Use PowerShell to Audit Logon Authentication Type

Want to know what type of authentication mechanism is being used when users log onto your servers? This script pulls the information from the event logs to determine how users are being authenticated. It uses Get-WinEvent with the FilterXPath parameter. That parameter and what the logon type numeric codes translate to are a couple of things that I haven't seen much documentation on. The script sorts by server name in ascending order and then by time in descending order.

<#
.DESCRIPTION
Verify-Kerberos is used to pull the logon events from the event log of specific servers to determine what type of authentication mechanism is being used. Examples are NTLM and Kerberos.
.PARAMETER ComputerName
Specify remote server names to check. Default: The Local Computer
.PARAMETER Records
Specify the maximum number of events to be retrieved from each computer. Default: 10
.EXAMPLE
.\Verify-Kerberos.ps1 -ComputerName server1 | Format-Table -AutoSize
Retrieve 10 logon events from server1 and display them on the screen in a table.
.EXAMPLE
.\Verify-Kerberos.ps1 -ComputerName server1, server2 -Records 30 | Export-Csv -NoTypeInformation -Path d:\tmp\voyager-kerberos_test.csv
Retrieve 30 logon events from server1 and 30 from server2. Save the results as a CSV file located in the specified path.
.NOTES
LastModified: 5/30/2012
#author: Mike F Robbins
#>
param (
    $ComputerName = $Env:ComputerName,
    $Records = 10
)

# Translate the numeric LogonType value carried by event 4624 into its descriptive name.
function Get-LogonTypeName {
    param ($LogonTypeNumber)
    switch ($LogonTypeNumber) {
        0 {"System"; break;}
        2 {"Interactive"; break;}
        3 {"Network"; break;}
        4 {"Batch"; break;}
        5 {"Service"; break;}
        6 {"Proxy"; break;}
        7 {"Unlock"; break;}
        8 {"NetworkCleartext"; break;}
        9 {"NewCredentials"; break;}
        10 {"RemoteInteractive"; break;}
        11 {"CachedInteractive"; break;}
        12 {"CachedRemoteInteractive"; break;}
        13 {"CachedUnlock"; break;}
        default {"Unknown"; break;}
    }
}

# Pull the newest $Records logon events (Event ID 4624) from each server. The individual
# fields are read from the Properties collection by position: 8 = LogonType,
# 5 = TargetUserName, 11 = WorkstationName, 18 = IpAddress.
$ComputerName | ForEach-Object {Get-WinEvent -ComputerName $_ -MaxEvents $Records -FilterXPath "*[System[(EventID=4624)]]" |
    select @{Name='Time';e={$_.TimeCreated.ToString('g')}},
    @{l="Logon Type";e={Get-LogonTypeName $_.Properties[8].Value}},
    @{l='User Name';e={$_.Properties[5].Value}},
    @{l='Client Name';e={$_.Properties[11].Value}},
    @{l='Client Address';e={$_.Properties[18].Value}},
    @{l='Server Name';e={$_.MachineName}}} |
Sort-Object @{e="Server Name";Descending=$false}, @{e="Time";Descending=$true}
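The script above keys off the numeric logon type, but the question in the title (NTLM or Kerberos?) is answered by a different field of the same 4624 event: the AuthenticationPackageName value (index 10 in the Properties collection), with LmPackageName (index 14) telling NTLM V1 from NTLM V2. The following is an added example, not part of Mike F Robbins' script, that reads the 4624 fields by the names shown on the XML View tab rather than by position, reports the authentication package next to the logon type, and summarizes the mix per server. The function names (ConvertFrom-LogonEventXml, Get-LogonAuthSummary) and the sample event at the bottom are assumptions made for this example; the sample is constructed so the parser can be exercised without reading a Security log.

```powershell
# Added example (not part of the original script): parse event 4624 by the
# EventData <Data Name="..."> names instead of by Properties[] index, and report
# the authentication package (Kerberos / NTLM / Negotiate) with the logon type.
# Function names ConvertFrom-LogonEventXml and Get-LogonAuthSummary are assumed.

function ConvertFrom-LogonEventXml {
    # Takes the XML text of one 4624 event (what $event.ToXml() returns) and
    # returns a flat object built from the named EventData fields.
    param ([Parameter(Mandatory)][string]$EventXml)

    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    $logonTypeNames = @{
        '0'='System'; '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service';
        '7'='Unlock'; '8'='NetworkCleartext'; '9'='NewCredentials';
        '10'='RemoteInteractive'; '11'='CachedInteractive'
    }
    $typeName = 'Unknown'
    if ($logonTypeNames.ContainsKey([string]$data['LogonType'])) {
        $typeName = $logonTypeNames[[string]$data['LogonType']]
    }

    [pscustomobject]@{
        Time          = [datetime]$x.Event.System.TimeCreated.GetAttribute('SystemTime')
        ServerName    = $x.Event.System.Computer
        UserName      = $data['TargetUserName']
        Domain        = $data['TargetDomainName']
        LogonType     = $data['LogonType']
        LogonTypeName = $typeName
        AuthPackage   = $data['AuthenticationPackageName']   # 'Kerberos', 'NTLM', 'Negotiate', ...
        LmPackage     = $data['LmPackageName']                # 'NTLM V1' / 'NTLM V2' when AuthPackage is NTLM
        ClientName    = $data['WorkstationName']
        ClientAddress = $data['IpAddress']
    }
}

function Get-LogonAuthSummary {
    # Pulls the newest $Records 4624 events from each server's Security log and
    # counts them by authentication package and logon type. Reading the Security
    # log requires administrative rights or Event Log Readers membership.
    param (
        [string[]]$ComputerName = $Env:ComputerName,
        [int]$Records = 100
    )
    $ComputerName | ForEach-Object {
        Get-WinEvent -ComputerName $_ -LogName Security -MaxEvents $Records `
            -FilterXPath "*[System[(EventID=4624)]]" -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() }
    } |
        Group-Object ServerName, AuthPackage, LogonTypeName |
        Select-Object @{l='Server';e={$_.Values[0]}},
                      @{l='AuthPackage';e={$_.Values[1]}},
                      @{l='LogonType';e={$_.Values[2]}},
                      Count |
        Sort-Object Server, @{e='Count';Descending=$true}
}

# Constructed sample 4624 event (an NTLM V2 network logon); every value is made up
# for this example so the parser can run without access to a Security log.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2012-05-30T14:05:11.1234567Z"/>
    <Computer>web1.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">LAPTOP42</Data>
    <Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="IpAddress">10.0.0.42</Data>
    <Data Name="IpPort">49251</Data>
  </EventData>
</Event>
'@

ConvertFrom-LogonEventXml -EventXml $sampleXml | Format-List
# Against live servers (needs rights to read the Security log):
# Get-LogonAuthSummary -ComputerName server1, server2 -Records 500 | Format-Table -AutoSize
```

Reading the fields by name is the safer habit: newer Windows versions append extra EventData fields to 4624, and a position-based select keeps working only because Microsoft appends rather than reorders. The AuthPackage/LmPackage columns are what tell you whether a server is still seeing NTLM (and which version) versus Kerberos.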

I've trimmed part of the time and server name columns off the sides of the image below to make it display properly on this blog.

.\Verify-Kerberos.ps1 -ComputerName mail, web1, vmhost | ft -auto


By default, most of this information is returned as part of the Message property, and it doesn't appear that individual items can be retrieved from it:

Get-WinEvent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]" | fl


The Properties collection allows access to the individual values. Here's how I determined what position the properties I wanted to use were in:

(Get-WinEvent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]").Properties


As you can see, the values in the collection shown in the image above line up with what the script retrieves, which is shown in the image below:

.\Verify-Kerberos.ps1 -Records 1 | ft -auto


To determine what value should be used with the FilterXPath parameter, I searched the event logs for Event ID 4624 and used the information from the XML View tab as shown in the image below:
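The same XML View tab gives you the Data names needed to push more of the filtering into the XPath itself, so the event log service returns only the logons you care about instead of the newest N events of every kind. The following is an added example (not code from the original post) that builds such a filter: event 4624 within a time window, optionally restricted to one LogonType and one AuthenticationPackageName, and then uses it to list NTLM network logons per client. The function names New-LogonXPath and Get-NtlmLogons are assumptions made for this example; the Properties indexes it reads (5, 11, 14, 18) are the 4624 positions for TargetUserName, WorkstationName, LmPackageName and IpAddress.

```powershell
# Added example (not from the original post): let the event log do the filtering
# by putting EventData predicates into FilterXPath. Function names New-LogonXPath
# and Get-NtlmLogons are assumed names for this example.

function New-LogonXPath {
    # Returns an XPath for event 4624 limited to the last $Hours hours and,
    # optionally, to one LogonType and/or one AuthenticationPackageName.
    # timediff(@SystemTime) is measured in milliseconds; the Data names are the
    # ones shown under EventData on the XML View tab.
    param (
        [int]$Hours = 24,
        [string]$LogonType,
        [string]$AuthPackage
    )
    $ms = $Hours * 3600 * 1000
    $clauses = @("System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $ms]]")
    $data = @()
    if ($LogonType)   { $data += "Data[@Name='LogonType']='$LogonType'" }
    if ($AuthPackage) { $data += "Data[@Name='AuthenticationPackageName']='$AuthPackage'" }
    if ($data.Count -gt 0) { $clauses += "EventData[$($data -join ' and ')]" }
    "*[$($clauses -join ' and ')]"
}

function Get-NtlmLogons {
    # NTLM network (type 3) logons on each server within the window, one row per
    # event. Reading the Security log needs admin rights or Event Log Readers.
    param (
        [string[]]$ComputerName = $Env:ComputerName,
        [int]$Hours = 24,
        [int]$MaxEvents = 500
    )
    $xpath = New-LogonXPath -Hours $Hours -LogonType 3 -AuthPackage NTLM
    foreach ($server in $ComputerName) {
        Get-WinEvent -ComputerName $server -LogName Security -MaxEvents $MaxEvents `
            -FilterXPath $xpath -ErrorAction SilentlyContinue |
            Select-Object @{l='Server';e={$_.MachineName}},
                          @{l='Time';e={$_.TimeCreated}},
                          @{l='User';e={$_.Properties[5].Value}},
                          @{l='Client Name';e={$_.Properties[11].Value}},
                          @{l='Client Address';e={$_.Properties[18].Value}},
                          @{l='LM Package';e={$_.Properties[14].Value}}   # 'NTLM V1' vs 'NTLM V2'
    }
}

# Show the generated query, then summarize which clients are still using NTLM
# (and which NTLM version) against this server over the last day.
New-LogonXPath -Hours 24 -LogonType 3 -AuthPackage NTLM
Get-NtlmLogons -Hours 24 |
    Group-Object 'Client Name', 'LM Package' |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

With the defaults, New-LogonXPath returns *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='LogonType']='3' and Data[@Name='AuthenticationPackageName']='NTLM']], which you can paste straight into the Filter Current Log dialog's XML tab to confirm it matches what Event Viewer shows. Grouping by client and LM package is a quick way to find the hosts that would break if NTLM were restricted, and a spike in NTLM network logons from an unexpected client address is worth a second look.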