问题不在于这个脚本是否完美,但问题在于它还适用于“管理员”和“访客”帐户,这是我不想要的。所以我创建了一个if else语句,但它不起作用,也许有人看到我做错了很快?
脚本是什么?当某人被锁定在AD中时,它会创建一个包含信息(主机名,域名,用户名)的HTML邮件。
这是剧本:
$DC = "DC1"
$Report= "c:\powershell\html.html"
$Name1 = "Administrator", "Guest"
$log2 = "C:\powershell\temp.log"
$HTML=@"
<title>Account locked out Report</title>
<style>
BODY{background-color :#FFFFF}
TABLE{Border-width:thin;border-style: solid;border-color:Black;border-collapse: collapse;}
TH{border-width: 1px;padding: 1px;border-style: solid;border-color: black;background-color: ThreeDShadow}
TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color: Transparent}
H2{color: #457dcf;font-family: Arial, Helvetica, sans-serif;font-size: medium; margin-left: 40px;
</style>
"@
$Account_Name = @{n='Account name';e={$_.ReplacementStrings[-1]}}
$Account_domain = @{n='Account Domain';e={$_.ReplacementStrings[-2]}}
$Caller_Computer_Name = @{n='Caller Computer Name';e={$_.ReplacementStrings[-1]}}
$event= Get-EventLog -LogName Security -ComputerName $DC -InstanceId 4740 -Newest 1 |
Select TimeGenerated,ReplacementStrings,"Account name","Account Domain","Caller Computer Name" |
% {
New-Object PSObject -Property @{
"Account name" = $_.ReplacementStrings[-7]
"Account Domain" = $_.ReplacementStrings[5]
"Caller Computer Name" = $_.ReplacementStrings[1]
Date = $_.TimeGenerated
}
}
$event | ConvertTo-Html -Property "Account name","Account Domain","Caller Computer Name",Date -head $HTML -body "<H2> User is locked in the Active Directory</H2>"|
Out-File $Report -Append
Get-EventLog -LogName Security -ComputerName DC1 -InstanceId 4740 -Newest 1 | Format-List >> $log2
If ((Get-Content $log2 ) -contains $Name1 )
{
#Don't do shit
}
Else
{
$MailBody= Get-Content $Report
$MailSubject= "User Account locked out"
$SmtpClient = New-Object system.net.mail.smtpClient
$SmtpClient.host = "smtp.smtp.com"
$MailMessage = New-Object system.net.mail.mailmessage
$MailMessage.from = "mailadress@mailadress.com"
$MailMessage.To.add("mailadress@mailadress.com")
$MailMessage.Subject = $MailSubject
$MailMessage.IsBodyHtml = 1
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)
}
Remove-Item c:\powershell\html.html
Remove-Item C:\Powershell\temp.log
答案 0 :(得分:0)
你可以在这里使用正则表达式。像这样的东西:
$exclude="administrator|guest"
if (Select-String -path $log2 -Pattern $exclude -Quiet ){
#do nothing
}
答案 1 :(得分:0)
一些事情:
InstanceID不一定(必然)与EventId -contains仅对集合进行精确匹配,不要将其与String.Contains() 使用Get-EventLog从日志中获取事件,然后从Get-WinEvent -FilterXPath属性中的替换字符串中获取帐户名,帐户域和来电计算机名称,而不是Properties。 ,像这样:
$DC = "DC1"
$EventId = 4740
# The first, second and sixth string corresponds to Account, Caller and Domain, respectively
$StringIndices = 0,1,5
$Account,$Caller,$Domain = ForEach-Object -InputObject $StringIndices -Begin {
$EventStrings = Get-WinEvent -LogName Security -MaxEvents 1 -ComputerName $DC -FilterXPath "*[System[EventID=$EventID]]" | Select-Object -ExpandProperty Properties
} -Process {
$EventStrings[$_].Value
}
$Domain = $Domain.TrimStart('\')
现在你可以做到:
if(("Administrator","Guest") -contains $Account){
# Don't do anything
} else {
# Yes, it's a regular user, let's send some mail!
}
答案 2 :(得分:0)
我要改变
If ((Get-Content $log2 ) -contains $Name1 )
到
$to_b_chkd = Get-Content $log2
If ($to_b_chkd -contains $Name1)
{
dont do anything}
else
{
do some stuff}
也可以添加
write-host $to_b_chkd
确保正确设置以满足条件