• Open the Event Viewer and search the security log for event ID 4656 with a task category of “File System” or “Removable Storage” and the string “Accesses: DELETE”. https://www.netwrix.com/how_to_detect_who_deleted_file.html#:~:text=Navigate%20to%20%E2%80%9CReports%E2%80%9D%20%E2%86%92%20Click,%E2%80%9D%20%E2%86%92%20Click%20%E2%80%9CView%E2%80%9D.

  • I had to turn on auditing on some of our server file shares due to either accidental or intentional file/folder deletions and have been experimenting with a couple of scripts I found that launch when event ID 4663 occurs in the Security log. Unfortunately, along with some other processes that generate 4663, this event ID is also generated whenever a file is renamed, and as a result the log file is capturing a lot of superfluous information. I have accessible template folder structures on the server which are used to store various files that relate to customer projects. These templates are copied and then renamed to match whatever the project name is, and hence each time this occurs event ID 4663 is generated and records each folder/subfolder into the .CSV file I use to import into PostgreSQL. Is there a particular value within the generated array of values that is specific to only the file/folder being deleted? The hex value 0x10000 (65536) array member doesn't seem to be filtering as anticipated.
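The two comments above (searching 4656 for "Accesses: DELETE", and filtering 4663 on access mask 0x10000) run into the same trap: a rename also requests DELETE access on the source object, so the DELETE bit alone reports every template rename. What distinguishes a real deletion is the follow-up event 4660 ("An object was deleted") that carries the same Handle ID. The script below, an added example and not code from either commenter, correlates the two. It assumes "Audit File System" is enabled on the share so that 4656/4663 and 4660 all reach the Security log; the sample records at the bottom are constructed for the demonstration.

```powershell
# Added example, not code from the post above. A rename also requests DELETE
# (0x10000) access on the source object, so filtering 4656/4663 on that bit
# still catches every template rename. A genuine delete is followed by event
# 4660 ("An object was deleted") carrying the same Handle ID, so the pair is
# the reliable signal. Assumption: "Audit File System" is enabled on the share
# and the log contains all three event IDs.

function ConvertFrom-FileAuditEvent {
    # Flatten a live Security-log record into the fields the filter needs
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id              = $Record.Id
            HandleId        = $d['HandleId']
            ObjectName      = $d['ObjectName']
            SubjectUserName = $d['SubjectUserName']
            AccessMask      = if ($d['AccessMask']) { [int]$d['AccessMask'] } else { 0 }   # "0x10000" -> 65536
        }
    }
}

function Get-TrueDeletion {
    # Emit one row per object whose DELETE handle was followed by a 4660
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Event) }
    end {
        $DELETE = 0x10000
        $deletedHandles = @{}
        foreach ($e in $all) { if ($e.Id -eq 4660) { $deletedHandles[$e.HandleId] = $true } }
        foreach ($e in $all) {
            if (($e.Id -in @(4656, 4663)) -and ($e.AccessMask -band $DELETE) -and
                $deletedHandles.ContainsKey($e.HandleId)) {
                [pscustomobject]@{ User = $e.SubjectUserName; Object = $e.ObjectName; Handle = $e.HandleId }
            }
        }
    }
}

# Constructed sample: a template folder renamed (DELETE access, no 4660) and a file really deleted
$sample = @(
    [pscustomobject]@{ Id = 4663; HandleId = '0x1a4'; ObjectName = 'D:\Projects\Template'; SubjectUserName = 'alice'; AccessMask = 0x10000 }
    [pscustomobject]@{ Id = 4663; HandleId = '0x2b8'; ObjectName = 'D:\Projects\Old.docx'; SubjectUserName = 'bob';   AccessMask = 0x10000 }
    [pscustomobject]@{ Id = 4660; HandleId = '0x2b8'; ObjectName = '';                     SubjectUserName = 'bob';   AccessMask = 0 }
)
$sample | Get-TrueDeletion | Format-Table      # only Old.docx is reported; the rename is dropped

# Live use, producing the CSV the post imports into PostgreSQL:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4660 } |
#     ConvertFrom-FileAuditEvent | Get-TrueDeletion | Export-Csv deletions.csv -NoTypeInformation
```

Keying on the Handle ID rather than on the object name matters because the same path can be renamed and later deleted under different handles; the 4660 for the deleting handle is what turns a "may delete" into a "did delete".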

  • Hi Mike,

    I love the script. I have a question, and I hope this isn't too difficult. I would like it to also spit out the individual members of the nested groups.

    i.e.

    If I run

    $selectprops = "ParentGroup","NestedGroup","NestedGroupMemberCount"

    Get-NestedGroup "Administrators" | Select-Object $selectprops | Format-Table

    I would like to get ParentGroup, NestedGroup, NestedGroupMemberCount, and NestedGroupMembers.

    Is this possible?
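One way to get the extra column the commenter asks for, as an added example rather than Mike's Get-NestedGroup script: walk the nesting recursively and attach each nested group's direct members as a joined string. The group map is constructed in memory so the code runs offline; in a domain, the hypothetical Get-GroupMember helper would be replaced by Get-ADGroupMember from the ActiveDirectory module. The Seen set is the part worth copying: nested groups in AD can form cycles (A contains B contains A), and a recursive walk without that guard never terminates.

```powershell
# Added example (not Mike's Get-NestedGroup). The group map is constructed for
# illustration; swap Get-GroupMember for Get-ADGroupMember in a real domain.
$script:GroupMap = @{
    'Administrators' = @(
        [pscustomobject]@{ Name = 'Domain Admins';  Kind = 'group' }
        [pscustomobject]@{ Name = 'alice';          Kind = 'user'  }
    )
    'Domain Admins'  = @(
        [pscustomobject]@{ Name = 'Tier0 Ops';      Kind = 'group' }
        [pscustomobject]@{ Name = 'bob';            Kind = 'user'  }
    )
    'Tier0 Ops'      = @(
        [pscustomobject]@{ Name = 'carol';          Kind = 'user'  }
        [pscustomobject]@{ Name = 'Administrators'; Kind = 'group' }   # deliberate cycle back to the root
    )
}

function Get-GroupMember {
    # Hypothetical lookup standing in for Get-ADGroupMember
    param([Parameter(Mandatory)][string] $Name)
    if ($script:GroupMap.ContainsKey($Name)) { $script:GroupMap[$Name] } else { @() }
}

function Get-NestedGroupWithMembers {
    param(
        [Parameter(Mandatory)][string] $Group,
        [System.Collections.Generic.HashSet[string]] $Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Add returns $false if the group was already visited: stop, or a cycle recurses forever
    if (-not $Seen.Add($Group)) { return }
    foreach ($m in Get-GroupMember $Group | Where-Object Kind -eq 'group') {
        $members = @(Get-GroupMember $m.Name)
        [pscustomobject]@{
            ParentGroup            = $Group
            NestedGroup            = $m.Name
            NestedGroupMemberCount = $members.Count
            NestedGroupMembers     = ($members | ForEach-Object Name) -join '; '
        }
        Get-NestedGroupWithMembers -Group $m.Name -Seen $Seen
    }
}

Get-NestedGroupWithMembers 'Administrators' | Format-Table -AutoSize
# Three rows: Administrators->Domain Admins, Domain Admins->Tier0 Ops,
# Tier0 Ops->Administrators (reported once, then the walk stops)
```

The cycle row is still emitted, which is useful: a group that indirectly contains itself is exactly what you want an Administrators audit to surface.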

  • Faiz Qureshi posted an update in the PowerShell group 4 days, 21 hours ago

    Hello Experts ,
    I am looking for help with a PowerShell script which lets me see all the users connected across the network of servers. Please let me know if there is any such script which I can use or maybe tweak a little bit.

    We need a simple report like

    User ID, Session_ID , Local Client_Host_ID, Remote Server_ID_Connected to, brief_descp_Activity performed

  • Are there any PowerShell scripts to get the user usage details (metrics / audit log) of Microsoft Visio and Microsoft Project, or is there any other way to get those details?

  • Are there any PowerShell scripts to get the user usage details (metrics or audit log) of Microsoft Visio and Microsoft Project, or is there any other way to get those details?

  • Kiran Sharma posted an update in the PowerShell group 1 week, 5 days ago

    Hi Team, I'm using PowerShell to download a file from my GitHub and place it in a specific location on my laptop, and it works fine. However, when I run the same command on Windows Server, it throws an error:

    Exception calling "DownloadFile" with "2" argument(s): "An exception occurred during a WebClient request."
    At line:3 char:1
    + $WebClient.DownloadFile("$Link","$env:C:Test_powershellBackupCI.xls …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

    Any suggestions on this would be highly appreciated.

  • Hi,

    Thanks for the script.

    I have followed the instructions; however, the extension I'm trying to uninstall is still showing, but it is disabled, not removed.

    Am I missing something?

  • I've used `cat` and `>>` to add the contents of the public key file to the administrators_authorized_keys file, but the contents were converted on the fly to UTF-16. The file looked OK in Notepad, but OpenSSH could not read it. What is worse: there was no error in the logs, either on the server side or on the client (`-vvv`). I've wasted hours on this! I've tried `LogLevel DEBUG` in `sshd_config`, but the `__PROGRAMDATA__/ssh/logs` directory is empty.
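The trap described above is that `>>` in Windows PowerShell 5.1 writes UTF-16LE with a byte-order mark, which sshd does not parse as an authorized_keys file (PowerShell 7 writes UTF-8 instead). The helper below is an added example, not part of the comment: it appends the key with an explicit ASCII encoding, applies the ACL sshd requires on administrators_authorized_keys (Administrators and SYSTEM only, no inheritance), and includes a check and a repair for a file that `>>` has already converted. It assumes the default OpenSSH layout under $env:ProgramData\ssh.

```powershell
# Added example (not from the comment above). Windows PowerShell 5.1's '>>'
# emits UTF-16LE; Add-Content -Encoding ASCII keeps the file readable by sshd.
# Assumption: sshd installed with the default $env:ProgramData\ssh layout.

function Add-AdminAuthorizedKey {
    param(
        [Parameter(Mandatory)][string] $PublicKeyPath,
        [string] $AuthorizedKeys = (Join-Path $env:ProgramData 'ssh\administrators_authorized_keys')
    )
    $key = (Get-Content -Path $PublicKeyPath -Raw).Trim()
    # Refuse anything that is not a single OpenSSH public-key line (e.g. a private key pasted by mistake)
    if ($key -notmatch '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) \S+') {
        throw "Not an OpenSSH public key: $PublicKeyPath"
    }
    Add-Content -Path $AuthorizedKeys -Value $key -Encoding ASCII
    # sshd rejects the file if principals other than Administrators/SYSTEM can access it
    # (SIDs used so the command is locale-independent)
    icacls.exe $AuthorizedKeys /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null
}

function Test-AuthorizedKeysEncoding {
    # Returns a row telling you whether sshd can read the file at all
    param([Parameter(Mandatory)][string] $Path)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $utf16  = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0xFF) -and ($bytes[1] -eq 0xFE)
    $hasNul = $bytes -contains 0        # UTF-16 text of ASCII keys is full of NUL bytes
    [pscustomobject]@{
        Path     = $Path
        Utf16Bom = $utf16
        HasNul   = $hasNul
        Usable   = -not ($utf16 -or $hasNul)
    }
}

function Repair-AuthorizedKeysEncoding {
    # Rewrite a file that '>>' already converted; ReadAllText honours the BOM
    param([Parameter(Mandatory)][string] $Path)
    $text = [System.IO.File]::ReadAllText($Path)
    [System.IO.File]::WriteAllText($Path, $text, [System.Text.Encoding]::ASCII)
}

# Usage:
# Add-AdminAuthorizedKey -PublicKeyPath "$HOME\.ssh\id_ed25519.pub"
# Test-AuthorizedKeysEncoding (Join-Path $env:ProgramData 'ssh\administrators_authorized_keys')
```

Because sshd simply skips lines it cannot parse, the encoding check is the only place this failure becomes visible; neither the client's `-vvv` nor the server log names it, as the comment observes.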

  • Hello All,

    I've written a small script to download a test file from my GitHub, and it works fine in PowerShell on my laptop; however, it throws the error below when I run the same script on Windows Server 2012. The only thing I noticed is that the version of PowerShell is different on the laptop and on the server.

    Exception calling “DownloadFile” with “2” argument(s): “An exception occurred during a WebClient request.”
    At line:3 char:1
    + $WebClient.DownloadFile(“$Link”,”$env:C:Test_powershellBackupCI.xls …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

    Any suggestions/help on this is highly appreciated.
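For the two WebClient posts above (the update and the fuller repost), the detail that matters is the platform: on Windows Server 2012 the .NET WebClient negotiates TLS 1.0 by default, and GitHub only accepts TLS 1.2, so the handshake fails and surfaces only as the generic "An exception occurred during a WebClient request." The helper below is an added example, not the poster's script: it opts into TLS 1.2 before the request, walks the inner exceptions so the real cause is printed, and checks the downloaded file against a known SHA-256 so that a file fetched from a public repository is verified before anything uses it. It assumes .NET 4.5 or later (present on Server 2012) and uses placeholder URL and hash values. Note also that the posted destination string begins with `$env:`, which makes PowerShell look up an environment variable; the destination should be a literal path.

```powershell
# Added example (not the poster's script). Older .NET defaults WebClient to
# TLS 1.0; GitHub requires TLS 1.2. Assumptions: .NET 4.5+, placeholder URL/hash.

function Invoke-VerifiedDownload {
    param(
        [Parameter(Mandatory)][string] $Url,
        [Parameter(Mandatory)][string] $Destination,   # literal path, e.g. C:\Test_powershell\BackupCI.xls
        [string] $ExpectedSha256                       # optional; hex string from a trusted source
    )
    # Enable TLS 1.2 for this process before the first request
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $client = New-Object System.Net.WebClient
    try {
        $client.DownloadFile($Url, $Destination)
    } catch {
        # The useful message (handshake failure, DNS, proxy) is the innermost exception
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        throw "Download of $Url failed: $($ex.GetType().Name): $($ex.Message)"
    } finally {
        $client.Dispose()
    }

    if ($ExpectedSha256) {
        # Hash via .NET so this also works on PowerShell 3.0 (no Get-FileHash)
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($Destination)
        try { $hashBytes = $sha.ComputeHash($stream) } finally { $stream.Dispose() }
        $actual = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''
        if ($actual -ne $ExpectedSha256) {           # -ne is case-insensitive in PowerShell
            Remove-Item -Path $Destination -Force
            throw "Hash mismatch for ${Destination}: expected $ExpectedSha256, got $actual"
        }
    }
    Get-Item -Path $Destination
}

# Usage (placeholders to replace with your own repository path and hash):
# Invoke-VerifiedDownload -Url 'https://raw.githubusercontent.com/<user>/<repo>/main/BackupCI.xls' `
#     -Destination 'C:\Test_powershell\BackupCI.xls' -ExpectedSha256 '<sha256 of the file>'
```

Without the hash check, a script that "works on the laptop" will also happily install whatever the repository serves on the day it runs; pinning the digest is what makes a download from a public host safe to automate on a server.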

  • I’ll take a command line over a GUI any day since it’s batchable. Plus I like the keyboard so anything that keeps me away from the mouse is my preferred platform.

  • Be careful with admitting that you are a GUI lover. This is almost like being an anti royalist these days. 😉

  • Thanks Surender.

    I thought it was a profile issue and tried that earlier- no help.

    I even added Windows PowerShell to the exclusions in Defender, no help.

    It's a lab machine where I had my Hyper-V server. I could refresh it, but I wanted to know the issue in case it affects a production server.

  • As per my experience, you mean SyncToy, the Microsoft tool, but for this comment
    "Try copying millions of files, possibly without keeping the same tree structure at the target as at the source, and logging errors (the most frequent being missing NTFS permissions at the source)",
    GS RichCopy 360 and SyncBack are created exactly for such cases.
    Backup/sync GUI tools like GS RichCopy 360 and SyncBack have a nice and simple GUI, are able to copy to local drives, remote servers, LANs, WANs, and clouds, are able to copy all the permission types from source to destination, and are also able to copy timestamps.
    As I remember, there are also options to throttle the connection speed to prevent bandwidth consumption, a feature to email you after the job is finished, an excellent task scheduler, and it will never crash while transferring a large amount of data.
    There are also other differences between such GUI tools and CLI tools; just try to search.

  • You are right Michael 🤣🤣

  • Hello Sarah,
    I too recognize that the GUI is very practical and useful, but only in certain cases: simple and unitary tasks.

    For all complex tasks, even simple but repetitive ones, nothing beats the command line and the script.

    You named three tools: SyncToy, GS RichCopy 360, SyncBack.
    Try copying millions of files, possibly without keeping the same tree structure at the target as at the source, and logging errors (the most frequent being missing NTFS permissions at the source); I wish you good luck with these tools.

    These three tools are undeniably practical for personal use only and limited in volume, not for professional use.

  • > Storing recovering information in Active Directory fails

    As a side note, if your environment is still very old (read: 2008 R2 DCs), there are scripts that are required to be run to create the various objects and ACLs for storing the BitLocker keys in AD. Microsoft used to provide these scripts in their articles, but it's getting harder and harder to find these old VBS scripts that perform these steps. Not that anyone should still be running 2008 R2 nowadays, but it's worth noting that this will stop keys from backing up.

    The dumbest BitLocker-related error we used to see was "This PC doesn't support entering a BitLocker recovery password during startup". The fix is to open an admin command prompt and run "Reagentc.exe /enable", then attempt to enable BitLocker again. Related to that are "The system cannot find the FILE specified", which means "delete C:\Windows\System32\Recovery\ReAgent.xml and try to enable BitLocker again", and "The system cannot find the PATH specified", which means "ensure that a folder called 'Recovery' exists in C:\Windows\System32".

    On some really old HP 810’s we also had to do some weird stuff when trying to update firmware:

    Case: Bitlocker is OFF, and when trying to update the TPM firmware you get prompted for an Owner password. Owner Password is a legacy key that is no longer in use. Trying to clear TPM from within Windows doesn’t work as expected. You can clear the “TPM Owner” before updating TPM firmware as follows:

    Run Command Prompt as Administrator and run the following lines:

    reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /f /v OSManagedAuthLevel /t REG_DWORD /d 4

    WMIC /namespace:\\root\cimv2\Security\MicrosoftTpm Path Win32_Tpm Where __RELPATH="Win32_Tpm=@" Call SetPhysicalPresenceRequest 14

    Then reboot.

    You may also have to set a bios setting to allow Windows to adjust TPM password before doing these changes.
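The comment above lists three WinRE preconditions by their error strings and a two-command TPM-owner clear. As an added example (not the commenter's procedure, only a PowerShell rendering of it), the first function below checks those preconditions up front so the error strings never appear, and the second performs the same registry write and Win32_Tpm physical-presence request through the CIM cmdlets with a confirmation prompt, since operation 14 clears the TPM and with it any keys sealed to it. It assumes the output of `reagentc /info` contains a line beginning "Windows RE status:", and that the firmware setting the comment mentions has already been enabled.

```powershell
# Added example (not from the comment above): preflight for the WinRE
# conditions named there, plus a guarded equivalent of the reg add + WMIC pair.
# Assumption: "reagentc /info" prints a "Windows RE status: <Enabled|Disabled>" line.

function Test-BitLockerRecoveryPrereq {
    $recoveryDir = Join-Path $env:SystemRoot 'System32\Recovery'
    $reagentXml  = Join-Path $recoveryDir 'ReAgent.xml'
    $status = 'Unknown'
    foreach ($line in (& reagentc.exe /info 2>&1)) {
        if ($line -match 'Windows RE status:\s*(\S+)') { $status = $Matches[1] }
    }
    [pscustomobject]@{
        RecoveryFolderExists = Test-Path -Path $recoveryDir   # "cannot find the PATH specified"
        ReAgentXmlExists     = Test-Path -Path $reagentXml    # "cannot find the FILE specified"
        WinReEnabled         = ($status -eq 'Enabled')        # "doesn't support entering a recovery password"
    }
}

function Request-TpmOwnerClear {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $action = 'Set OSManagedAuthLevel=4 and queue physical-presence operation 14 (clear TPM)'
    if (-not $PSCmdlet.ShouldProcess('TPM', $action)) { return }

    # Same as: reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 4
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name OSManagedAuthLevel -PropertyType DWord -Value 4 -Force | Out-Null

    # Same as: WMIC ... Path Win32_Tpm ... Call SetPhysicalPresenceRequest 14
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    $r   = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest -Arguments @{ Request = [uint32]14 }
    if ($r.ReturnValue -ne 0) { throw "SetPhysicalPresenceRequest returned $($r.ReturnValue)" }
    'Clear request queued; reboot and confirm at the firmware prompt.'
}

# Usage:
# Test-BitLockerRecoveryPrereq          # all three should be True before Enable-BitLocker
# Request-TpmOwnerClear -Confirm        # only with BitLocker OFF, as the comment states
```

Running the preflight before Enable-BitLocker, and only requesting the TPM clear when the volume is already decrypted, keeps the recovery-key backup to AD from being the place you first learn the machine was not ready.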

© 4sysops 2006 - 2022