时间戳

首页 > 解决方案 > powershell system.object 数组到字符串

powershell - powershell system.object 数组到字符串

问题描述

我正在使用以下代码提取登录尝试失败的用户的 IP 地址(在代码开头提供)。该代码有效,但是当我使用 GetType() 变量 $ipp 时,它返回为 Name is Object[] Base Type is System.Array 我需要这个变量是一个字符串(我正在寻找 IP文本文件并在找到时将其删除)。

$ipp = Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625;StartTime=$hours} | 
    Where-Object {$_.Properties[5].Value -like "*$userName*"} | 
    Select-Object -First 1 {$_.Properties[19].value}

我正在使用 PowerShell 5

谢谢凯文

标签: powershell

解决方案

预警:这可能是您最好的选择,以获取来自错误尝试/锁定事件的每一位信息的完整数组。您可以轻松地将每个对象分配给一个变量,查看最后一行我在检查锁定帐户时使用的一些属性名称。

我最近在工作中做了很多此类事情,并遇到了一个不错的 Microsoft 演示。我厚颜无耻地偷了他们的剧本,作品就像一个魅力。

我希望您正在连接到域控制器,但看起来该事件 ID 是针对客户端计算机上的错误尝试,而不是 DC。

对其进行了一些更改,以便您可以在定义 $userName 并留下 Microsoft 评论后将其插入。只需查看第 87/88 行,因为如果您的 DC 遇到错误,您可能需要完成该操作。

# Set up the lockout report
$report = @()

# Pick the DCs to crawl
$DCs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, OperatingSystem, OperationMasterRoles |
    Out-Gridview -Title "Select the DCs to query" -PassThru |
    Select-Object -ExpandProperty HostName

# Find the lockout stats for that user on all selected DCs
ForEach ($DC in $DCs) {
    $report += Get-ADUser $userName -Server $DC -ErrorAction Continue `
        -Properties cn, LockedOut, pwdLastSet, badPwdCount, badPasswordTime, lastLogon, lastLogoff, lastLogonTimeStamp, whenCreated, whenChanged | `
        Select-Object *, @{name='DC';expression={$DC}} 
}

$DCs = $report |
    Select-Object `
        DC, `
        cn, `
        LockedOut, `
        pwdLastSet, `
        @{name='pwdLastSetConverted';expression={[datetime]::fromFileTime($_.pwdlastset)}}, `
        badPwdCount,
        badPasswordTime, `
        @{name='badPasswordTimeConverted';expression={[datetime]::fromFileTime($_.badPasswordTime)}}, `
        lastLogon, `
        @{name='lastLogonConverted';expression={[datetime]::fromFileTime($_.lastLogon)}}, `
        lastLogoff, `
        @{name='lastLogoffConverted';expression={[datetime]::fromFileTime($_.lastLogoff)}}, `
        lastLogonTimeStamp, `
        @{name='lastLogonTimestampConverted';expression={[datetime]::fromFileTime($_.lastLogonTimestamp)}}, `
        whenCreated, `
        whenChanged |
    Out-GridView -Title "Select the DC to query event logs for lockouts" -PassThru

# Filter generated using Event Viewer GUI Custom View
# Logon/Lockout events in the last 24 hours
[xml]$xmlFilter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=529 or EventID=644 or EventID=675 or EventID=676 or EventID=681 or EventID=4740 or EventID=4771) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
"@


$Events = @()
ForEach ($DC in $DCs) {

    "Getting events from $($DC.DC)"

    # Must enable the firewall rule for remote EventLog management - CHECK WITH YOUR IT TEAM, THIS MAY BREACH YOUR COMPANY SECURITY POLICY
    # Invoke-Command -ComputerName $DC.DC -ScriptBlock {Get-NetFirewallRule -Name *eventlog* | Where-Object {$_.Enabled -eq 'False'} | Enable-NetFirewallRule -Verbose}

    ### Filter for the userID in the event message properties
    $Events += Get-WinEvent -ComputerName $DC.DC -FilterXML $xmlFilter
}

ForEach ($Event in $Events) {
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()
    # Iterate through each one of the XML message properties
    For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
        # Append these as object properties
        Add-Member -InputObject $Event -MemberType NoteProperty -Force `
            -Name  $eventXML.Event.EventData.Data[$i].name `
            -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}

# View the lockout details
$Events | Where-Object {$_.TargetUserName -eq $userName} | Select-Object TargetUserName, IPAddress, MachineName, TimeCreated | Out-GridView

推荐阅读