Powershell 查找创建该帐户的用户的名称 [英] Powershell find the name of a user that created the account
问题描述
我想根据创建的帐户过滤用户名
I would like to filter for a username based on the account that was created
例如 sometext@gmail.com 是用户名
For example sometext@gmail.com is the username
目前我有以下code
Get-WinEvent -FilterHashtable @{logname='security';id=624;data='sometext@gmail.com'}
我正在处理的笔记说创建帐户是事件 ID 624、626
The notes I'm working from say that account creation is Event IDs 624, 626
但是我无法成功返回上述过滤器
However I'm unable to return the above filter successfully
如何过滤与创建的帐户关联的用户名?
How is it possible to filter for a username associated with an account that was created ?
我还尝试了以下显示帐户创建日期但不显示创建它的用户的方法.
I have also tried the following which shows me account creation date but not the user who created it .
Get-EventLog -FilterHashtable | Where-Object { $_.EventID -eq 4720 }:
谢谢
推荐答案
624 是用户帐户已创建"事件的 ID 在 Windows Vista 之前,4720 是 Windows Vista 和更新版本.根据 这篇文章 您应该能够从事件消息中提取创建新帐户的信息:
624 is the ID for the "user account was created" event prior to Windows Vista, 4720 is the ID for the same event in Windows Vista and newer. According to this article you should be able to extract the information who created the new account from the event message:
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x8190601
New Account:
Security ID: TESTLAB\Random
Account Name: Random
Account Domain: TESTLAB
Attributes:
SAM Account Name: Random
Display Name: Random
User Principal Name: Random@AD.TESTLAB.NET
...这样的事情应该可以工作:
Something like this should work:
$upn = 'sometext@gmail.com'
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4720} |
Where-Object { $_.Message -match "user principal name:\s+$upn" } |
Select-Oject -Expand Message |
Select-String '(?<=subject:\s+security id:\s+\S+\s+account name:\s+)\S+' |
Select-Object -Expand Matches |
Select-Object -Expand Value
这篇关于Powershell 查找创建该帐户的用户的名称的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
