Windows Events with PowerShell

Below is a one-liner for getting a list of computers from your domain controller that have fallen off the domain in the last 24 hours. Using my Google-fu, I was unable to find a good enough example to make this happen, so here is how I did it. You can change the LogName to any log associated with Event Viewer, along with the InstanceId.

Get-EventLog -ComputerName "Your Domain Controller Name" -LogName System -InstanceId 5723,5722,5805 -After (Get-Date).AddDays(-1) | Select-Object ReplacementStrings -Unique | ForEach-Object { $_.ReplacementStrings.Split(",") | Select-Object -First 1 } | Sort-Object -Unique
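
An added example, not part of the original post: the same events summarized per computer, so machines that fail repeatedly stand out from one-off failures. The function name Get-SecureChannelFailureSummary and the sample entries are constructed for illustration, and the code assumes, as the one-liner does, that the first replacement string is the computer name.

```powershell
# Added example: summarize the events per computer (count, first/last seen, IDs).
function Get-SecureChannelFailureSummary {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Entries from Get-EventLog, or objects with the same three properties:
        # ReplacementStrings, InstanceId, TimeGenerated.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$Entry
    )
    begin { $byComputer = @{} }
    process {
        foreach ($e in $Entry) {
            # Assumption (same as the one-liner): the first replacement string
            # is the computer name. Entries with no strings are skipped.
            $name = ([string](@($e.ReplacementStrings) | Select-Object -First 1)).Trim().ToUpperInvariant()
            if (-not $name) { continue }
            if (-not $byComputer.ContainsKey($name)) {
                $byComputer[$name] = [pscustomobject]@{
                    Computer  = $name
                    Failures  = 0
                    EventIds  = @()
                    FirstSeen = $e.TimeGenerated
                    LastSeen  = $e.TimeGenerated
                }
            }
            $rec = $byComputer[$name]
            $rec.Failures++
            $rec.EventIds = @($rec.EventIds + $e.InstanceId | Sort-Object -Unique)
            if ($e.TimeGenerated -lt $rec.FirstSeen) { $rec.FirstSeen = $e.TimeGenerated }
            if ($e.TimeGenerated -gt $rec.LastSeen)  { $rec.LastSeen  = $e.TimeGenerated }
        }
    }
    end { $byComputer.Values | Sort-Object -Property Failures -Descending }
}

# Constructed sample entries so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ InstanceId = 5722; TimeGenerated = [datetime]'2020-07-13 09:00'; ReplacementStrings = @('PC-EXAMPLE-01', 'PC-EXAMPLE-01$', 'Access is denied.') }
    [pscustomobject]@{ InstanceId = 5805; TimeGenerated = [datetime]'2020-07-13 09:05'; ReplacementStrings = @('pc-example-01', 'Access is denied.') }
    [pscustomobject]@{ InstanceId = 5723; TimeGenerated = [datetime]'2020-07-13 11:30'; ReplacementStrings = @('PC-EXAMPLE-02', 'PC-EXAMPLE-02$') }
)
$sample | Get-SecureChannelFailureSummary | Format-Table -AutoSize

# Live use against a domain controller (same query as the one-liner above):
# Get-EventLog -ComputerName "Your Domain Controller Name" -LogName System `
#     -InstanceId 5723,5722,5805 -After (Get-Date).AddDays(-1) |
#     Get-SecureChannelFailureSummary
```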

If you are unsure which portion of the data you need from the event logs, try the command below to find out what your options are. fl, short for Format-List, lists all of the properties when followed by “-Property *”.

Get-EventLog -ComputerName "Your Computer Name" -LogName Application -InstanceId 5973 -After (Get-Date).AddDays(-1) | fl -Property *

EventID : 5973
MachineName : Computer.YourDomain.Com
Data : {}
Index : 283088
Category : (5973)
CategoryNumber : 5973
EntryType : Error
Message : Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
Source : Microsoft-Windows-Immersive-Shell
ReplacementStrings : {Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI, -2144927149}
InstanceId : 5973
TimeGenerated : 7/13/2020 3:06:05 PM
TimeWritten : 7/13/2020 3:06:05 PM
UserName : Domain\user

Server 2012 RDS Certificate Solution

Everything I had read online pointed to having a Public SAN certificate or using a Self-Signed certificate and pushing it out via group policy. I could not find anything about using an Enterprise CA to dole out a certificate for RDS. This got me thinking about using a SAN certificate internally, but how?

On your Enterprise CA you can run the following commands to allow for SAN certs. Be aware that EDITF_ATTRIBUTESUBJECTALTNAME2 is a CA-wide setting: it lets the requester supply subject alternative names as request attributes on any template the CA issues, so keep enrollment permissions tight and review what the CA issues.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Next, let's open the Certificate Templates Console.
Right-click the Computer certificate and click “Duplicate Template”.


I just called this template RDS-Cert and set the Validity period to 4 Years.


PowerShell version of Telnet

Below is a quick way to perform a telnet-style port check on a server that is not allowed to have the telnet client for some reason (compliance).
## Create Socket Object
$Socket = New-Object Net.Sockets.TcpClient
## Suppress error messages
$ErrorActionPreference = 'SilentlyContinue'
## Try to connect (replace the placeholder with the host you are checking)
$Socket.Connect("Your Server Name", 443)

if ($Socket.Connected) {
    Write-Host "Port 443 is open"
    $Socket.Close() ## Destroy the connection
} else {
    Write-Host "Port 443 is not open"
}

Fast – Inactive AD Computers List

One of the easiest ways to get a current list of all the inactive computers in your AD is by using DSQuery. Below you will find two examples of how I use this. You will notice the “-limit 0”. This allows the query to pull back an unlimited number of computers. At the end I am redirecting the output to a csv file.

Computer accounts not used in the last 6 months/26 weeks.
dsquery computer -inactive 26 -limit 0 > List_6_months.csv

Computer accounts not used in the last 2 months/8 weeks.
dsquery computer -inactive 8 -limit 0 > List_2_Months.csv

SCCM Console Fix for Administrators

If you receive the following error message when launching the SCCM Console, use the instructions below. You may also see errors in your SMSAdminUI.log file that resemble “The performance counter ‘# result objects in memory’ was not found”.


Go to Control Panel -> Programs and Features. Highlight “Microsoft System Center 2012 Configuration Manager Console” -> click uninstall.

Ping Last User GUI


[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

## Some Variables To Use

## Main Window Size
$objForm = New-Object System.Windows.Forms.Form
$objForm.Text = "Ping Last User"
