• Carsten

    The scripts are 404. :-(

    • Will fix soon, for now change the directory to /scriptz/ and it should work. NGINX config is new to me.

      Thanks for pointing it out.

  • Carsten

    I’m looking for the “File server permissions change auditing” script.

    • The part that parses the event logs is here: https://robbiecrash.me/scriptz/ParseEventLogs.ps1
      To clean them up after parsing use this: https://robbiecrash.me/scriptz/CleanOldLogs.ps1

      Hope that helps!

      • Carsten

        Global variables used in functions are evil.

        For writing the log, SDDL is useful (it’s short); for reading the log as a human, it’s not.
        http://poshcode.org/3921 – ConvertFrom-SDDL

        I prefer to identify admins through well-known SIDs.

        • Fair comment about local/global variables; I’m not super worried about using a global log file for a short script though.

          For parsing the SDDL stuff I use the script you linked to, but since that’s outside of the scope of the scripts, and I didn’t do anything with it, it’s not here. I’ve updated the source post here though to point to it.

          Using a SID was more effort than it’s worth in this case, as the event logs use the SAM name to identify who’s made the changes. Converting that account name to SID should be easy with Get-ADUser thrown into the mix.

          Anyhow, hope this saved you some effort!

          • Carsten

            Yep, thanks for the script.

            Do you use an extra script to find something in the log file?

          • Sorry I didn’t see this before. I’m not sure what you mean? The first script finds the events that I’m looking for in archived log files, but you can easily rewrite it to use the active logs; just change line 69 to use -listlog application|security|setup instead of -path $_