INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

Find/Replace?

Find/Replace?

(OP)
Hi guys,

I'm using the following that i've cobbled together for helpdesk to get info on account lockouts... what I'm not too sure about is that when it outputs a specific servername (as 'Client Name'), i.e. OURISASERVER - I want it to replace that field with "Mobile Device"... I'm just not too sure how to do that in the following, can someone help at all?

(I've converted this to .exe with ps2exe so the password in it shouldn't be a problem as they can't see the code)

$Admin = "admindomain\adminaccount"
$Password = convertto-securestring "adminpwd" -asplaintext -force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $Admin, $Password
$user = Read-Host "Please enter User Name to look for?"
Write-Host "Searching, Please Wait..." -foregroundcolor "green"
Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCDomainController | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
Write-Host
Write-Host "Complete!" -foregroundcolor "green"
Write-Host
Write-Host Press Any Key to Quit... -foregroundcolor "Yellow"
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

RE: Find/Replace?

Woolers,
I'm not sure I understand what you're wanting to do. Can you provide an output example?

However, from what I think I understand, I believe you need to store the results in a variable, then work with that.

Something like this:

CODE

$events = <your event-gathering code>
foreach ($event in $events)
{
 <look for the value you want to change and then change it>
} 


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Find/Replace?

(OP)
Hi Blister,

So this script grabs events from locked out user accounts & outputs the format as follows:

TimeCreated User Name Client Name
----------- --------- -----------
26/02/2016 07:51:05 lockeduser LockedOutMachine
26/02/2016 07:04:48 lockeduser LockedOutMachine
26/02/2016 06:10:05 lockeduser LockedOutMachine

The problem is that I would like to do a find/replace on the output of this line:

Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
Effectively if the output, as above is "LockedoutMachine" (which is a specific server) I want to replace it with "Mobile Device" for instance...

Hope that helps a little more..
Thank you.

RE: Find/Replace?

Does this work for you?

CODE -->

$change_name = "LockedOutMachine"
$new_name = "Mobile Device"

$events = Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCDomainController | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}

foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

$events | ft
} 


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Find/Replace?

(OP)
Hi Blister,

That certainly looks like it will work! As soon as I come across a user that has been locked out via our ISA box I'll give it a try!

Many thanks for pointing me in the right direction!

smile

RE: Find/Replace?

(OP)
Hi Blister,

Just FYI, this seems to be working fine, however it's outputting twice now.... with the original machine, then the replaced name..

So the output looks like this

TimeCreated User Name Client Name
----------- --------- -----------
26/02/2016 07:51:05 lockeduser LockedOutMachine
26/02/2016 07:04:48 lockeduser LockedOutMachine
26/02/2016 06:10:05 lockeduser LockedOutMachine
26/02/2016 07:51:05 lockeduser Mobile Device
26/02/2016 07:04:48 lockeduser Mobile Device
26/02/2016 06:10:05 lockeduser Mobile Device

Don't suppose you have any idea at all?

RE: Find/Replace?

What does your code look like?

You should have replaced:

CODE -->

Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCDomainController | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}} 

with

CODE -->

$change_name = "LockedOutMachine"
$new_name = "Mobile Device"

$events = Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCDomainController | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}

foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

$events | ft
} 


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Find/Replace?

(OP)
Hi blister!

Totally forgot about this until now! - Yes I'm afraid it still seems to be showing duplicates... I'm clearly not good with powershell!
Here's the code::

CODE --> Powershell

$change_name = "SERVER1"
$change_name2 = "SERVER2"
$change_name3 = "SERVER3"
$new_name = "O365 - Mobile Device/iPad/Android"
$new_name3 = "Mobile Device/iPad/Android"
$Admin = "domain\admin"
$Password = convertto-securestring "adminpwd" -asplaintext -force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $Admin, $Password
$user = Read-Host "Please enter User Name to look for?"
Write-Host "Searching, Please Wait..." -foregroundcolor "green"
$events =  Get-WinEvent -Credential $cred -Logname 'Security' `
-FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$User']]" `
-ComputerName PDCEMULATOR | `
Select-Object TimeCreated,@{Label='User Name';Expression={$_.Properties[0].Value}},@{Label='Client Name';Expression={$_.Properties[1].Value}}
foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name2)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name3)
	{$event."Client Name" = $new_name3}

$events | ft
} 
Write-Host 
Write-Host "Complete!" -foregroundcolor "green"
Write-Host 
Write-Host Press Any Key to Quit... -foregroundcolor "Yellow"
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") 

Kind Regards
Woolers

RE: Find/Replace?

This looks like it could be my mistake in the code I provided, earlier.

Try changing this:

CODE -->

foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name2)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name3)
	{$event."Client Name" = $new_name3}

$events | ft
} 

To this:

CODE -->

foreach ($event in $events)
{
 if ($event."Client Name" -eq $change_name)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name2)
	{$event."Client Name" = $new_name}

 if ($event."Client Name" -eq $change_name3)
	{$event."Client Name" = $new_name3}
}
$events | ft 

Also, a switch statement may be better for you depending on the number of devices. You wouldn't have to go through all the if statements, then:

CODE -->

foreach ($event in $events)
{
 switch($event."Client Name")
	{
	 {($_ -eq $change_name) -OR ($_ -eq $change_name2)}
		{$event."Client Name" = $new_name; break}
	 {$_ -eq $change_name3}
		{$event."Client Name" = $new_name3; break}
	}
}
$events | ft 


Light travels faster than sound. That's why some people appear bright until you hear them speak.

RE: Find/Replace?

(OP)
Blister911

You Sir, are brilliant!! - it's now working like a charm.. I used the switch code in it & boom!

Thank you very much indeed!!
:)

Woolers

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close