Thursday, April 5, 2018

FIM / MIM checking PCNS events for a specific user

The following script can be used together with some functions I have written previously: the AD object metadata check and the time functions. It looks at the user's last password set time and the domain controller on which that change was recorded. It takes the change time from the AD replication metadata for that last password reset and uses it to remotely search the domain controller's Application log for the PCNS (Password Change Notification Service) events that match the user's SamAccountName. It will of course need to be run with an account that has remote WMI permissions on the domain controller, which typically means a domain admin unless you have modified the WMI permissions on the cimv2 portion of the WMI namespace.

param ([string]$samaccountname)

# Dot-source the time functions and the AD object metadata check here if they are not already in your profile

function get-PCNSEvents-inrange([string]$server, $time, [int]$seconds, [string]$username) {

    # Build the WQL time window (DMTF datetime strings) around the password change
    $myTimeRange = wmitime-timerange $time $seconds

    $filter = "logfile='application' and timegenerated>='" + $myTimeRange[0] + "' and timegenerated<='" + $myTimeRange[1] + "' and sourcename='PCNSSVC'"

    # Remote WMI read of the DC's Application log; keep only the newest PCNSSVC event mentioning the user
    $results = Get-WmiObject -ComputerName $server -Class win32_ntlogevent -Filter $filter |
        Where-Object { $_.message -match $username } | Select-Object -Last 1 -ExpandProperty message

    return $results
}

try {

    # Replication metadata for unicodePwd gives the last password change time and the originating DC
    $pwdChangeEvent = show-adobjmeta -type user -name $samaccountname | Where-Object { $_.attribute -eq "unicodePwd" }

    if ($null -eq $pwdChangeEvent) { throw "Cannot find user in active directory" }

    $eventtime = dt-toWMITime $pwdChangeEvent.ChangeTime

    # Originator is a DN starting with the DC's CN; strip it down to the host name
    $server = $pwdChangeEvent.originator.split(",")[0].replace("CN=", "")

    $event = get-PCNSEvents-inrange $server $eventtime 10 $samaccountname

    if ($null -eq $event) { throw "No events found on domain controller around the time of the last password change." }

    # Output the matching PCNS event message
    $event

} catch { $_ }
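As an added example (not the script above, and not the author's helper functions), here is a self-contained version of the same lookup that stands in for the unshown helpers: Get-ADReplicationAttributeMetadata replaces show-adobjmeta, and [System.Management.ManagementDateTimeConverter] replaces the dt-toWMITime / wmitime-timerange conversions. It assumes Windows PowerShell 5.1 with the ActiveDirectory module, a reachable domain controller, and an account with remote WMI rights on the originating DC.

```powershell
# Added example: self-contained PCNS lookup for one user (assumes ActiveDirectory module + WMI rights).
function Get-PcnsEventsForUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$WindowSeconds = 10                    # +/- window around the password change
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

    # Replication metadata for unicodePwd: when the password last changed and which DC wrote it.
    # Any DC can answer the metadata query; ask the closest one.
    $dc   = (Get-ADDomainController -Discover -NextClosestSite).HostName[0]
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc -Attribute unicodePwd
    if (-not $meta) { throw "No unicodePwd metadata found for $SamAccountName" }

    # The originating server is reported as its NTDS Settings DN:
    # "CN=NTDS Settings,CN=<DC name>,CN=Servers,..." -> the DC name is the second RDN.
    $server  = (($meta.LastOriginatingChangeDirectoryServerIdentity -split ',')[1]) -replace '^CN='
    $changed = $meta.LastOriginatingChangeTime       # local DateTime of the password write

    # WQL compares CIM_DATETIME strings, so both ends of the window must be in DMTF form
    # (yyyymmddHHMMSS.ffffff+offset); this is what the page's wmitime-timerange helper produced.
    $start = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($changed.AddSeconds(-$WindowSeconds))
    $end   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($changed.AddSeconds($WindowSeconds))
    $filter = "Logfile='Application' AND SourceName='PCNSSVC' AND TimeGenerated>='$start' AND TimeGenerated<='$end'"

    # Remote WMI read of the Application log on the originating DC; escape the name so it is a literal match.
    $events = Get-WmiObject -ComputerName $server -Class Win32_NTLogEvent -Filter $filter |
        Where-Object { $_.Message -match [regex]::Escape($SamAccountName) }
    if (-not $events) { throw "No PCNSSVC events on $server within $WindowSeconds s of $changed" }

    $events | Select-Object ComputerName, EventCode, TimeGenerated, Message
}

# Usage: Get-PcnsEventsForUser -SamAccountName jdoe -WindowSeconds 10
```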
