Report for - Create / Delete / Modify Organizational Units
PrzemyslawKlys opened this issue · 2 comments
PrzemyslawKlys commented
Needs work:
# Draft report definition for organizational unit (OU) changes read from the Security log.
# The report-level switch below is $false, so this draft is defined but not enabled.
ADOrganizationalUnitChangesDetailed = [ordered] @{
    Enabled = $false
    # Single event source for this report.
    Events = @{
        Enabled = $true
        # Windows directory-service change events:
        #   5136 = object modified, 5137 = object created,
        #   5139 = object moved,    5141 = object deleted.
        # 5138 (object undeleted) is not listed, so restores from the AD Recycle Bin would not show up here.
        # NOTE(review): domain controllers log these events only when the "Audit Directory Service Changes"
        # subcategory is enabled and the object carries a matching SACL; without both the report stays
        # empty rather than failing - confirm the audit policy before relying on it.
        Events = 5136, 5137, 5139, 5141
        LogName = 'Security'
        # Presumably keeps only events whose ObjectClass field equals 'organizationalUnit',
        # since the same event IDs are logged for every object class - confirm against the filter engine.
        Filter = @{
            'ObjectClass' = 'organizationalUnit'
        }
        # Names a converter for the OperationType field; presumably it turns the raw operation
        # code into readable text - confirm against ConvertFrom-OperationType.
        Functions = @{
            'OperationType' = 'ConvertFrom-OperationType'
        }
        # The Fields mapping below is commented out in this draft, so no column selection or renaming is defined.
        # NOTE(review): the 'ObjectDN' label reads 'Computer Object', which looks carried over from a
        # computer-object report; for this report it should name the organizational unit.
        <#
        Fields = [ordered] @{
        'Computer' = 'Domain Controller'
        'Action' = 'Action'
        'OperationType' = 'Action Detail'
        'Who' = 'Who'
        'Date' = 'When'
        'ObjectDN' = 'Computer Object'
        'AttributeLDAPDisplayName' = 'Field Changed'
        'AttributeValue' = 'Field Value'
        # Common Fields
        'RecordID' = 'Record ID'
        'ID' = 'Event ID'
        'GatheredFrom' = 'Gathered From'
        'GatheredLogName' = 'Gathered LogName'
        }
        #>
        # NOTE(review): 'Record ID' is a display label that only the commented-out Fields block defines;
        # verify that sorting still works while Fields is disabled.
        SortBy = 'Record ID'
        Descending = $false
        # Empty: no word-based exclusions are configured.
        IgnoreWords = @{}
    }
}
PrzemyslawKlys commented
Will be added in 2.0.10
PrzemyslawKlys commented
This is the final definition that covers Create/Delete/Modify/Move.
# Report definition for organizational unit (OU) create / delete / modify / move activity,
# built from directory-service change events in the Security log.
ADOrganizationalUnitChangesDetailed = [ordered] @{
    Enabled = $true
    # Single event source for this report.
    OUEventsModify = @{
        Enabled = $true
        # Windows directory-service change events:
        #   5136 = object modified, 5137 = object created,
        #   5139 = object moved,    5141 = object deleted.
        # 5138 (object undeleted) is not listed, so restores from the AD Recycle Bin would not show up here.
        # NOTE(review): domain controllers log these events only when the "Audit Directory Service Changes"
        # subcategory is enabled and the object carries a matching SACL; without both the report stays
        # empty rather than failing - confirm the audit policy before relying on it.
        Events = 5136, 5137, 5139, 5141
        LogName = 'Security'
        # Presumably keeps only events whose ObjectClass field equals 'organizationalUnit',
        # since the same event IDs are logged for every object class - confirm against the filter engine.
        Filter = @{
            'ObjectClass' = 'organizationalUnit'
        }
        # Names a converter for the OperationType field; presumably it turns the raw operation
        # code into readable text - confirm against ConvertFrom-OperationType.
        Functions = @{
            'OperationType' = 'ConvertFrom-OperationType'
        }
        # Appears to map event property names (left) to report column headings (right);
        # the ordered hashtable fixes the column order.
        Fields = [ordered] @{
            'Computer' = 'Domain Controller'
            'Action' = 'Action'
            'OperationType' = 'Action Detail'
            'Who' = 'Who'
            'Date' = 'When'
            'ObjectDN' = 'Organizational Unit'
            'AttributeLDAPDisplayName' = 'Field Changed'
            'AttributeValue' = 'Field Value'
            #'OldObjectDN' = 'OldObjectDN'
            #'NewObjectDN' = 'NewObjectDN'
            # Common Fields
            'RecordID' = 'Record ID'
            'ID' = 'Event ID'
            'GatheredFrom' = 'Gathered From'
            'GatheredLogName' = 'Gathered LogName'
        }
        # Each rule reads: target column = field to test, value to match, replacement text.
        # Presumably, when 'Action' equals the quoted event message, 'Action Detail' is set to the
        # literal label on the right - confirm against the Overwrite implementation.
        # The '#1'..'#3' suffixes presumably let several rules address the same column, because
        # hashtable keys must be unique.
        # No rule is defined for modify events (5136), so their 'Action Detail' keeps the converted OperationType.
        Overwrite = @{
            'Action Detail#1' = 'Action', 'A directory service object was created.', 'Organizational Unit Created'
            'Action Detail#2' = 'Action', 'A directory service object was deleted.', 'Organizational Unit Deleted'
            'Action Detail#3' = 'Action', 'A directory service object was moved.', 'Organizational Unit Moved'
            #'Organizational Unit' = 'Action', 'A directory service object was moved.', 'OldObjectDN'
            #'Field Changed' = 'Action', 'A directory service object was moved.', ''
            #'Field Value' = 'Action', 'A directory service object was moved.', 'NewObjectDN'
        }
        # OverwriteByField replaces a column's value with the value of another field from the same event.
        # It is useful when an event leaves some of the mapped columns empty and you want to use them
        # for other content.
        # For move events this puts the old DN into 'Organizational Unit' and the new DN into 'Field Value',
        # so a moved OU's row shows where it came from and where it went.
        OverwriteByField = @{
            'Organizational Unit' = 'Action', 'A directory service object was moved.', 'OldObjectDN'
            #'Field Changed' = 'Action', 'A directory service object was moved.', ''
            'Field Value' = 'Action', 'A directory service object was moved.', 'NewObjectDN'
        }
        # Rows are ordered by the 'Record ID' column, ascending.
        SortBy = 'Record ID'
        Descending = $false
        # Empty: no word-based exclusions are configured.
        IgnoreWords = @{}
    }
}