Get-GphGpProcessLog.ps1

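function Get-GphGpProcessLog
{
  <#
      .SYNOPSIS
      Lists all available Activity-IDs then returns the according events.
 
      .DESCRIPTION
      This function lists all the Activity-IDs of all GPO-Processings found in the event-log
      (Microsoft-Windows-GroupPolicy/Operational on the local computer).
      The Activity-ID is a unique ID for every GPO-Processing-run. After choosing the ID(s) you want to investigate
      in the grid view, the Cmdlet returns all the Events which were generated during the corresponding processing.
      Without -SingleProcessRun the complete Operational log is returned unfiltered.
 
      .EXAMPLE
      Get-GphGpProcessLog -SingleProcessRun
      Shows the start event of every processing run in a grid view and returns all events of the selected run(s).

      .EXAMPLE
      Get-GphGpProcessLog
      Returns every event of the local Group Policy Operational log.
 
      .NOTES
      Author: Holger Voges
      Date: 2018-11-16
      Version: 1.0
      Requires read access to the Group Policy Operational log and, for -SingleProcessRun,
      an interactive session (Out-GridView).
  #>

  [cmdletbinding()]
  param(
    # Show the start events of all processing runs in a grid view and return only the events of the selected run(s)
    [Switch]$SingleProcessRun
  )

  # The log that holds the Group Policy processing events; used by every query below
  $LogName = 'Microsoft-Windows-GroupPolicy/Operational'

  # Events 4000-4007 mark the start of a processing run; the ID tells what triggered it
  $LoginEventIds = @{
    4000 = 'Computer Boot'
    4001 = 'User Logon'
    4002 = 'Computer Network Change'
    4003 = 'User Network Change'
    4004 = 'Computer Manual Update'
    4005 = 'User Manual Update'
    4006 = 'Computer Background Refresh'
    4007 = 'User Background Refresh'
  }

  # Calculated property that resolves the start event's ID to its trigger name
  $LoginEvent = @{ name = 'LoginEvent'; expression = { $LoginEventIds.($_.ID) } }

  If ( $SingleProcessRun )
  {
    # Take the ID filter from the hashtable keys so filter and labels cannot drift apart
    [Array]$ActivityID = Get-WinEvent -FilterHashtable @{ Logname = $LogName; ID = [int[]]$LoginEventIds.Keys } |
      Select-Object -Property TimeCreated, ActivityID, $LoginEvent |
      Out-GridView -PassThru
    # If the grid view is cancelled, $ActivityID is empty and nothing is returned
    Foreach ( $Activity in $ActivityID )
    {
      # A start event without an ActivityID cannot be correlated; skip it instead of querying '{}'
      If ( -not $Activity.ActivityId ) { Continue }
      # 'B' formats the GUID with braces, the form in which the Correlation element stores the ActivityID
      $GUID = $Activity.ActivityId.ToString('B')
      Get-WinEvent -Logname $LogName -FilterXPath "*/System/Correlation[@ActivityID='$GUID']"
    }
  }
  Else
  {
    Get-WinEvent -Logname $LogName
  }
}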