PowerShell for Windows Admins

Sep 3 2011   5:18AM GMT

Active Directory Logging

Posted by: Richard Siddaway
Tags: Active Directory, WMI

I had a problem come up recently where I needed to check the level of logging applied to the AD database. This is configurable via registry settings. See http://support.microsoft.com/kb/314980 for details.

Checking one machine is OK over RDP, but when you want to check a set of machines it's time to dig out PowerShell. While I was at it I decided I might as well create a set of functions that:

  1. Check the log settings
  2. Clear all log settings
  3. Set individual log settings

We are dealing with 24 values in the registry, so I need to have those available in a variable. I also need to deal with 5 possible logging levels. I originally thought of using enums (my new shiny toy), but the value names have spaces so that didn't work. Plan B is hash tables, as shown below:

## registry value names under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics,
## keyed by their number so they can be looped over by index
$logtype = DATA {
ConvertFrom-StringData -StringData @'
 1 = 1 Knowledge Consistency Checker
 2 = 2 Security Events
 3 = 3 ExDS Interface Events
 4 = 4 MAPI Interface Events
 5 = 5 Replication Events
 6 = 6 Garbage Collection
 7 = 7 Internal Configuration
 8 = 8 Directory Access
 9 = 9 Internal Processing
 10 = 10 Performance Counters
 11 = 11 Initialization/Termination
 12 = 12 Service Control
 13 = 13 Name Resolution
 14 = 14 Backup
 15 = 15 Field Engineering
 16 = 16 LDAP Interface Events
 17 = 17 Setup
 18 = 18 Global Catalog
 19 = 19 Inter-site Messaging
 20 = 20 Group Caching
 21 = 21 Linked-Value Replication
 22 = 22 DS RPC Client
 23 = 23 DS RPC Server
 24 = 24 DS Schema
'@
}

## the REG_DWORD data each value can hold, keyed by the number stored in the registry
$loglevel = DATA {
ConvertFrom-StringData -StringData @'
 0 = None
 1 = Minimal
 2 = Basic
 3 = Extensive
 4 = Verbose
 5 = Internal
'@
}

## functions
. $psScriptRoot/Get-LogSetting.ps1

## variables are not exported from a module unless listed here
Export-ModuleMember -Function * -Variable logtype, loglevel

By default, variables are not exported from modules, so I need to force that with Export-ModuleMember.

The function to get the logging levels is this:

function get-logsetting {
[CmdletBinding(SupportsShouldProcess=$true)]
param (
    [parameter(Position=0,
       Mandatory=$true,
       ValueFromPipeline=$true,
       ValueFromPipelineByPropertyName=$true)]
    [string]$computer
)
BEGIN {
    ## HKEY_LOCAL_MACHINE as StdRegProv expects it (0x80000002)
    $HKLM = 2147483650
}#begin

PROCESS {
    ## remote registry access through the StdRegProv WMI class
    $reg = [wmiclass]"\\$computer\root\default:StdRegprov"

    $key = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"

    ## walk the 24 value names held in $logtype (exported by the module)
    1..$logtype.Count |
    foreach {
        $value = $logtype["$_"]
        $level = $reg.GetDwordValue($HKLM, $key, $value)  ## REG_DWORD

        ## uValue is the number stored in the registry; $loglevel turns it into
        ## its name. If the value is missing, uValue is null and Level is empty.
        New-Object -TypeName PSObject -Property @{
            Name  = $value
            Level = $loglevel["$($level.uValue)"]
        }
    }

}#process
END {}#end

}

The computer name comes in as a mandatory parameter. Then we get the WMI class for the registry and set the key. The values are read by looping through the $logtype hash table, and each result is returned as an object with the value name and the level name.

I might add the computer name to the object, and I need to create some help before publishing this as part of the PAM modules.
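The post lists three functions (check, clear all, set individual) but only shows the first. The block below is an added example and not code from the post; it supplies the other two with the same StdRegProv class and the same NTDS\Diagnostics key, and it also adds the computer name to the output object as the post suggests. It goes a little beyond the post by enumerating the value names from the key with EnumValues instead of relying on the hard-coded $logtype table, so it does not depend on the module being loaded. The function and parameter names (Get-NtdsDiagnosticValue, Set-LogSetting, Clear-LogSetting, -Category, -Level) and the host names in the usage comments are my own choices.

```powershell
# Added example, not from the original post. Companions to the post's
# Get-LogSetting: read, set one, and clear all NTDS diagnostic levels.
# Function/parameter names and the DC01/DC02 host names are assumptions.

$HKLM    = 2147483650   # HKEY_LOCAL_MACHINE as StdRegProv expects it (0x80000002)
$NtdsKey = 'SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# The six levels from the post's $loglevel table, inlined so this runs stand-alone.
$LevelNames = @{ 0 = 'None'; 1 = 'Minimal'; 2 = 'Basic'; 3 = 'Extensive'; 4 = 'Verbose'; 5 = 'Internal' }

function Get-NtdsDiagnosticValue {
    # Enumerate the value names under the key rather than hard-coding all 24,
    # so a renamed or added category still shows up.
    param([Parameter(Mandatory=$true)][string]$Computer)
    $reg  = [wmiclass]"\\$Computer\root\default:StdRegProv"
    $enum = $reg.EnumValues($HKLM, $NtdsKey)
    if ($enum.ReturnValue -ne 0) { throw "EnumValues failed on $Computer (code $($enum.ReturnValue))" }
    foreach ($name in $enum.sNames) {
        $val = $reg.GetDWORDValue($HKLM, $NtdsKey, $name)
        [pscustomobject]@{
            ComputerName = $Computer
            Name         = $name
            Level        = $val.uValue
            LevelName    = if ($null -eq $val.uValue) { 'Unknown' } else { $LevelNames[[int]$val.uValue] }
        }
    }
}

function Resolve-NtdsValueName {
    # Map the category number (1..24) to the full registry value name,
    # e.g. 15 -> "15 Field Engineering". "1 *" does not match "10 ..." because of the space.
    param([string]$Computer, [int]$Category)
    $reg  = [wmiclass]"\\$Computer\root\default:StdRegProv"
    $name = $reg.EnumValues($HKLM, $NtdsKey).sNames | Where-Object { $_ -like "$Category *" } | Select-Object -First 1
    if (-not $name) { throw "No NTDS diagnostics value numbered $Category on $Computer" }
    return $name
}

function Set-LogSetting {
    # Set one category to one level. SupportsShouldProcess gives -WhatIf/-Confirm,
    # and ValidateRange keeps both the category and the level inside the documented sets.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
        [string]$Computer,
        [Parameter(Mandatory=$true)][ValidateRange(1,24)][int]$Category,
        [Parameter(Mandatory=$true)][ValidateRange(0,5)] [int]$Level
    )
    process {
        $name = Resolve-NtdsValueName -Computer $Computer -Category $Category
        if ($PSCmdlet.ShouldProcess("$Computer : $name", "Set level to $Level ($($LevelNames[$Level]))")) {
            $reg = [wmiclass]"\\$Computer\root\default:StdRegProv"
            $r   = $reg.SetDWORDValue($HKLM, $NtdsKey, $name, [uint32]$Level)
            if ($r.ReturnValue -ne 0) { throw "SetDWORDValue failed on $Computer (code $($r.ReturnValue))" }
        }
    }
}

function Clear-LogSetting {
    # Reset every category back to 0 (None), the level the post's table lists first.
    # Only values that are not already 0 are touched, so -WhatIf shows exactly what would change.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Computer)
    process {
        $reg = [wmiclass]"\\$Computer\root\default:StdRegProv"
        foreach ($entry in (Get-NtdsDiagnosticValue -Computer $Computer | Where-Object { $_.Level -ne 0 })) {
            if ($PSCmdlet.ShouldProcess("$Computer : $($entry.Name)", "Reset level $($entry.Level) to 0")) {
                $r = $reg.SetDWORDValue($HKLM, $NtdsKey, $entry.Name, [uint32]0)
                if ($r.ReturnValue -ne 0) { throw "SetDWORDValue failed on $Computer (code $($r.ReturnValue))" }
            }
        }
    }
}

# Usage (constructed host names):
#   Get-NtdsDiagnosticValue -Computer DC01 | Where-Object Level -gt 0 | Format-Table
#   Set-LogSetting -Computer DC01 -Category 15 -Level 1 -WhatIf
#   'DC01', 'DC02' | Clear-LogSetting -WhatIf
```

Running the Get function across a list of domain controllers and filtering on Level greater than 0 is the quick way to spot a DC someone left at a raised level after troubleshooting; the -WhatIf pass on Clear-LogSetting then shows exactly which values would be reset before anything is written.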
