0

我启用了审核事件组策略,然后将我的测试帐户添加到 Groupname11。

当我尝试在没有注释掉其他组名的情况下运行它时,我没有从$Events.

我不明白我做错了什么?

$Groups = @(
    #"Groupname8"
    #"Groupname9"
    #"AGroupname10"
    "Groupname11"
    #"Groupname12"
    )
    
    Foreach ($Group in $Groups){
    $Events = Get-WinEvent -FilterHashtable @{logname = 'Security'; ID = 4728; } | Where-Object {$_.Properties.Value -like "*$($Groups)*"}
    }
    $Events
4

1 回答 1

2

您当前正在覆盖 $Events循环的每次迭代。

将分配移出循环,以便捕获所有组的事件$Events

$Groups = @(
    "Groupname8"
    "Groupname9"
    "AGroupname10"
    "Groupname11"
    "Groupname12"
)

$Events = Foreach ($Group in $Groups) {
    Get-WinEvent -FilterHashtable @{logname = 'Security'; ID = 4728; } | Where-Object { $_.Properties.Value -like "*$($Groups)*" }
}

$Events
于 2022-02-24T10:40:55.427 回答