I wish to modify the script below to:
- Attach the Result HTML file that is written to Desktop folder, then send the email.
- Delete/clean up the HTML file after successful email sent.
The script below basically gets all the Event ID 4625 in the past 1 hour from all domain controllers.
$DCServers = Get-ADDomainController -filter * | select -ExpandProperty hostname
$events = @()
$totalCt = 0
$servers = @()
$hashLogonType = @{
2 = "Interactive"
3 = "Network"
4 = "Batch (eg. Scheduled Task)"
5 = "Service"
7 = "Unlock (eg. Workstation Screen saver)"
8 = "NetworkCleartext (eg. IIS Basic Auth.)"
9 = "NewCredentials"
10 = "Remote Desktop"
11 = "Logon With Cached Credentials"
}
Foreach ($Server in $DCServers)
{
Write-Host "Calling Get-WinEvent for $Server"
$serverEvents = Get-WinEvent -ComputerName $Server -FilterHashtable @{ logname = 'Security'; id = 4625; StartTime = (Get-Date).AddHours(-1) } -EA 0
if (!$?)
{
Write-Host "Get-WinEVent failure for $Server"
continue
}
if ($null -ne $serverEvents)
{
$totalCt += $serverEvents.Count
$servers += [PsCustomObject] @{ $server = $serverEvents.Count }
Write-Host $server $serverEvents.Count
}
$serverEvents | ForEach-Object {
$events += [PsCustomObject] @{
Date = $_.TimeCreated
"Event Id" = $_.Id
"User Name" = $_.Properties[6].Value + "\" + $_.Properties[5].Value ## fixed
"WorkstationName" = $_.Properties.Value[13]
"IPAddress" = $_.Properties.Value[19]
"FailureReason" = (($_.message -split "\n") | Select-String -Pattern "Failure Reason:\s+(.+)").matches[0].groups[1].value
"Status Code" = $_.message -split '\s{4}' | Select-String -Pattern "Status"
"Logon Type" = $hashLogonType.$([int]$_.Properties[10].Value)
}
}
}
$HTML = @"
<style>
body {
font-family: Arial;
}
table {
width: 100%;
border-collapse: collapse;
border: 1px solid;
}
th {
background-color: green;
border: 1px solid;
padding: 1px;
}
td {
border: 1px solid;
padding: 1px;
}
</style>
"@
$GetDate = Get-Date -Format 'F'
$Report = "[Environment]::GetFolderPath("Desktop")\temp-4625.html"
Invoke-Item $Report
#convert the array of events to HTML
$Events | Select-Object Date, "User Name", "WorkstationName", "IPAddress", "Logon Type" |
Convertto-html -head $HTML -PreContent "<H2>Accounts that Failed to Log On</H2>", "<H2>$GetDate </H2>", "<br> FailureReason = $((($_.message -split "\n") | Select-String -Pattern "Failure Reason:\s+(.+)").matches[0].groups[1].value)<br>", "<br> Status Code = $($_.message -split '\s{4}' | Select-String -Pattern "Status")<br>"
-PostContent "<p></p>Total Event ID 4625 records: <b><u>$totalCt</u></b> <p></p>" | Out-File $Report -append
Write-Host "Total Event ID 4625 records: $totalCt"
Write-Host "Event ID 4625 records per server:"
$servers | Format-Table -autosize
Write-Host "4625 records grouped by user"
$events | Group-Object "User Name" | Sort-Object Count | Out-GridView -Title "4625 records grouped by user"
Write-Host "4625 records grouped by IP Address"
$events | Group-Object "IPAddress" | Sort-Object Count | Out-GridView -Title "4625 records grouped by IP Address"
Write-Host "4625 records grouped by WorkstationName"
$events | Group-Object "WorkstationName" | Sort-Object Count | Out-GridView -Title "4625 records grouped by WorkstationName"
$sendMailArgs = @{
From = "$env:COMPUTERNAME@$env:userdnsdomain"
To = 'IT@corp.com'
Subject = "Event ID 4625 Result as at $(Get-Date -Format 'F')"
SmtpServer = 'smtp.domain.com'
BodyAsHtml = $true
}
$sendMailArgs['Body'] = "<H3>Total Event ID 4625 records: $($totalCt)</H3>"
Send-MailMessage @sendMailArgs -Priority High -Verbose -Attachments $Report
However, the error is like below:
Send-MailMessage : Cannot find a provider with the name '[Environment]'.
At line:103 char:1
+ Send-MailMessage @sendMailArgs -Priority High -Verbose -Attachments $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ([Environment]:String) [Send-MailMessage], ProviderNotFoundException
+ FullyQualifiedErrorId : ProviderNotFound,Microsoft.PowerShell.Commands.SendMailMessage
and there is no email sent out. How can I debug this?
