Tags: string, powershell, split, event-log, winlogon

Powershell EventLog ReplacementStrings -ExpandProperty


I need a logon database for all AD users. In order to retrofit this to past logons I am using the EventLog query in powershell. My query works:

Get-EventLog -ComputerName $endpoint System -Source Microsoft-Windows-Winlogon | select machinename,timegenerated,replacementstrings | export-csv c:\test.csv

ReplacementStrings returns an array of {1,SID}. I am using this SID as a lookup attribute to another table. I have looked online and tried to play around with expanding the property but no luck so far. As you can see I want to export this all to a csv with each event as a separate row containing: machinename, timegenerated, and then SID (which is what I need out of replacement strings). I have also looked into using .Split[1] but cannot get that to work because I am also requesting two other objects in the same query. Thanks in advance everyone; this one has me stumped.


Solution

  • I am not familiar with the structure of that data but a simple test on my own machine returns the same results. Looking at the data type it appears to just be a string array, which is why splitting it was not working. You can tell by how it is displayed on the console with {1, SID}. Instead we use a calculated property to extract the second value from the replacementstrings.

    Get-EventLog -ComputerName $endpoint System -Source Microsoft-Windows-Winlogon | 
            Select-Object machinename,timegenerated,@{Label="SID";Expression={$_.replacementstrings[1]}} |
            Export-Csv c:\test.csv
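Building on the calculated-property approach in the answer above, here is an added example (not from the question or the answer) that takes the export a step further for a logon database: it loops over several machines, keeps only the Winlogon logon/logoff notifications (event IDs 7001 and 7002 in the System log), guards against events whose ReplacementStrings array is shorter than expected, and resolves each SID to a DOMAIN\user name. The `$endpoints` list, the `$outFile` path and the `Resolve-SidToAccount` helper are assumptions made for this example.

```powershell
# Added example, not part of the original post. Placeholder inputs:
$endpoints = @('SERVER01', 'SERVER02')       # assumed machine list
$outFile   = 'C:\temp\winlogon-logons.csv'   # assumed output path

function Resolve-SidToAccount {
    param([string]$Sid)
    # Translate S-1-5-21-... to DOMAIN\user. Orphaned SIDs (deleted accounts) throw,
    # so keep the raw SID in that case rather than losing the row.
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

$rows = foreach ($endpoint in $endpoints) {
    Get-EventLog -ComputerName $endpoint -LogName System -Source Microsoft-Windows-Winlogon |
        Where-Object { $_.EventID -in 7001, 7002 } |
        ForEach-Object {
            # ReplacementStrings is a string[]; index 1 holds the SID for 7001/7002.
            # Some events carry fewer elements, so check the count before indexing.
            $sid = if ($_.ReplacementStrings.Count -ge 2) { $_.ReplacementStrings[1] } else { $null }
            [pscustomobject]@{
                MachineName   = $_.MachineName
                TimeGenerated = $_.TimeGenerated
                Event         = if ($_.EventID -eq 7001) { 'Logon' } else { 'Logoff' }
                SID           = $sid
                Account       = if ($sid) { Resolve-SidToAccount $sid } else { $null }
            }
        }
}

$rows | Sort-Object TimeGenerated | Export-Csv -Path $outFile -NoTypeInformation
```

The SID translation needs line of sight to a domain controller; if the script runs from a workstation without it, the `catch` branch leaves the raw SID in the Account column so the lookup against the other table still works. Keeping the SID column alongside the resolved name also means a renamed or deleted account can still be matched later.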