EvotecIT / PSWinReporting

This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers, providing easy-to-use access to AD Events.
MIT License

Group Membership Membername is only last name #35

Closed domischlegel closed 5 years ago

domischlegel commented 5 years ago

In the section of group membership changes, the "Member Name" only shows the last name and a \ (most likely because it wasn't escaped properly?)

PrzemyslawKlys commented 5 years ago

That's possible. I don't really expect "special chars" in the Member Name field. If it were the Who column it would be a bit different, because the WHO column is actually 2 fields merged together where I add \ explicitly between DOMAIN\User; the trick is it's sometimes not written correctly to the Event Log.

Can you do:

get-events -RecordID <recordid> -LogName 'Security' -Machine 'AD...'

And check all the fields and potentially let me know the results of it?

domischlegel commented 5 years ago

Hey

Thanks for your reply.

It's the field "Account Name" in the "Member" section. That field contains the DN of the user and seems to be like this: CN=lastname\, firstname, OU=OU1,OU=OU2,DC=domain,DC=com.

In the HTML Report it only shows "lastname\".

Regards

PrzemyslawKlys commented 5 years ago

So you're saying you have members in AD that have a "," in a name? That's the first time I see this :-)

domischlegel commented 5 years ago

Good point, but yes, the full name gets autogenerated and there's a "," in between (sorry, I forgot about that...)

PrzemyslawKlys commented 5 years ago

Update-Module PSEventViewer

Let me know if that fixes your issue

domischlegel commented 5 years ago

Hey, sorry to bring the bad (and late) news, but this hasn't fixed it for me.

I successfully tested it with this regex: ^CN=|\\,|,(OU|DC|CN).*$

Regards

PrzemyslawKlys commented 5 years ago

Just so we're on the same page: your name is exactly with \ and , in the name?

domischlegel commented 5 years ago

In AD it's like this:
First Name: firstname
Last name: lastname
Display name: lastname, firstname

and then the DN (which seems to be used in the event viewer but also appears like this in the AD attributes): CN=lastname\, firstname, OU=OU1,OU=OU2,DC=domain,DC=com

PrzemyslawKlys commented 5 years ago

Right, this indeed works, but I'm not sure if it's the proper way.


# Sample DNs: values with escaped commas (\,), a CN containing "$", and a nested Exchange object
$MemberName = @(
    'CN=Weird\, Name\, with   ,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name\, with $\,.,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,DC=ad,DC=evotec,DC=xyz'
    'CN=Mailbox Database 1527735546,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Evotec,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=evotec,DC=xyz'
    'CN=Test My\, User,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
)
# Write-Color comes from the PSWriteColor module
Write-Color '- MyVersion' -Color Green
foreach ($Member in $MemberName) {
    # Strip the leading "CN=" and everything from the first ",OU" / ",DC" / ",CN" onward;
    # the "\," escape stays in the value
    $Member -replace '^CN=|,(OU|DC|CN).*$'
}
Write-Color '- NewVersion' -Color Red
foreach ($Member in $MemberName) {
    # Additionally removes every "\," so the escaped comma is lost entirely
    $Member -replace 'CN=|\\,|,(OU|DC|CN).*$'
}

Output:

- MyVersion
Weird\, Name\, with
Weird Name\, with $\,.
Weird Name
Weird Name
Weird Name
Mailbox Database 1527735546
Test My\, User
- NewVersion
Weird Name with
Weird Name with $.
Weird Name
Weird Name
Weird Name
Mailbox Database 1527735546
Test My User

Your approach actually gets rid of any characters, giving clean output, but it also removes an integral part of the name, which in your case is the comma.

PrzemyslawKlys commented 5 years ago

I think it should be:

# Sample DNs: values with escaped commas (\,), a CN containing "$", and a nested Exchange object
$MemberName = @(
    'CN=Weird\, Name\, with   ,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name\, with $\,.,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,DC=ad,DC=evotec,DC=xyz'
    'CN=Mailbox Database 1527735546,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Evotec,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=evotec,DC=xyz'
    'CN=Test My\, User,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
)

# Write-Color comes from the PSWriteColor module
Write-Color '- Members' -Color Yellow
foreach ($Member in $MemberName) {
    # Unchanged input, for comparison
    $Member
}

Write-Color '- MyVersion' -Color Green
foreach ($Member in $MemberName) {
    # Strip "CN=" and the rest of the DN; the "\," escape stays in the value
    $Member -replace '^CN=|,(OU|DC|CN).*$'
}
Write-Color '- NewVersion' -Color Red
foreach ($Member in $MemberName) {
    # Also removes "\," entirely, so the escaped comma is lost
    $Member -replace 'CN=|\\,|,(OU|DC|CN).*$'
}

Write-Color '- Final version?' -Color Blue
foreach ($Member in $MemberName) {
    # Removes every backslash but keeps the comma that follows it
    $Member -replace 'CN=|\\|,(OU|DC|CN).*$'
}

The last one leaves your comma in place just removing extra characters.
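
An added example, not code from PSWinReporting or PSEventViewer, that extracts the member name by walking the DN with RFC 4514 escaping rules instead of stripping characters with -replace. It runs the "Final version?" regex from this thread next to a small parser over the thread's own DNs plus two constructed edge cases: a hex-escaped comma (\2C, which is valid DN syntax) and a CN that contains an escaped backslash (\\) and an escaped ",OU". The regex drops every backslash, so \\ vanishes and \2C turns into "2C", and it cuts the value at the first ",OU" / ",DC" / ",CN" even when that comma was escaped; the parser stops only at an unescaped separator. Function names (Get-DNLeafValue, Test-HexEscapeAt, Compare-DNParsing) and the extra sample DNs are this example's own.

```powershell
# Added example, not part of PSWinReporting / PSEventViewer.
# Extract the first RDN value (the CN of a user or group) from an LDAP DN,
# decoding RFC 4514 escapes ("\,", "\\", "\2C") instead of deleting characters.

function Test-HexEscapeAt {
    # True when $Text[$Index] is a backslash followed by two hex digits, e.g. "\2C"
    param([string] $Text, [int] $Index)
    return ($Index + 2 -lt $Text.Length -and $Text[$Index] -eq '\' -and $Text.Substring($Index + 1, 2) -match '^[0-9A-Fa-f]{2}$')
}

function Get-DNLeafValue {
    # Returns the value of the first RDN of $DistinguishedName with escapes decoded.
    # Stops at the first unescaped separator: "," (next RDN), "+" (multi-valued RDN), ";" (legacy).
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    $eq = $DistinguishedName.IndexOf('=')
    if ($eq -lt 0) { return $DistinguishedName }   # not "type=value": nothing to parse

    $value = [System.Text.StringBuilder]::new()
    $i = $eq + 1
    while ($i -lt $DistinguishedName.Length) {
        $c = $DistinguishedName[$i]
        if (Test-HexEscapeAt $DistinguishedName $i) {
            # A run of consecutive hex escapes is one UTF-8 byte sequence
            $bytes = [System.Collections.Generic.List[byte]]::new()
            while (Test-HexEscapeAt $DistinguishedName $i) {
                $bytes.Add([Convert]::ToByte($DistinguishedName.Substring($i + 1, 2), 16))
                $i += 3
            }
            [void]$value.Append([System.Text.Encoding]::UTF8.GetString($bytes.ToArray()))
        } elseif ($c -eq '\') {
            if ($i + 1 -ge $DistinguishedName.Length) { break }   # dangling backslash: stop
            [void]$value.Append($DistinguishedName[$i + 1])        # "\," -> ","  "\\" -> "\"
            $i += 2
        } elseif ($c -eq ',' -or $c -eq '+' -or $c -eq ';') {
            break   # unescaped separator: end of the first RDN
        } else {
            [void]$value.Append($c)
            $i++
        }
    }
    return $value.ToString()
}

# Constructed sample input: the DNs from this thread plus two edge cases (hex escape,
# escaped backslash and escaped ",OU" inside the CN) that the -replace approach mishandles.
$SampleDNs = @(
    'CN=lastname\, firstname,OU=OU1,OU=OU2,DC=domain,DC=com'
    'CN=Weird Name\, with $\,.,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Mailbox Database 1527735546,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Evotec,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=evotec,DC=xyz'
    'CN=Smith\2C John,OU=Users,DC=ad,DC=evotec,DC=xyz'
    'CN=Acme\, Inc\\Sales\,OU=Legacy,OU=Users,DC=ad,DC=evotec,DC=xyz'
)

function Compare-DNParsing {
    # Shows the thread's final regex next to the parser for each DN
    param([string[]] $DistinguishedNames)
    foreach ($dn in $DistinguishedNames) {
        [pscustomobject]@{
            Regex  = $dn -replace 'CN=|\\|,(OU|DC|CN).*$'     # "Final version?" from this thread
            Parsed = Get-DNLeafValue -DistinguishedName $dn
        }
    }
}

Compare-DNParsing -DistinguishedNames $SampleDNs | Format-Table -AutoSize
```

For the DN reported in this issue both columns read "lastname, firstname". They differ on the last two samples: the regex gives "Smith2C John" and "Acme, IncSales", the parser gives "Smith, John" and "Acme, Inc\Sales,OU=Legacy". Since the Member field of a 4728/4732/4756-style event is whatever DN the directory holds, and a report is the thing an auditor reads, keeping the name exactly as AD stores it is the safer default.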

PrzemyslawKlys commented 5 years ago

Install-Module PSEventViewer -Force

Published new version. Should fix it.