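# Collect "member removed from a security-enabled local group" events (ID 4733)
# from every server named in server_list.txt (one hostname per line) and append
# the event messages to c:\temp\logs\<server>.txt.
$comp = Get-Content "server_list.txt"
$path = "c:\temp\logs"
foreach ($entry in $comp) {
    # Blank lines in the server list would otherwise produce a "\.txt" file and a
    # query against an empty computer name.
    if ([string]::IsNullOrWhiteSpace($entry)) { continue }
    $entry = $entry.Trim()
    $fullname = Join-Path $path ($entry + ".txt")
    # 4733 = member removed from a security-enabled local group (any such group, not
    # only Administrators). Output is appended, so re-running duplicates entries.
    try {
        Get-EventLog -LogName Security -ComputerName $entry -ErrorAction Stop |
            Where-Object { $_.EventID -eq 4733 } |
            Format-Table -Wrap -Property Message |
            Out-File -FilePath $fullname -Append
    } catch {
        # Report unreachable servers / access denied explicitly instead of letting the
        # error scroll past and moving on with a missing file.
        Write-Warning "Could not read the Security log from '$entry': $($_.Exception.Message)"
    }
}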
The next script is then used to parse these logs:
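# Parse the per-server dumps written by the collection script: take the SID of each
# removed member from the line following "Member:", de-duplicate, and emit one small
# .ps1 per server that translates each SID to an NTAccount name via .Translate().
$comp = Get-Content "c:\temp\nonEmpty.txt"
$path = "c:\temp\logs\nonEmpty"
# A well-formed SID: "S-1-" followed by dash-separated decimal sub-authorities.
# Only text matching this pattern is written into the generated script, so an
# unexpected line in the event dump can never end up as code that gets executed.
$sidPattern = 'S-1-\d+(-\d+)+'
foreach ($entry in $comp) {
    if ([string]::IsNullOrWhiteSpace($entry)) { continue }
    $entry = $entry.Trim()
    $fullname = Join-Path $path ($entry + ".txt")
    # The line after "Member:" carries the "Security ID:" field. Extract the SID by
    # pattern instead of a fixed 24-character offset, which silently yields garbage
    # when the label/tab layout differs.
    $sid = Get-Content $fullname |
        Select-String "Member:" -Context 0,1 |
        ForEach-Object { $_.Context.PostContext }
    $sidonly = foreach ($s in $sid) {
        if ($s -match $sidPattern) { $Matches[0] }
    }
    $sid_tmp = Join-Path $path ($entry + "_tmp.txt")
    $sidonly | Sort-Object -Unique | Out-File -FilePath $sid_tmp
    $sid_path = Join-Path $path ($entry + "_sid.ps1")
    # The generated script contains nothing but validated SID literals. Calling the
    # same .Translate() here on $_ would avoid producing executable files at all.
    Get-Content $sid_tmp |
        ForEach-Object { $_.TrimEnd() } |
        Where-Object { $_ -match ('^' + $sidPattern + '$') } |
        ForEach-Object { '([System.Security.Principal.SecurityIdentifier]("' + $_ + '")).Translate([System.Security.Principal.NTAccount]).Value' } |
        Set-Content $sid_path
}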
The output of this script is a list of .ps1 files. When you launch such a file, its output gives you the list of users/groups that were removed from the local Administrators group on a specific server.