param (
$samaccountname
)
#put some . link here for the time functions and meta data check if its not already in your profile
function get-PCNSEvents-inrange([string]$server,$time,$seconds,$username) {
$myTimeRange = wmitime-timerange $time $seconds
$filter = "logfile='application' and timegenerated>='" + $mytimerange[0] + "' and timegenerated <= '" + $mytimerange[1] + "' and sourcename='PCNSSVC'"
$results = gwmi -computer $server win32_ntlogevent -filter $filter |
where {$_.message -match $username} |select -last 1 -exp message
return $results
}
try {
$pwdChangeEvent = show-adobjmeta -type user -name $samaccountname | where {$_.attribute -eq "unicodePwd"}
if ($pwdChangeEvent -eq $null) {Throw "Cannot find user in active directory"}
$eventtime = dt-toWMITime $pwdChangeEvent.ChangeTime
$server = $pwdChangeEvent.originator.split(",")[0].replace("CN=","")
$event = get-PCNSEvents-inrange $server $eventtime 10 $samaccountname
if ($event -eq $null) {throw "No events found on domain controller around the time of the last password change."}
$event
} catch { $_}
Thursday, April 5, 2018
FIM / MIM checking PCNS events for a specific user
The following script can be used along with some previous functions that I have written, AD object meta data check, and time functions. This will look at the user's last password set time and the domain controller that the change was recorded on. It will take the change time from the AD metadata for that last password reset, and use it to remotely search the domain controller's application log for the PCNS (password change notification service) events that match the user's SamAccountName. Of course it will need to be run with an account that has remote WMI permissions to the domain controller, which will typically be domain admin unless you made some wmi permissions modifications to the cimv2 portion of the wmi namespace.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment