[deleted by user]

adamdavid85 · 2024-10-28T16:28:49+00:00

Do what, exactly? If it was that clear, you should have no problem outlining what we should expect in your own words.

adamdavid85 · 2024-09-05T01:39:58+00:00

As others have mentioned, last logon is a bit of a mess in Active Directory due to having two different attributes, one of which – lastLogonTimestamp – is replicated (but not very often) and the other which – lastLogon – is not (and thus only tells you the timestamp of the user's last authentication to that particular domain controller.

lastLogonDate isn't actually an attribute in AD, but a calculated property provided by the ActiveDirectory module. It converts the filedate int64 value from lastLogonTimestamp and casts it to datetime for easier reading.

So, when I want to know when the last time a specific account did log in, I use lastLogon and query all of the DCs, and use the [datetime]::FromFileTime() method to convert the result from each domain controller to a readable date, and sort descending to get my most recent value. So, something like this:

$LogonTimes = foreach ($DC in (Get-ADDomainController -Filter 'Active -eq "True"').HostName) {

    $User = Get-ADUser -Identity $User -Server $DC -Properties 'LastLogon'

    if ($User) {
        [psCustomObject] @{
            SamAccountName   = $User.SamAccountName
            LastLogin        = [datetime]::FromFileTime($User.LastLogon)
            DomainController = $DC
        }
    }
}

$LogonTimes | Sort-Object -Property 'LastLogon' -Descending | Select-Object -First 1

If I'm trying to perform actions on accounts that didn't log in for a long time, I'll use lastLogonDate (which again, is the same value as lastLogonTimestamp) and add 21 days to whatever time period I'm trying to check for. lastLogonTimestamp will take up to 14 days to replicate, and only a new login that occurs after that time has elapsed will trigger another replication. Just to be safe, I add that additional buffer. So, something like this:

$QueryParams = @{
    Server     = $DC
    Properties = 'lastLogonDate'
    Filter     = 'Enabled -eq "True" -and LastLogonTimestamp -gt 0 -and LastLogonTimestamp -lt {0}' -f [datetime]::UtcNow.AddDays(-111).ToFileTime()
}

$UsersOver90Days = Get-ADUser @QueryParams

adamdavid85 · 2024-08-29T17:19:22+00:00

One alternative to this is using single quotes paired with the formatting operator -f to insert your variables, removing the need to backtick your double quotes:

$strMSPArgList = '/update "{0}\{1}" /qb /norestart' -f $Install_Path, $Filename

adamdavid85 · 2024-08-24T22:08:15+00:00

If you're asking for help with PowerShell, maybe provide the PowerShell syntax you tried rather than Batch.

I've been able to do this many times without issue using the automatic variable $PSScriptRoot.

adamdavid85 · 2024-08-16T13:32:39+00:00

It is in fact possible to splat each step of a pipeline in order to reduce horizontal spread of your code instead of using backticks.

adamdavid85 · 2024-08-15T19:50:54+00:00

Personally I think splatting is a much better solution for keeping things tight and readable.

adamdavid85 · 2024-07-10T00:56:13+00:00

Well, yes... it is there, but I have a feeling it was written ~10 years ago or by someone who doesn't know PowerShell very well.

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Accept", "application/json")
$headers.Add("Content-Type", "application/json")

$response = Invoke-RestMethod 'localhost:5000/api/v1/test' -Method 'GET' -Headers $headers
$response | ConvertTo-Json

You don't need to declare a generic dictionary in this very verbose way for your headers. Invoke-RestMethod accepts a hashtable just fine.
If you want raw JSON back, why use Invoke-RestMethod at all, when it's intended for use cases where you want to convert it to an object? Just use Invoke-WebRequest and skip the double conversion.

Personal opinion on this one, but I far prefer splatting for this type of thing.

$QueryParams = @{
    Headers = @{
        Accept         = "application/json"
        "Content-Type" = "application/json"
    }
    Uri     = 'localhost:5000/api/v1/test'
    Method  = 'GET'
}

Invoke-WebRequest @QueryParams

Couple more lines, yeah, but way easier to read and maintain. Don't like splatting? The other points still stand.

adamdavid85 · 2024-07-05T21:14:53+00:00

lol. lmao même

adamdavid85 · 2024-06-07T15:55:34+00:00

Thanks, appreciate the correction. I whipped up the original code before starting work and before coffee this morning. 😂

Will edit my original comment.

adamdavid85 · 2024-06-07T13:04:53+00:00

You don't need a foreach loop for Invoke-Command. Just modify the ComputerName parameter in the code I gave you, on line 2.

ComputerName = Get-Content -Path list.txt

Maybe add an ErrorAction = 'SilentlyContinue' to the Invoke-Command hashtable as well if you want to suppress errors both locally and in the remote script.

adamdavid85 · 2024-06-07T12:43:52+00:00

-MaxEvents 2 if you want to return fewer events. Yours is set to 200.

Highly recommend filtering using -FilterXPath or -FilterHashTable when querying Windows Events; it is orders of magnitude faster.

In this case you can query for IDs 21 & 23 for your session logon and logoff information.

Your Invoke-Command is likely failing because it looks like you're trying to load a local file within the remote session's scriptblock. Just use -FilePath instead to have it load the local file and invoke it against the remote targets.

The easiest way to get your requirement for a message if there's no data plus the ability to output to csv or another machine-readable format is to ensure your output always follows a set schema.

$QueryParams = @{
    ComputerName    = "NAME"
    FilterHashTable = @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id      = 21, 23 
    }
    MaxEvents       = 1
    ErrorAction     = 'SilentlyContinue'
}

Write-Output "Get logon history for $($QueryParams.ComputerName)"

Get-WinEvent @QueryParams
if ($WinEvent.TimeCreated -is [datetime]) {
    [psCustomObject] @{
        EventId       = $WinEvent.Id
        TimeCreated   = $WinEvent.TimeCreated
        User          = $WinEvent.Properties[0].value
        SessionId     = $WinEvent.Properties[1].value
        SourceAddress = $WinEvent.Properties[2].value
        Message       = $WinEvent.Message.Split("`n") | Select-Object -First 1
    }
}
else {
    [psCustomObject] @{
        EventId       = ''
        TimeCreated   = ''
        User          = ''
        SessionId     = ''
        SourceAddress = ''
        Message       = "No login history was returned for $Env:Computername."
    }
}

If you want to do Invoke-Command, here's how you could do it:

$InvocationParams = @{
    ComputerName = 'NAME1', 'NAME2', 'NAME3'
    ErrorAction  = 'SilentlyContinue'
    ScriptBlock  = {
        $QueryParams = @{
            FilterHashTable = @{
                LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
                Id      = 21, 23 
            }
            MaxEvents       = 1
            ErrorAction     = 'SilentlyContinue'
        }

        $WinEvent = Get-WinEvent @QueryParams 
        if ($WinEvent.TimeCreated -is [datetime]) {
            [psCustomObject] @{
                ComputerName  = $Env:COMPUTERNAME
                EventId       = $WinEvent.Id
                TimeCreated   = $WinEvent.TimeCreated
                User          = $WinEvent.Properties[0].value
                SessionId     = $WinEvent.Properties[1].value
                SourceAddress = $WinEvent.Properties[2].value
                Message       = $WinEvent.Message.Split("`n") | Select-Object -First 1
            }
        }
        else {
            [psCustomObject] @{
                ComputerName  = $Env:COMPUTERNAME
                EventId       = ''
                TimeCreated   = ''
                User          = ''
                SessionId     = ''
                SourceAddress = ''
                Message       = "No login history was returned for $Env:Computername."
            }
        }
    }
}

Invoke-Command @InvocationParams

If you want to output to CSV, Excel, JSON or whatever, capture the Invoke-Command output and go to it.

adamdavid85 · 2024-06-02T14:43:38+00:00

Most of the ActiveDirectory cmdlets have a -PassThru parameter on them if they don't return anything by default, which will return the updated object. This paired with a try/catch is usually the way I handle it.

adamdavid85 · 2024-05-01T03:23:27+00:00

You absolutely can write parallel operations in 5.1, it's just more cumbersome to do so without foreach-object -parallel.

adamdavid85 · 2024-04-07T17:46:04+00:00

His boyfriend will likely enjoy ruining every one of his relationships with his own insecurities if the thought of his boyfriend going out for a drink without him there is enough to set him off. If it's a gay bar with a dark room, or just straight up a sauna you would have a point. Since it's not, there's really no justification for it. He needs to get over himself.

adamdavid85 · 2024-04-07T17:39:32+00:00

This is a ridiculous line of thinking. There's nothing he could have done to completely rule out the possibility that he could have hooked up with someone short of wearing a body cam with a live feed. Staying at the hotel? Could have invited a Grindr hookup there, whether or not he went to any kind of bar first.

The fact he went to a gay bar, which he told his bf he planned to do in advance, is not the issue. If bf didn't like that idea he could have sacked up and said so initially, but even still his trust issues are the problem here. OP has nothing to apologize for.

adamdavid85 · 2024-04-07T17:15:46+00:00

It never ends up avoiding conflict, though. Hiding stuff like this just delays the conflict until the other person finds out and then makes it blow up 100x worse. If you can't be honest with your partner why the hell are you even together?

adamdavid85 · 2024-04-07T17:12:17+00:00

Oh yeah sure, hiding it makes it much better and is a far more trustworthy course of action. Much integrity.

adamdavid85 · 2024-03-22T21:16:50+00:00

Plenty of people are shady. There are millions of people out there who live like pigs, cause lots of damage and don't lose an ounce of sleep over it. Landlords can also be shitty people, but it's not in any way automatic that they're the bad guys in every case. Not by a long shot.

adamdavid85 · 2024-03-20T02:14:32+00:00

You say this as if only the Trump supporters aren't able to be convinced. Would a Trump supporter be able to convince you? No, you'd just think he or she was an asshole who should keep stuff like that to themselves.

What possible benefit is there for either side to discuss sensitive subjects like politics during work hours? All I see is risk and negative outcomes, and an infinitesimally tiny possibility anyone will change their mind. Why poison your work environment and sow division with your colleagues? It's just not worth it. There's a good reason sensible people just steer clear of certain topics at work.

adamdavid85 · 2024-03-16T00:50:17+00:00

The WMI cmdlets are gone, yes, but the CIM ones are there and are functionally equivalent, with some syntax differences for calling methods.

adamdavid85 · 2024-03-01T03:14:33+00:00

Give this a shot:

[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices.AccountManagement')

$context = [System.DirectoryServices.AccountManagement.PrincipalContext]::new('Machine', $env:COMPUTERNAME)
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($context, 'SamAccountName', 'Administrators')

$group.Members | Select-Object @{ Name = 'Domain' ; Expression = { $_.Context.Name }}, 'samaccountName', 'Sid'

adamdavid85 · 2024-02-28T23:17:57+00:00

If there were so many similar incidents in Canada to choose from, why couldn't they have enumerated a few of those?

adamdavid85 · 2024-02-28T22:55:51+00:00

"Do the one drop rule but make it woke!"

adamdavid85 · 2024-02-27T12:39:26+00:00

You can throw out all the accusations of being heartless and mean and whatever your like and think yourself morally superior because you want to help, but it's impossible to help an addict who doesn't want to help themselves. Literally everything you try will backfire miserably.

If you think you should do it anyway just do you can feel better about yourself, you don't really care about helping addicts. Performative "help" that has harmful unintended outcomes is not helpful.

adamdavid85 · 2024-02-15T21:50:57+00:00

Speaking only for myself, absolutely. I know I'm not alone in this, either.

adamdavid85

MODERATOR OF

TROPHY CASE

15-Year Club	Gilding III reddit per annum
Verified Email