
Remote Access to Domain Controller Security Events


I would like to pull Security events from two Domain Controllers remotely to audit use of an account and to provide guidance for account lockouts. Locally on the DC my PowerShell works fine provided PowerShell is run with elevated privileges. Remotely, having added the account used to the AD "Builtin" folder's security group "Event log readers", I can access events other than Security events remotely. However, a line like the one below does not work for Security events. Zero events are returned.

    $events = Invoke-Command -ComputerName $dc -Credential $cred -scriptblock {Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']=`'$account`']]"}

Tips appreciated on how I get past the need for elevated privileges remotely.


Solution

  • You can use the parameters ComputerName and Credential with the cmdlet Get-WinEvent and query the events like this:

    $events = Get-WinEvent -ComputerName $dc -Credential $cred -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']=`'$account`']]"
    

    Or, if you stick to Invoke-Command, you have to use $using:account instead of $account within the ScriptBlock (like @Mathias said in the comment) to send that local variable to the remote host:

    $events = Invoke-Command -ComputerName $dc -Credential $cred -scriptblock {Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']=`'$using:account`']]"}
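
An added example, not part of the original answer: it applies the first form (Get-WinEvent with -ComputerName and -Credential) to several domain controllers and pulls the logon fields out of each event. The function name Get-AccountLogonEvent, its parameters, and the host and account names in the usage comment are assumptions.

```powershell
# Added example: query several DCs for Security events about one account.
function Get-AccountLogonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,
        [Parameter(Mandatory)] [string]       $Account,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $EventId   = 4624,   # logon event used on this page
        [int] $MaxEvents = 200
    )

    # Reject quotes so the account name cannot break out of the XPath literal.
    if ($Account -match '[''"]') {
        throw 'Account name must not contain quote characters.'
    }
    # Built locally, so $Account is expanded here and no $using: is needed.
    $xpath = "*[System[EventID=$EventId] and EventData[Data[@Name='TargetUserName']='$Account']]"

    foreach ($dc in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -Credential $Credential -LogName Security `
                -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop
        }
        catch {
            # Get-WinEvent raises an error when nothing matches or access is denied.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            # EventData fields are name/value pairs in the event XML.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                TargetUserName   = $data['TargetUserName']
                LogonType        = $data['LogonType']
                IpAddress        = $data['IpAddress']
                WorkstationName  = $data['WorkstationName']
            }
        }
    }
}

# Usage (host and account names are placeholders):
# Get-AccountLogonEvent -ComputerName 'dc01','dc02' -Account 'jdoe' -Credential $cred
```

The warning per domain controller separates "no matching events" from an access error, which a silent empty result does not.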