Get-GphGpProcessLog.ps1
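function Get-GphGpProcessLog {
<#
.SYNOPSIS
Returns events from the Group Policy operational log, optionally limited to selected processing runs.

.DESCRIPTION
Without parameters, the function returns every event in the
Microsoft-Windows-GroupPolicy/Operational log of the local computer.

With -SingleProcessRun, it lists the start events (IDs 4000-4007) of all
GPO processing runs found in the log, together with their Activity ID and
the trigger of the run. The Activity ID is a unique ID for every GPO
processing run. After choosing the run(s) to investigate in the grid view,
the function returns all events that carry the same Activity ID, i.e. the
events generated during that processing run.

.PARAMETER SingleProcessRun
Show a selection dialog (Out-GridView) and return only the events of the
processing run(s) selected there.

.EXAMPLE
Get-GphGpProcessLog

Returns all events of the local Group Policy operational log.

.EXAMPLE
Get-GphGpProcessLog -SingleProcessRun

Lists the processing runs found in the local Group Policy operational log
and returns the events of the run(s) selected in the grid view.

.NOTES
Author: Holger Voges
Date: 2018-11-16
Version: 1.0
#>
    [cmdletbinding()]
    param(
        # Returns only the processing run(s) chosen by Activity (correlation) ID
        [Switch]$SingleProcessRun
    )

    $LogName = 'Microsoft-Windows-GroupPolicy/Operational'

    # Start events of a policy processing run, mapped to what triggered the run.
    $LoginEventIds = @{
        4000 = 'Computer Boot'
        4001 = 'User Logon'
        4002 = 'Computer Network Change'
        4003 = 'User Network Change'
        4004 = 'Computer Manual Update'
        4005 = 'User Manual Update'
        4006 = 'Computer Background Refresh'   # was mislabeled 'Computer Backup Refresh'
        4007 = 'User Background Refresh'
    }

    # Calculated property that translates the event ID into the trigger name.
    $LoginEvent = @{
        name       = 'LoginEvent'
        expression = { $LoginEventIds.($_.ID) }
    }

    If ( $SingleProcessRun ) {
        # Out-GridView -PassThru returns whatever rows the operator selects;
        # nothing is returned when the dialog is cancelled.
        # (A "Sort-Object -Property TimeCreated" stage was disabled in the original.)
        [Array]$ActivityID = Get-WinEvent -FilterHashtable @{
                Logname = $LogName
                ID      = 4000,4001,4002,4003,4004,4005,4006,4007
            } |
            Select-Object -Property TimeCreated,ActivityID,$LoginEvent |
            Out-GridView -PassThru

        Foreach ( $Activity in $ActivityID ) {
            # A start event without a correlation ID cannot be matched to a run;
            # skip it instead of querying for the meaningless ID '{}'.
            If ( -not $Activity.ActivityId ) {
                Write-Verbose "Skipping event from $($Activity.TimeCreated): no Activity ID recorded."
                Continue
            }

            # The value is a typed GUID taken from the event record, not free
            # text, so interpolating it cannot change the shape of the XPath query.
            $GUID = '{' + $Activity.ActivityId.Guid + '}'
            Get-WinEvent -Logname $LogName -FilterXPath "*/System/Correlation[@ActivityID='$GUID']"
        }
    }
    Else {
        Get-WinEvent -Logname $LogName
    }
}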