Use PowerShell to Audit Logon Authentication Type

Want to know what type of authentication mechanism is being used when users log onto your servers? This script pulls the information from the event logs to determine how users are being authenticated. It uses Get-WinEvent with the FilterXPath parameter. That parameter, and what the numeric logon type codes translate to, are two things I haven't seen much documentation on. The script sorts by server name in ascending order and then by time in descending order.

<#
.SYNOPSIS
Verify-Kerberos
.DESCRIPTION
Verify-Kerberos is used to pull the logon events from the event log of specific servers to determine what type of authentication mechanism is being used. Examples are NTLM and Kerberos.
.PARAMETER ComputerName
Specify remote server names to check. Default: The Local Computer
.PARAMETER Records
Specify the maximum number of events to be retrieved from each computer. Default: 10
.EXAMPLE
.\Verify-Kerberos.ps1 -ComputerName server1 | Format-Table -AutoSize
Retrieve 10 logon events from server1 and display them on the screen in a table.
.EXAMPLE
.\Verify-Kerberos.ps1 -ComputerName server1, server2 -Records 30 | Export-Csv -NoTypeInformation -Path d:\tmp\voyager-kerberos_test.csv
Retrieve 30 logon events from server1 and 30 from server2. Save the results as a CSV file located in the specified path.
.NOTES
LastModified: 5/30/2012
Author: Mike F Robbins
#>
param (
    $ComputerName = $Env:ComputerName,
    $Records = 10
)

# Translate the numeric LogonType value of a 4624 event into its documented name.
function Get-LogonTypeName {
    Param($LogonTypeNumber)
    switch ($LogonTypeNumber) {
        0 {"System"; break;}
        2 {"Interactive"; break;}
        3 {"Network"; break;}
        4 {"Batch"; break;}
        5 {"Service"; break;}
        6 {"Proxy"; break;}
        7 {"Unlock"; break;}
        8 {"NetworkCleartext"; break;}
        9 {"NewCredentials"; break;}
        10 {"RemoteInteractive"; break;}
        11 {"CachedInteractive"; break;}
        12 {"CachedRemoteInteractive"; break;}
        13 {"CachedUnlock"; break;}
        default {"Unknown"; break;}
    }
}

# Pull the most recent 4624 (successful logon) events from each server.
# The Properties collection is positional: 8 = LogonType, 10 = AuthenticationPackageName,
# 5 = TargetUserName, 11 = WorkstationName, 18 = IpAddress.
$ComputerName | ForEach-Object {Get-WinEvent -ComputerName $_ -MaxEvents $Records -FilterXPath "*[System[(EventID=4624)]]" |
    Select-Object @{Name='Time';e={$_.TimeCreated}},
    @{l="Logon Type";e={Get-LogonTypeName $_.Properties[8].Value}},
    @{l='Authentication';e={$_.Properties[10].Value}},
    @{l='User Name';e={$_.Properties[5].Value}},
    @{l='Client Name';e={$_.Properties[11].Value}},
    @{l='Client Address';e={$_.Properties[18].Value}},
    @{l='Server Name';e={$_.MachineName}}} |
# Time is kept as a DateTime (not formatted to a string) so the descending sort is chronological.
Sort-Object @{e="Server Name";Descending=$false}, @{e="Time";Descending=$true}

I've trimmed part of the time and server name columns off the sides of the image below to make it display properly on this blog.

.\Verify-Kerberos.ps1 -ComputerName mail, web1, vmhost | ft -auto

v-kerb1.png

By default, most of this information is returned as part of the Message property, and it doesn't appear that individual items can be retrieved from it:

Get-WinEvent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]" | fl

v-kerb2.png

The Properties collection gives access to the individual values. Here's how I determined the position of each property I wanted to use:

(Get-WinEvent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]").Properties

v-kerb3.png

As you can see, the values in the collection shown in the image above line up with what the script retrieves, which is shown in the image below:

.\Verify-Kerberos.ps1 -Records 1 | ft -auto

v-kerb4.png

To determine what value should be used with the FilterXPath parameter, I searched the event logs for Event ID 4624 and used the information from the XML View tab as shown in the image below:

v-kerb5.png
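The XML View tab shows more than the EventID: each EventData field carries a Name attribute, and those names can be used both in the XPath filter and when reading the event. The following function is an added example, not part of the original script, that builds on the two points above: it lets the log service filter on AuthenticationPackageName (so only NTLM logons come back when you ask for them), and it reads the fields by name from the event XML instead of relying on the Properties[] positions. It assumes the Security log on each host, remote Get-WinEvent access, and the 4624 field names as they appear in the XML View (LogonType, AuthenticationPackageName, LmPackageName, TargetUserName, TargetDomainName, WorkstationName, IpAddress); the server names and record counts in the usage line are placeholders.

```powershell
# Added example (not from the original post). Summarize 4624 logon events by
# authentication package, filtering and parsing by EventData field name.
function Get-LogonAuthSummary {
    [CmdletBinding()]
    param (
        [string[]]$ComputerName = $Env:ComputerName,
        [int]$Records = 200,
        # Restrict to one package (e.g. 'NTLM') to find hosts that are still not
        # using Kerberos; leave empty to collect every package.
        [string]$AuthenticationPackage = ''
    )

    # XPath built from the XML View of a 4624 event. EventData/Data nodes are
    # matched by their Name attribute, so the filter runs inside the event log
    # service rather than in PowerShell after the events have been fetched.
    $xpath = "*[System[(EventID=4624)]]"
    if ($AuthenticationPackage) {
        $xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='AuthenticationPackageName']='$AuthenticationPackage']]"
    }

    foreach ($computer in $ComputerName) {
        # Unreachable hosts are skipped rather than stopping the whole run.
        $events = Get-WinEvent -ComputerName $computer -LogName Security -MaxEvents $Records -FilterXPath $xpath -ErrorAction SilentlyContinue
        foreach ($event in $events) {
            # ToXml() returns the same XML as the XML View tab; read each
            # <Data Name="..."> by its name instead of its position.
            $xml  = [xml]$event.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [PSCustomObject]@{
                Time           = $event.TimeCreated
                ServerName     = $event.MachineName
                LogonType      = [int]$data['LogonType']
                Authentication = $data['AuthenticationPackageName']
                # For NTLM logons, LmPackageName tells NTLM V1 from V2; it is '-' otherwise.
                LmPackage      = $data['LmPackageName']
                UserName       = $data['TargetUserName']
                Domain         = $data['TargetDomainName']
                ClientName     = $data['WorkstationName']
                ClientAddress  = $data['IpAddress']
            }
        }
    }
}

# Usage (placeholder server names): count logons per server and package so
# servers that still see NTLM stand out. Add -AuthenticationPackage NTLM to
# return only those events and inspect LmPackage, UserName and ClientName.
Get-LogonAuthSummary -ComputerName server1, server2 -Records 500 |
    Group-Object ServerName, Authentication |
    Select-Object Count, Name |
    Sort-Object Name
```

Adding -LogName Security to the Get-WinEvent call scopes the XPath query to the log that holds 4624 events; the original script relies on the default. Reading fields by name also survives the positional differences between operating system versions, where a new field appended to the event would otherwise shift an index.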
