
PWSH: Get-Latest-WinEvent-Prompted-DCs

This is a VERY useful script that prompts for RWDCs or all DCs (including RODCs), then prompts either for specific Event IDs to search or to just get the last event on each DC; it was refactored with Microsoft CoPilot 4 for locations where WinRM is disabled, using Invoke-Command (Enter-PSSession).

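#****************************************************************
# Script Name : Get-Latest-WinEvent-Prompted-DCs.ps1
# Purpose     : Check Latest Event log for selected Domain Controllers using WinRM (Invoke-Command)
# Author      : Patrick Burwell, www.Burwell.tech
# Updated for : PowerShell Core (PWSH)
# Refactored  : RPC-free version using Invoke-Command by CoPilot 4
#
# Usage       : pwsh -File .\Get-Latest-WinEvent-Prompted-DCs.ps1
#               Interactive. Prompts for the DC scope (RWDCs only, or all DCs
#               including RODCs), then either collects the newest System-log
#               event from every DC or the newest event per requested Event ID.
#               One row per event is appended to a dated CSV under the reports
#               folder and echoed to the console.
# Requires    : ActiveDirectory module (Get-ADDomainController) locally and
#               WinRM access (Invoke-Command) to each selected DC.
#****************************************************************

# Fail fast: an unhandled error must stop the run instead of silently producing
# an empty report (the original continued after a failed Set-Location or
# Get-ADDomainController and then looped over nothing).
$ErrorActionPreference = 'Stop'

# Import Modules
# ActiveDirectory provides Get-ADDomainController; it was never imported before,
# so the DC lookup relied on module auto-loading. Diagnostics (Get-WinEvent) is
# only executed on the remote side but is kept for parity with the original.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module Microsoft.PowerShell.Diagnostics -Scope Global

# Ensure working directory and the reports folder exist before any output.
# Export-Csv does not create missing directories.
$BaseDir   = 'D:\PowerShell'
$ReportDir = Join-Path -Path $BaseDir -ChildPath 'reports'
Set-Location -Path $BaseDir
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Prompt for DC type. Anything other than 'R' selects all DCs, as the prompt states.
$ChoiceQuestion = Read-Host -Prompt "Run against RWDCs or all DCs (includes RODCs)? Enter 'R' for RWDCs"
if ($ChoiceQuestion -ieq 'R') {
    $DCChoice = 'RWDCs'
    $DCList = @(Get-ADDomainController -Filter { IsReadOnly -eq $false } | Select-Object -ExpandProperty Name)
} else {
    $DCChoice = 'AllDCs'
    Write-Host 'You have chosen all the Domain Controllers'
    $DCList = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name)
}
if ($DCList.Count -eq 0) {
    throw "No Domain Controllers were returned for selection '$DCChoice'."
}

# Prompt for event type
$LastEventPrompt = Read-Host -Prompt 'Get the last event? (Y/N)'
$GetLastEvent = $LastEventPrompt -ieq 'Y'

# Optional: Prompt for specific event IDs if not getting last event.
# Tokens are validated locally so only integers reach the DCs; the original
# forwarded raw text and let the [int] cast fail remotely, once per DC per ID.
# The old prompt example showed a "5802...6005" range that was never parsed.
$EventIDs = @()
if (-not $GetLastEvent) {
    $EventPrompt = Read-Host -Prompt 'Enter comma-separated Event IDs to search (e.g., 1000,5802,6005)'
    foreach ($token in ($EventPrompt -split ',')) {
        $token = $token.Trim()
        if ($token -eq '') { continue }
        $parsed = 0
        if ([int]::TryParse($token, [ref]$parsed)) {
            $EventIDs += $parsed
        } else {
            Write-Warning "Ignoring '$token': not a valid Event ID"
        }
    }
    if ($EventIDs.Count -eq 0) {
        throw 'No valid Event IDs were entered.'
    }
}

# Prepare output file. It holds raw event message text, so keep the reports
# folder restricted to the operators who need it.
$day = Get-Date -Format 'yyyyMMdd'
$OutputFile = Join-Path -Path $ReportDir -ChildPath "$day-WinEvents-$DCChoice-Results.csv"

# Process each DC. One remoting session per DC: the per-ID loop runs on the
# remote side instead of opening a new Invoke-Command per ID as before.
foreach ($DC in $DCList) {
    $events = @()
    try {
        if ($GetLastEvent) {
            $events = @(Invoke-Command -ComputerName $DC -ErrorAction Stop -ScriptBlock {
                Get-WinEvent -LogName 'System' -MaxEvents 1
            })
        } else {
            $events = @(Invoke-Command -ComputerName $DC -ErrorAction Stop -ScriptBlock {
                foreach ($eid in $using:EventIDs) {
                    # LogName must live inside the hashtable: -LogName and
                    # -FilterHashtable belong to different parameter sets of
                    # Get-WinEvent, so combining them (as the original did)
                    # fails parameter-set resolution on every call.
                    # A log with no matching event is not an error for this report.
                    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = $eid } -MaxEvents 1 -ErrorAction SilentlyContinue
                }
            })
        }
    } catch {
        Write-Warning "Error getting events from ${DC}: $_"
        continue
    }

    foreach ($entry in $events) {
        # [PSCustomObject]@{} keeps declaration order, so no Select-Object is
        # needed to fix the CSV column order.
        $record = [PSCustomObject]@{
            Computer    = $DC
            EventID     = $entry.Id
            TimeCreated = $entry.TimeCreated
            Message     = $entry.Message
        }

        Write-Host "$($record.Computer), $($record.TimeCreated), $($record.EventID)"
        # Export-Csv quotes fields, so commas and newlines in Message stay intact.
        $record | Export-Csv -Path $OutputFile -Append -NoTypeInformation
    }
}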
