A Look into the Future Using PowerShell


I was on site (some time ago) reviewing data for an ADRAP (Active Directory Risk Assessment Program).  One of the issues identified was an event log entry.  The eventID is not significant for this discussion, other than I was looking for an event.  The ADRAP tool looks 5 days back by default and I wanted to look for the total number of occurrences on all the domain controllers and not be restricted to 5 days.

I could have easily modified the settings on the ADRAP tool to look further back in time, however I was interested in only a single event ID.  So I broke out eventComb.  I then searched for the event looking many months in the past and to my surprise eventComb did not find a single occurrence of the event I was trying to find.

I had to have done something wrong: typo on the events, wrong date range, or some other user error.  After some head scratching I looked back at the ADRAP tool event and found the event I was looking for occurred 5 months in the FUTURE.  Argh!

My focus changed.  I was now more concerned with finding which domain controllers had future events, which would indicate a time shift.  Moving a domain controller's clock forward and then back again (or the reverse) can be detrimental, to say the least, to the entire forest.

I could have used eventComb again, but being a novice at PowerShell I decided to try my hand at PowerShell to find events on all domain controllers regardless of the event ID that occurred in the future.

A simple command in PowerShell can find this for you:

Get-EventLog -LogName System -ComputerName dc1.contoso.com -After 1/5/2012

This is great if you only have one DC and only want to look in the System log.  Or if you have idle time on your hands and can keep running the same command manually for each log on each DC.  Not practical.  So I have polished that command into a script and have it here for you.   It is not tied to a specific domain (it queries the domain controllers of whatever domain you run it in), but it only looks in the System, Application, and Security logs.  I did not choose the NTFRS log because it is not very active and not a likely location to find a future event.  Likewise, I did not include the DNS log because you may not have DNS on all domain controllers.  However, the three event logs should provide a hit if there is a future event.


Import-Module ActiveDirectory
$EVTlogs = "System","Application","Security"
# Keep the cut-off as a [DateTime] for the -After comparison; the %m/%d/%y strings are for display only.
$d2 = (Get-Date).AddDays(2)
$d2Display = Get-Date $d2 -UFormat %m/%d/%y
$d0 = Get-Date -UFormat %m/%d/%y

Clear-Host
Write-Host "This simple script looks for future events on all Domain Controllers in the current domain"
Write-Host "I set the future to 2 days ahead to ensure that the events recorded while the script is running"
Write-Host "do not get flagged as future events"
Write-Host " "
Write-Host "If future events are discovered it will display red on yellow" -ForegroundColor Red -BackgroundColor Yellow
Write-Host " "
Write-Host " "

# Every DC in the current domain, global catalog or not (the original filter
# "isglobalcatalog -eq $TRUE -or isglobalcatalog -eq $FALSE" matched everything, so -Filter * is the same set).
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_

    Write-Host " "
    Write-Host "================================================="
    Write-Host "Reviewing" $dc.HostName "System, Application, and Security Event Logs"
    Write-Host "Today's date is $d0"
    Write-Host "Looking for dates $d2Display and beyond"
    Write-Host "================================================="

    foreach ($whichLog in $EVTlogs) {
        # Get-EventLog writes a non-terminating "No matches found" error when nothing is after the cut-off,
        # so silence it and keep the error in $readErr to tell "no future events" apart from "could not read the log".
        $findout = Get-EventLog -LogName $whichLog -ComputerName $dc.HostName -After $d2 -ErrorAction SilentlyContinue -ErrorVariable readErr
        if ($findout) {
            Write-Host "Future events found in: " $whichLog -ForegroundColor Red -BackgroundColor Yellow
        }
        elseif ($readErr -and $readErr[0].Exception.Message -notmatch 'No matches found') {
            Write-Warning "Could not read the $whichLog log on $($dc.HostName): $($readErr[0].Exception.Message)"
        }
        else {
            Write-Host "No Future events found in: " $whichLog
        }
    }
}

Write-Host " "
Write-Host "/\/\/\/\/\/\/\/\"
Write-Host "Search Complete"
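As an added example (not code from the original post), here is a variant of the same search that goes a step further: instead of a per-log yes/no, it lists each future-dated entry and reads each DC's own clock over WMI so an entry can be tied to a skewed DC. The 2-day margin, the three logs, and the output path FutureEvents.csv are assumptions carried over from the script above.

```powershell
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(2)                       # same 2-day margin as the script above (assumption)
$logs   = "System", "Application", "Security"

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Read the DC's own clock over WMI so a future-dated entry can be tied to a skewed DC.
    $offsetMinutes = $null
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc.HostName -ErrorAction Stop
        $offsetMinutes = [math]::Round(($os.LocalDateTime - (Get-Date)).TotalMinutes, 1)
    } catch {
        Write-Warning "Could not read the clock on $($dc.HostName): $($_.Exception.Message)"
    }

    foreach ($log in $logs) {
        # "No matches found" is Get-EventLog's normal answer when nothing is after the cut-off;
        # any other error means the log could not be read and deserves a warning, not silence.
        $entries = Get-EventLog -LogName $log -ComputerName $dc.HostName -After $cutoff -ErrorAction SilentlyContinue -ErrorVariable readErr
        if ($readErr -and $readErr[0].Exception.Message -notmatch 'No matches found') {
            Write-Warning "Could not read the $log log on $($dc.HostName): $($readErr[0].Exception.Message)"
            continue
        }
        foreach ($e in $entries) {
            [pscustomobject]@{
                DC               = $dc.HostName
                Log              = $log
                TimeGenerated    = $e.TimeGenerated
                EventID          = $e.EventID
                Source           = $e.Source
                DCClockOffsetMin = $offsetMinutes
            }
        }
    }
}

if ($results) {
    $results | Sort-Object TimeGenerated -Descending | Format-Table -AutoSize
    $results | Export-Csv -Path .\FutureEvents.csv -NoTypeInformation   # assumed output path
} else {
    Write-Host "No future events found on any domain controller."
}
```

A DC whose DCClockOffsetMin is near zero but still shows future entries was most likely shifted and set back again, which is exactly the case the post is concerned with.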

Comments
  • The code looks wrong to me.  Shouldn't (near the end of the script) "if ($findout = get-eventlog -log system ..." be "if ($findout = get-eventlog -log $whichLog ..."??  Cool little job though.

  • Thanks.  I hadn't updated the line with the variable.  I updated the post.
