
Active Directory Logging

I had a problem come up recently where I needed to check the diagnostic logging levels applied to the AD directory service on a set of domain controllers. These levels are per-DC REG_DWORD values under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. See http://support.microsoft.com/kb/314980 for details.

Checking one machine is OK by RDP, but when you want to check a set of machines it's time to dig out the PowerShell. While I was at it I decided I might as well create a set of functions that:

  1. Check the log settings
  2. Clear all log settings
  3. Set individual log settings

We are dealing with 24 values in the registry, so I need to have those available in a variable. I also need to deal with six possible logging levels (0 to 5). I originally thought of using enums (my new shiny toy), but the registry value names have spaces so that didn't work. Plan B is hash tables, as shown below.

$logtype = DATA {
ConvertFrom-StringData -StringData @'
1 = 1 Knowledge Consistency Checker
2 = 2 Security Events
3 = 3 ExDS Interface Events
4 = 4 MAPI Interface Events
5 = 5 Replication Events
6 = 6 Garbage Collection
7 = 7 Internal Configuration
8 = 8 Directory Access
9 = 9 Internal Processing
10 = 10 Performance Counters
11 = 11 Initialization/Termination
12 = 12 Service Control
13 = 13 Name Resolution
14 = 14 Backup
15 = 15 Field Engineering
16 = 16 LDAP Interface Events
17 = 17 Setup
18 = 18 Global Catalog
19 = 19 Inter-site Messaging
20 = 20 Group Caching
21 = 21 Linked-Value Replication
22 = 22 DS RPC Client
23 = 23 DS RPC Server
24 = 24 DS Schema
'@
}

$loglevel = DATA {
ConvertFrom-StringData -StringData @'
0 = None
1 = Minimal
2 = Basic
3 = Extensive
4 = Verbose
5 = Internal
'@
}

## functions
. $psScriptRoot/Get-LogSetting.ps1

Export-ModuleMember -Function * -Variable logtype, loglevel


By default a script module exports its functions but not its variables, so I need to force that with Export-ModuleMember.



The function to get the logging levels is this



function get-logsetting {
[CmdletBinding()]
param (
    [parameter(Position=0,
        Mandatory=$true,
        ValueFromPipeline=$true,
        ValueFromPipelineByPropertyName=$true)]
    [string]$computer
)
BEGIN {
    $HKLM = 2147483650   # HKEY_LOCAL_MACHINE as StdRegProv expects it
}#begin

PROCESS {
    $reg = [wmiclass]"\\$computer\root\default:StdRegprov"

    $key = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"

    1..$logtype.Count |
    foreach {
        $value = $logtype["$_"]
        $level = $reg.GetDwordValue($HKLM, $key, $value)  ## REG_DWORD

        # ReturnValue 0 means the read succeeded; otherwise uValue is empty
        if ($level.ReturnValue -ne 0) {
            Write-Warning "Could not read '$value' on $computer (ReturnValue $($level.ReturnValue))"
        }

        New-Object -TypeName PSObject -Property @{
            Name  = $value
            Level = $loglevel["$($level.uValue)"]
        }
    }

}#process
END {}#end

}


The computer name comes in as a mandatory parameter (it can also be piped in). Then we get the StdRegProv WMI class on that machine and set the key. The values are read by looping through the $logtype hashtable and fetching each REG_DWORD by name. The results are returned as objects holding the value name and the level name.
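The other two functions from the list at the top (clear all settings, set an individual setting) are not shown in the post. Below is an added example, not code from the original post or module, of how they can be written against the same StdRegProv path, together with a check for drift across a set of DCs. It assumes the module above is loaded, so that $logtype, $loglevel and get-logsetting exist; the function and parameter names (Set-LogSetting, Clear-LogSetting, Compare-LogSetting, -Type, -Level) and the DC names in the usage lines are my own choices.

```powershell
# Added example, not code from the original post. Assumes the module above
# is loaded ($logtype, $loglevel, get-logsetting). Function/parameter names
# and the DC names in the usage lines are assumptions, not the author's.

function Set-LogSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true)]
        [string]$Computer,

        # Entry number, the key into $logtype (e.g. 15 -> "15 Field Engineering")
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 24)]
        [int]$Type,

        # Level 0 (None) to 5 (Internal), the key into $loglevel
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 5)]
        [int]$Level
    )
    begin {
        $HKLM = 2147483650
        $key  = 'SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    }
    process {
        $name      = $logtype["$Type"]
        $levelName = $loglevel["$Level"]
        $reg       = [wmiclass]"\\$Computer\root\default:StdRegProv"
        if ($PSCmdlet.ShouldProcess("$Computer : $name", "Set level to $Level ($levelName)")) {
            # SetDWORDValue returns 0 on success; anything else is a Win32 error code
            $result = $reg.SetDWORDValue($HKLM, $key, $name, $Level)
            if ($result.ReturnValue -ne 0) {
                Write-Error "SetDWORDValue failed on $Computer for '$name' (ReturnValue $($result.ReturnValue))"
            }
        }
    }
}

function Clear-LogSetting {
    # Puts every entry back to 0 (None), which is the out-of-the-box state
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true)]
        [string]$Computer
    )
    process {
        1..$logtype.Count | ForEach-Object {
            Set-LogSetting -Computer $Computer -Type $_ -Level 0
        }
    }
}

function Compare-LogSetting {
    # Reports each entry whose level on any DC differs from the first DC given,
    # which is treated as the reference. Drift here is usually a level someone
    # raised for troubleshooting and never turned back down.
    param (
        [Parameter(Mandatory = $true)]
        [string[]]$Computer
    )
    if ($Computer.Count -lt 2) { throw 'Give at least two computer names' }
    $reference = @{}
    get-logsetting -computer $Computer[0] | ForEach-Object { $reference[$_.Name] = $_.Level }
    foreach ($dc in $Computer[1..($Computer.Count - 1)]) {
        get-logsetting -computer $dc |
            Where-Object { $_.Level -ne $reference[$_.Name] } |
            ForEach-Object {
                New-Object -TypeName PSObject -Property @{
                    Computer  = $dc
                    Name      = $_.Name
                    Reference = $reference[$_.Name]
                    Level     = $_.Level
                }
            }
    }
}

# Usage (DC names are placeholders). -WhatIf shows what would change without writing:
# Set-LogSetting -Computer dc01 -Type 15 -Level 5 -WhatIf
# Clear-LogSetting -Computer dc01
# Compare-LogSetting -Computer dc01, dc02, dc03 | Format-Table Computer, Name, Reference, Level
```

These are remote registry writes on a domain controller over DCOM, so they need administrative rights on the DC; run with -WhatIf first. Levels above 3 can flood the Directory Service event log, so raise an entry for a specific investigation and clear it afterwards. The one entry worth a standing look is 15 Field Engineering, which at level 5 logs event 1644 for expensive and inefficient LDAP searches, a useful signal for both performance work and spotting reconnaissance-style queries against the directory.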



I might add the computer name to the object, and I need to create some help before publishing as part of the PAM modules.
