I'm struggling with the below code. I'm trying to get a security eventlog via powershell into an array and selecting only the values I'm interested in. In the next step I want to loop through this array and write those values in a human readable log. Everything is coming together nicely except translating an SID to an Account Name within the loop.
This is what I'm doing:
$eventID = 4732
$log = @( Get-EventLog -LogName security -InstanceId $eventID | Select-Object -Property EventID,EntryType,TimeGenerated,
@{n="AccountName";e = {$_.replacementstrings[1]}},
@{n="GroupName";e = {$_.replacementstrings[2]}},
@{n="AdminName";e = {$_.replacementstrings[6]}}
@{n="DomainName";e = {$_.replacementstrings[3]}}
)
After this I want to translate the SID which I get from the eventlog to an actual accountname. I'm doing this by looping through all the entries and sending them to the output.
$log | ForEach-Object {
((New-Object System.Security.Principal.SecurityIdentifier ($_.AccountName)).Translate( [System.Security.Principal.NTAccount])).Value
}
Output I'm getting is the actual verified account name, which tells me the code works. Except it also gives me the following error:
New-Object : A constructor was not found. Cannot find an appropriate constructor for type System.Security.Principal.Sec
urityIdentifier.
At line:3 char:3
+ ((New-Object System.Security.Principal.SecurityIdentifier ($_.Account ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
The weirdest part is when I call the code outside of the loop, it works:
((New-Object System.Security.Principal.SecurityIdentifier ($log.AccountName[0])).Translate( [System.Security.Principal.NTAccount])).Value
But as I won't know how many entries the array will have I need it to work within a loop. Am I doing something wrong?
I know there are probably more ways to do this, but I just want to comprehend what and why it's happening. Thanks to anyone who can help.
Your @() is useless but this does not cause the error, Get-EventLog will retrieve results into an array already.
You forgot a comma at the end of the line @{n="AdminName";e = {$_.replacementstrings[6]}}
$eventID = 4732
$log = Get-EventLog -LogName security -InstanceId $eventID | Select-Object -Property EventID,EntryType,TimeGenerated,
@{n="AccountName";e = {$_.replacementstrings[1]}},
@{n="GroupName";e = {$_.replacementstrings[2]}},
@{n="AdminName";e = {$_.replacementstrings[6]}},
@{n="DomainName";e = {$_.replacementstrings[3]}}
$log | ForEach-Object {
((New-Object System.Security.Principal.SecurityIdentifier($_.AccountName)).Translate([System.Security.Principal.NTAccount])).Value
}
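Why the missing comma produces exactly one constructor error after the valid names, as an added example that is not from the question or the answer: the calculated property left outside `Select-Object` becomes an extra Hashtable element of the `@( )` array. The sample entries are constructed stand-ins for event log records, and `Resolve-SidName` is a hypothetical helper name.

```powershell
# Constructed stand-ins for Get-EventLog entries (no event log access needed).
# Index 1 holds the member SID and index 2 the group name, as in the question.
$events = @(
    [pscustomobject]@{ ReplacementStrings = @('-', 'S-1-5-18', 'Administrators', 'Builtin') }
    [pscustomobject]@{ ReplacementStrings = @('-', 'S-1-5-21-1111111111-2222222222-3333333333-1105', 'Administrators', 'Builtin') }
)

# Same shape as the question: no comma after the GroupName line, so Select-Object
# ends there and the DomainName hashtable becomes one more element of @( ).
$broken = @( $events | Select-Object -Property @{n='AccountName';e={$_.ReplacementStrings[1]}},
    @{n='GroupName';e={$_.ReplacementStrings[2]}}
    @{n='DomainName';e={$_.ReplacementStrings[3]}}
)

# The extra element is a Hashtable with no AccountName key, so a loop over
# $broken hands $null to the SecurityIdentifier constructor for that element.
$broken | ForEach-Object { '{0}: AccountName = [{1}]' -f $_.GetType().Name, $_.AccountName }

# Hypothetical helper: translate a SID string, tolerating empty, malformed or
# unmapped input so one bad record does not interrupt the report.
function Resolve-SidName {
    param([string]$Sid)
    if ([string]::IsNullOrWhiteSpace($Sid)) { return $null }
    try {
        # ::new() needs PowerShell 5.0 or later
        $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $Sid    # no matching account (deleted, foreign domain): keep the raw SID
    }
    catch {
        $null   # not a valid SID string
    }
}

# With the comma restored, every element is a record with an AccountName.
$fixed = $events | Select-Object -Property @{n='AccountName';e={$_.ReplacementStrings[1]}},
    @{n='GroupName';e={$_.ReplacementStrings[2]}},
    @{n='DomainName';e={$_.ReplacementStrings[3]}}
$fixed | ForEach-Object { '{0} -> {1}' -f $_.AccountName, (Resolve-SidName $_.AccountName) }

# The guarded helper also passes over the stray Hashtable without an error.
$broken | ForEach-Object { Resolve-SidName $_.AccountName }
```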