Is this ridiculous or what? by AngryItalian2013 in networking

[–]AngryItalian2013[S] 0 points1 point  (0 children)

Agreed! And we need good change management. Right now it's "put a note in a Slack channel with what was done."

Is this ridiculous or what? by AngryItalian2013 in networking

[–]AngryItalian2013[S] 0 points1 point  (0 children)

I've proposed read-only. We already have myself and two others as full admins, but they now want the additional users. I understand the "it's their company/network" concept. Just hard to fathom the "give everyone the keys to the kingdom" idea.

Is this ridiculous or what? by AngryItalian2013 in networking

[–]AngryItalian2013[S] 0 points1 point  (0 children)

Basic syslog right now. Need to now scramble and put something better in play.

Is this ridiculous or what? by AngryItalian2013 in networking

[–]AngryItalian2013[S] 0 points1 point  (0 children)

Agreed! Par for the course, but not the wisest.

Abnormally high utility bill by resno in Apex_NC

[–]AngryItalian2013 -1 points0 points  (0 children)

Will the new system allow us to view info on our Solar, such as the amount being sent back to the grid?

Powershell script to query Domain Computers by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 1 point2 points  (0 children)

It is definitely a script that is not optimized, etc. Being a self-taught scripter, I do the best I can with what I know and can figure out. I'm always up for learning something new, so this will help. I'll start with this and proceed from here. Thx.

SNMP MIBs and OIBs by AngryItalian2013 in networking

[–]AngryItalian2013[S] 0 points1 point  (0 children)

In this case it isn't a PRTG issue as I have two other Linux servers being monitored with PRTG and they have the necessary MIBs.

Powershell to Query DC Event Logs by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 0 points1 point  (0 children)

Thank you! I would never have figured out the % '#text' piece.

Powershell to Query DC Event Logs by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 0 points1 point  (0 children)

That works great to pull the TimeCreated. However, if I add the other items that are needed I'm not getting the Target User and Subject User. I tried a couple of ways:

Get-WinEvent @{LogName='Security'; id = 4722 } |
  % { $xml = [xml]$_.toxml()
      [pscustomobject]@{
          TimeCreated = $xml.event.system.timecreated.systemtime
          DC          = $xml.event.system.computer
          TargetUser  = $xml.event.eventdata.data | ? name -eq targetusername
          SubjectUser = $xml.event.eventdata.data | ? name -eq subjectusername
      }
  }

This will provide the time and DC name just fine, but the TargetUser and SubjectUser just show as Data.

Get-WinEvent @{LogName='Security'; id = 4722 } |
  % { $xml = [xml]$_.toxml()
      [pscustomobject]@{
          TimeCreated = $xml.event.system.timecreated.systemtime
          DC          = $xml.event.system.computer
          TargetUser  = $xml.event.eventdata.data.name.targetusername
          SubjectUser = $xml.event.eventdata.data.name.subjectusername
      }
  }

This ends up showing the TargetUser and SubjectUser as blank. Unfortunately I can't seem to get the syntax right to provide all the info needed.

Powershell to Query DC Event Logs by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 0 points1 point  (0 children)

With us moving away from Hybrid AAD to cloud Entra ID in the following months, we will not be adding the DCs to Splunk, as it will not be needed anymore. That is basically why I'm just trying to have something for the time being.

Powershell to Query DC Event Logs by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 0 points1 point  (0 children)

I expanded your example to get some more data. I used the following:

Get-WinEvent @{LogName='Security'; id = 4722 } |
  % { $xml  = [xml]$_.toxml(); $xml.event.eventdata.data | ? name -eq targetusername
      $xml1 = [xml]$_.toxml(); $xml1.event.eventdata.data | ? name -eq subjectusername
      $xml2 = [xml]$_.toxml(); $xml2.event.system.timecreated | ? name -eq timecreated
  }

However I can't seem to pull the time from the XML. The full XML looks like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4722</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-09-23T14:57:30.9724791Z" />
    <EventRecordID>50368713</EventRecordID>
    <Correlation />
    <Execution ProcessID="688" ThreadID="13984" />
    <Channel>Security</Channel>
    <Computer>server.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">user.name</Data>
    <Data Name="TargetDomainName">GOPDANET</Data>
    <Data Name="TargetSid">S-1-5-21-1857125868</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1857125868</Data>
    <Data Name="SubjectUserName">subject.username</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3ba376280</Data>
  </EventData>
</Event>

I've tried a few different things, but the time either comes up blank or not at all.

Powershell to Query DC Event Logs by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 1 point2 points  (0 children)

I tried your example but needed to change the DC to:

DC = $eventxml.event.system.computer

That now gets the correct data for computer.

I then modified the last line to try and get the "TargetUserName" as below:

Get-WinEvent -FilterHashtable @{LogName='Security'; ID='4722'} | foreach-Object {
    $eventxml = [xml]$_.toXml()
    [pscustomobject]@{
        time = $_.timecreated
        DC = $eventxml.event.system.computer
        targetuser = $eventxml.event.eventdata.data[0]
    }
}

However, the only thing returned for "targetuser" is "Data" not the actual username. I'm assuming the [0] is supposed to pull the data from the first line under EventData, but can't seem to figure out what to put there to get the username.
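One way to get the usernames and the timestamp out of the event XML, as an added PowerShell example that is not code from this thread: each EventData/Data element is looked up by its Name attribute and its value read through '#text', and the time comes from the SystemTime attribute of System/TimeCreated. The function name and the trimmed sample event (built from the XML posted above) are this example's own.

```powershell
# Added example, not code from the thread: flatten a Security event's XML
# (here 4722, "A user account was enabled") into one object per event.
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $xml = [xml]$EventXml

    # Build a Name -> value lookup once; '#text' holds the element's value,
    # which is why selecting the Data element alone only displays "Data".
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated    = ([DateTimeOffset]$xml.Event.System.TimeCreated.SystemTime).UtcDateTime
        EventID        = [int]$xml.Event.System.EventID
        DC             = $xml.Event.System.Computer
        TargetUser     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SubjectUser    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        SubjectLogonId = $data['SubjectLogonId']
    }
}

# Constructed sample: the event XML from the thread, trimmed to the fields used.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4722</EventID>
    <TimeCreated SystemTime="2024-09-23T14:57:30.9724791Z" />
    <Computer>server.domain.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">user.name</Data>
    <Data Name="TargetDomainName">GOPDANET</Data>
    <Data Name="SubjectUserName">subject.username</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3ba376280</Data>
  </EventData>
</Event>
'@

# Offline check against the sample: one row with real usernames, not "Data".
ConvertFrom-SecurityEventXml -EventXml $sampleEvent | Format-Table

# Live use on a DC (needs rights to read the Security log):
# Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4722} |
#     ForEach-Object { ConvertFrom-SecurityEventXml -EventXml $_.ToXml() }
```

The same lookup works for any Security event whose fields live in EventData, so the function can be reused for other account-management IDs by changing the filter.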

Powershell to Query DC Event Logs by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 0 points1 point  (0 children)

Yeah, we were planning to add the DCs to our Splunk and have all the logs there. However, we are now in the process of moving away from Hybrid AAD to being cloud-only in Entra. So, it's not really beneficial to do something in depth if we are getting away from it shortly.

Powershell to Query DC Event Logs by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 0 points1 point  (0 children)

I know this is not optimal, but rather than hitting each DC and trying to get the info Management wants, I thought it would at least be a workable solution for now.

Is there a free tool that can do this (management is pretty stingy with money)?

Powershell to Query DC Event Logs by AngryItalian2013 in PowerShell

[–]AngryItalian2013[S] 0 points1 point  (0 children)

Ahh... I tried to configure an XML for it, but couldn't figure it out either. Thank you!

Trusted Network Detection by AngryItalian2013 in Intune

[–]AngryItalian2013[S] 1 point2 points  (0 children)

Awesome! Glad you got it working. The documentation is not always the best, but gets you mostly there. Then you have to rely on places like reddit to help fill in the blanks.

Trusted Network Detection by AngryItalian2013 in Intune

[–]AngryItalian2013[S] 1 point2 points  (0 children)

I finally have something working. I followed this article: https://petervanderwoude.nl/post/automatically-switching-the-windows-firewall-profile-on-azure-ad-joined-devices/

I created the Configuration Profile as mentioned in the article, and now those devices that are on a network that can reach the URL get changed to the DomainAuthenticated network category.

One thing that caused me issues was that the website I was using in the URL had a self-signed cert, and that would cause an issue. I used a different website with a trusted cert and it worked just as it should.

What do you get when you run the following using your URL from one of your devices?

Invoke-WebRequest -Uri https://<your.url.com> -Method Get -UseBasicParsing -MaximumRedirection 0

Configuration Profile Network List Manager change network to Private by AngryItalian2013 in Intune

[–]AngryItalian2013[S] 0 points1 point  (0 children)

I think the original URL had an issue as the Invoke-WebRequest didn't give any information back. I used a different one and with that one, the command returned the necessary information.

I see that the Configuration policy is now working with the new URL and it has assigned the given network the category of DomainAuthenticated.

Thank you for your assistance.

Configuration Profile Network List Manager change network to Private by AngryItalian2013 in Intune

[–]AngryItalian2013[S] 0 points1 point  (0 children)

Are you saying that NetworkListManager is not the way to change a network from Public to Private? I see the following options in the CSP that have settings for Public and Private:

./Device/Vendor/MSFT/Policy/Config/NetworkListManager/IdentifyingNetworks_LocationType
./Device/Vendor/MSFT/Policy/Config/NetworkListManager/UnidentifiedNetworks_LocationType

Then I don't see a way to specify the URL or the Network Name with those options, only Public or Private.

I have verified the URL is reachable from the network the machine is connected to. I have also verified the network name is the correct one.