Translate the numeric LogonType field of Event ID 4624 into its documented name.
function Get-LogonTypeName {
    Param($LogonTypeNumber)
    switch ($LogonTypeNumber) {
        0  {"System"; break;}
        2  {"Interactive"; break;}
        3  {"Network"; break;}
        4  {"Batch"; break;}
        5  {"Service"; break;}
        6  {"Proxy"; break;}
        7  {"Unlock"; break;}
        8  {"NetworkCleartext"; break;}
        9  {"NewCredentials"; break;}
        10 {"RemoteInteractive"; break;}
        11 {"CachedInteractive"; break;}
        12 {"CachedRemoteInteractive"; break;}
        13 {"CachedUnlock"; break;}
        default {"Unknown"; break;}
    }
}

# Pull successful logon events (4624) from each server and pick the fields of interest
# out of the Properties collection by position (see the Properties listing further down).
$ComputerName | ForEach-Object {
    Get-WinEvent -ComputerName $_ -MaxEvents $Records -FilterXPath "*[System[(EventID=4624)]]" |
    Select-Object @{Name='Time';e={$_.TimeCreated.ToString('g')}},
        @{l="Logon Type";e={Get-LogonTypeName $_.Properties[8].Value}},
        @{l='Authentication';e={$_.Properties[10].Value}},
        @{l='User Name';e={$_.Properties[5].Value}},
        @{l='Client Name';e={$_.Properties[11].Value}},
        @{l='Client Address';e={$_.Properties[18].Value}},
        @{l='Server Name';e={$_.MachineName}}
} |
Sort-Object @{e="Server Name";Descending=$false}, @{e="Time";Descending=$true}
```
I've trimmed part of the time and server name columns off the sides of the image below to make it display properly on this blog.
```powershell
.\Verify-Kerberos.ps1 -ComputerName mail, web1, vmhost | ft -auto
```
By default, most of this information is returned as part of the `Message` property, and individual items cannot be retrieved from it directly:

```powershell
Get-WinEvent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]" | fl
```
The `Properties` collection allows access to the individual values. Here's how I determined which position each property I wanted to use was in:

```powershell
(Get-WinEvent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]").Properties
```
As you can see, the values in the collection shown in the image above line up with what the script retrieves, shown in the image below:

```powershell
.\Verify-Kerberos.ps1 -Records 1 | ft -auto
```
To determine what value should be used with the `FilterXPath` parameter, I searched the event logs for Event ID 4624 and used the information from the XML View tab, as shown in the image below:
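The XML View also shows that each value in the `EventData` section carries a `Name` attribute (LogonType, AuthenticationPackageName, and so on). As an added example that is not part of the original post or script, the function below reads a 4624 event's XML by those field names instead of by `Properties[]` position, and flags NTLM and cleartext logons for review. The sample XML is constructed to stand in for `$event.ToXml()` so the example runs offline.

```powershell
# Constructed sample standing in for (Get-WinEvent ...).ToXml(); hostnames and IP are made up.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2012-05-30T14:02:11.000Z"/>
    <Computer>web1.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">LAPTOP42</Data>
    <Data Name="IpAddress">10.0.0.55</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: build the same columns the script emits, but from named XML fields.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $xml = [xml]$EventXml

    # Index every <Data Name="..."> element by its Name attribute. GetAttribute is used
    # because $d.Name would return the element name ("Data"), not the attribute.
    $field = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $field[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        Time             = [datetime]$xml.Event.System.TimeCreated.SystemTime
        'Logon Type'     = [int]$field['LogonType']          # map with Get-LogonTypeName if desired
        Authentication   = $field['AuthenticationPackageName']
        'User Name'      = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
        'Client Name'    = $field['WorkstationName']
        'Client Address' = $field['IpAddress']
        'Server Name'    = $xml.Event.System.Computer
        # Review flag: NTLM where Kerberos is expected, or a NetworkCleartext (type 8) logon.
        ReviewFlag       = ($field['AuthenticationPackageName'] -eq 'NTLM') -or ($field['LogonType'] -eq '8')
    }
}

ConvertFrom-LogonEventXml -EventXml $SampleEventXml | Format-List
# Against live data:
# Get-WinEvent -FilterXPath "*[System[(EventID=4624)]]" -MaxEvents 10 |
#     ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() }
```

Because the lookup is by name, this keeps working if the position of a field in the `Properties` collection differs between Windows versions.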