Use PowerShell to Audit Logon Authentication Type

Want to know what type of authentication mechanism is being used when users log onto your servers? This script pulls the information from the event logs to determine how users are being authenticated. It uses Get-Winevent with the -FilterXPath parameter. That parameter and what the logon type numeric codes translate to are a couple of things that I haven’t seen much documentation on. The script sorts by server name in ascending order and then by the time in descending order.

<#
.SYNOPSIS
    Verify-Kerberos
.DESCRIPTION
    Verify-Kerberos is used to pull the logon events from the event log of specific servers to determine what type of authentication mechanism is being used. Examples are NTLM and Kerberos.
.PARAMETER ComputerName
    Specify remote server names to check. Default: The Local Computer
.PARAMETER Records
    Specify the maximum number of events to be retrieved from each computer. Default: 10
.EXAMPLE
    .\Verify-Kerberos.ps1 -ComputerName server1 | Format-Table -AutoSize
    Retrieve 10 logon events from server1 and display them on the screen in a table.
.EXAMPLE
    .\Verify-Kerberos.ps1 -ComputerName server1, server2 -Records 30 | Export-Csv -NoTypeInformation -Path d:\tmp\voyager-kerberos_test.csv
    Retrieve 30 logon events from server1 and 30 from server2. Save the results as a CSV file located in the specified path.
.NOTES
    LastModified: 5/30/2012
    Author: Mike F Robbins
#>
param (
    $ComputerName = $Env:ComputerName,
    $Records = 10
)

# Translate the numeric LogonType field of event 4624 into its documented name.
function Get-LogonTypeName {
    Param($LogonTypeNumber)
    switch ($LogonTypeNumber) {
        0  {"System"; break;}
        2  {"Interactive"; break;}
        3  {"Network"; break;}
        4  {"Batch"; break;}
        5  {"Service"; break;}
        6  {"Proxy"; break;}
        7  {"Unlock"; break;}
        8  {"NetworkCleartext"; break;}
        9  {"NewCredentials"; break;}
        10 {"RemoteInteractive"; break;}
        11 {"CachedInteractive"; break;}
        12 {"CachedRemoteInteractive"; break;}
        13 {"CachedUnlock"; break;}
        default {"Unknown"; break;}
    }
}

# Pull the most recent 4624 (successful logon) events from each server and
# pick the fields of interest out of the Properties collection by position.
$ComputerName | ForEach-Object {
    Get-WinEvent -Computer $_ -MaxEvents $Records -FilterXPath "*[System[(EventID=4624)]]" |
    Select-Object @{Name='Time';e={$_.TimeCreated.ToString('g')}},
        @{l="Logon Type";e={Get-LogonTypeName $_.Properties[8].Value}},
        @{l='Authentication';e={$_.Properties[10].Value}},
        @{l='User Name';e={$_.Properties[5].Value}},
        @{l='Client Name';e={$_.Properties[11].Value}},
        @{l='Client Address';e={$_.Properties[18].Value}},
        @{l='Server Name';e={$_.MachineName}}
} |
Sort-Object @{e="Server Name";Descending=$false}, @{e="Time";Descending=$true}

I’ve trimmed part of the time and server name columns off the sides of the image below to make it display properly on this blog. Click on the images to display them completely.

.\Verify-Kerberos.ps1 -ComputerName mail, web1, vmhost | ft -auto

v-kerb1.png

By default, most of this information is returned as part of the “Message” property and it doesn’t appear that individual items can be retrieved from it:

Get-Winevent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]" | fl

v-kerb2.png

The “Properties” collection allows access to the individual values. Here’s how I determined what position the properties I wanted to use were in:

(Get-Winevent -MaxEvents 1 -FilterXPath "*[System[(EventID=4624)]]").Properties

v-kerb3.png

As you can see, the values in the collection shown in the image above line up with what the script retrieves which is shown in the image below:

.\Verify-Kerberos.ps1 -Records 1 | ft -auto

v-kerb4.png

To determine what value should be used with the -FilterXPath parameter, I searched the event logs for Event ID 4624 and used the information from the XML View tab as shown in the image below:

v-kerb5.png
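Building on the same -FilterXPath and Properties techniques, the following is an added example (not part of the original post or the script above) that moves the logon-type filter into the XPath query so the server does the filtering, and then counts Kerberos versus NTLM (with the NTLM version) per server so any NTLM fallback stands out. It assumes the caller can read the Security log remotely, and that Properties indexes 6 (TargetDomainName) and 14 (LmPackageName) follow the same 4624 field order as the indexes used in the post's script.

```powershell
# Added example, not from the original post: summarise which authentication
# package is being negotiated per server for network-style logons.
function Get-AuthPackageSummary {
    [CmdletBinding()]
    param (
        [string[]]$ComputerName = $Env:ComputerName,
        [int]$Records = 500
    )

    # Server-side filter: event 4624 with LogonType 3 (Network) or 10
    # (RemoteInteractive), the logons where the negotiated package matters.
    $xpath = "*[System[(EventID=4624)] and " +
             "EventData[Data[@Name='LogonType']='3' or Data[@Name='LogonType']='10']]"

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -LogName Security `
                          -MaxEvents $Records -FilterXPath $xpath -ErrorAction Stop
        }
        catch {
            # Covers unreachable hosts, access denied and "no events found".
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        $events |
        ForEach-Object {
            $package = $_.Properties[10].Value            # AuthenticationPackageName
            # For NTLM, LmPackageName (assumed index 14) reads "NTLM V1" or
            # "NTLM V2"; for Kerberos it is "-", so keep "Kerberos" as-is.
            if ($package -eq 'NTLM') { $package = $_.Properties[14].Value }
            [PSCustomObject]@{
                ServerName = $_.MachineName
                Package    = $package
                User       = '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value
                Client     = $_.Properties[18].Value         # IpAddress
            }
        } |
        Group-Object ServerName, Package |
        ForEach-Object {
            [PSCustomObject]@{
                ServerName = $_.Group[0].ServerName
                Package    = $_.Group[0].Package
                Logons     = $_.Count
                Users      = ($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique) -join ', '
            }
        }
    }
}

Get-AuthPackageSummary -ComputerName mail, web1 | Format-Table -AutoSize
```

Rows whose Package reads "NTLM V1" are the ones worth chasing first, since that is the weakest package a client will negotiate and the User and Client columns show where it is coming from.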

Want a copy of this script? Download it from the Microsoft TechNet Script Repository.
