Remote Access to DC Security Event Full Data
Problem - only getting partial data from the Security event log.
I am using PowerShell to pull Security events from a 2019 domain controller. The code works fine on the server and I can see all the data (provided PowerShell is run elevated). The remote user has been added to the AD "Builtin" folder security group "Event Log Readers". Remotely I only get partial data for the event, i.e. the Event->Properties->SyncRoot part of the event is empty remotely. Plus the error
Method invocation failed because [Deserialized.System.Diagnostics.Eventing.Reader.EventLogRecord] does not contain a method named 'ToXml'.
So how do I enable a specific remote user to get full access?
Code below, thanks
# When run locally on the server, -ComputerName and -Credential are not used
$events = Invoke-Command -ComputerName $dc -Credential $cred -ScriptBlock {Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']=`'$using:account`']]"}
foreach ($event in $events)
{
    # Convert the event to XML
    $eventXML = [xml]$event.ToXml() # error when used remotely
}
The error you are getting is not related to permissions, but to Invoke-Command deserializing your object.
However, the deserialized object is not a live object. It is a snapshot of the object at the time that it was serialized, and it includes properties but no methods.
One way to avoid this is to convert the logs to XML on the remote host:
$events = Invoke-Command -ComputerName $dc -Credential $cred -ScriptBlock {
$logs = Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']=`'$using:account`']]"
$logs.ForEach({$_.ToXml()})
}
foreach($event in $events)
{
[xml]$event
}
The same thing happens with jobs:
$log = Get-WinEvent -LogName Application -MaxEvents 1
$log.GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True False EventLogRecord System.Diagnostics.Eventing.Reader.EventRecord
$log = Start-Job {Get-WinEvent -LogName Application -MaxEvents 1} |
Receive-Job -Wait -AutoRemoveJob
$log.GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True PSObject System.Object
$log.ToXml()
Method invocation failed because [Deserialized.System.Diagnostics.Eventing.Reader.EventLogRecord] does not contain a method named 'ToXml'.
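The following is an added example, not code from the original question or answer. It carries the answer's approach through: call ToXml() on the remote host where EventLogRecord is still a live object, return the XML strings (which survive Invoke-Command's serialization unchanged), and parse the named EventData fields of event 4624 locally. It assumes the question's variables $dc, $cred and $account are already defined and that the remote user has PowerShell remoting access in addition to Event Log Readers membership; the function names and the field list are this example's own choices.

```powershell
# Added example (not from the original post). Assumes $dc, $cred and $account
# are already set as in the question.

function Get-RemoteLogonEventXml {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Account,
        [int]$MaxEvents = 100
    )

    # Serialize on the remote side: ToXml() is a live method there, and the
    # returned strings come back through Invoke-Command intact.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        $filter = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$using:Account']]"
        Get-WinEvent -LogName Security -FilterXPath $filter -MaxEvents $using:MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object { $_.ToXml() }
    }
}

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml

        # EventData/Data is a flat list of elements keyed by the Name attribute;
        # build a lookup so the fields can be read by name.
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = [datetime]$x.Event.System.TimeCreated.SystemTime
            RecordId       = [long]$x.Event.System.EventRecordID
            TargetUserName = $data['TargetUserName']
            TargetDomain   = $data['TargetDomainName']
            LogonType      = [int]$data['LogonType']
            IpAddress      = $data['IpAddress']
            Workstation    = $data['WorkstationName']
            AuthPackage    = $data['AuthenticationPackageName']
        }
    }
}

# Usage: pull the raw XML strings from the DC, then parse them on the client.
$logons = Get-RemoteLogonEventXml -ComputerName $dc -Credential $cred -Account $account |
    ConvertFrom-LogonEventXml

# A typical review: where and how this account is logging on.
$logons | Group-Object LogonType, IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name
```

If you only ever need a fixed set of fields, the same idea works without any XML on the client: build the [pscustomobject] inside the remote script block instead, since plain properties survive deserialization even though methods do not.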