June 2011 Archives

First rule: do not take snapshots in your production environment, whether it's VMware or Hyper-V. A snapshot is a differencing disk chained to the original, and if anything in that chain gets corrupted the data behind it is at risk.

Now if you IGNORED this rule, or you HAD to do something that insisted on it happening, don't sweat it.

The problem is that sometimes we (as humans) make mistakes. The snapshot gets taken *and* gets forgotten about. So you have to merge it.

Normally in Hyper-V, once you delete the snapshot, the merge starts automatically the next time the virtual machine is shut down. That is the norm.

But factors can affect this. Space, Murphy and the Unknown are the uncontrollable factors we professionals have to deal with. However, it's good to know there is a fallback. You can do it manually.


Yes, manually. Now no matter how much data you have, no matter how long it takes... BACK IT UP FIRST!!!

I say this because you always (no matter your skill set, no matter what you think SHOULD happen) have to plan for the UNexpected. Power outage, corrupt files on the server, the host dying during the process. Fortunately, in my experience Hyper-V is well designed for the unexpected.

Let's also think about just what an AVHD file is. It is a differencing disk: it holds only the blocks that changed since its parent, plus a pointer back to that parent (the base VHD for the first snapshot, the previous AVHD for every later one). When Hyper-V merges, it walks those changed blocks and writes them down into the parent, so an interrupted merge usually leaves you with a chain you can resume rather than a scrambled disk. "Usually" is exactly why you took that backup.

But if you need to do a manual merge (perhaps you would like to rebuild those files offline to avoid issues?) this is also a simple process. (Although scary the first time you try it!)

Rename all the "AVHD" files to VHD (just the extension; leave the rest of the name alone).

Go to Hyper-V and choose "Edit Disk". Browse to the folder of the files.

Find the NEWEST file (that was an AVHD and is now a VHD) and select it.

You MAY get an option to "Reconnect to Parent". This is normal if you have MULTIPLE AVHD files, because each child records its parent's original name and you just renamed it. Take note of the ORIGINAL filename shown and connect to that file in your current folder (if you read the screen, Hyper-V is actually prompting you). The first snapshot's AVHD refers to the original VHD; every later AVHD refers to the PREVIOUS AVHD.

If you get a Reconnect, choose the proper file, go back to Edit Disk and reselect the newest file again. You will now be presented with "Compact" or "Merge" as your options. Choose "Merge", and when asked, merge to the parent virtual hard disk (merging to a new disk needs the full space all over again).

Let the file merge (depending on the size it could take a bit; don't worry and don't panic).

Repeat the process going back one file at a time until you only have your VHD.

If you're concerned about the content afterwards and don't want to chance a boot, remember that in Server 2008 R2 (and Windows 7) Disk Management can attach the VHD read-only so you can verify the content. Plain Server 2008 has no native VHD attach, so there you would have to hang the disk off a helper VM instead.

Now in my case my Hyper-V files are well organized. You may find yours are still in the default location, like C:\ProgramData\Microsoft\Windows\Hyper-V. But one of the nice things about the AVHD files (snapshots) is that they mimic the name of the VHD file. So if your parent VHD was called


you'll find the AVHD files will have names like


Even if you have to go digging, you usually don't have to dig far.

Also some more details I found out.

600 gigabytes on a strong RAID 5 controller over SAN is about 6 hours to merge. I found similar numbers when working directly from RAID 5 SATA drives.

It will merge one AVHD file at a time. This is good to know because if you're watching you WILL actually see the AVHD files disappear, newest to oldest (as the newest is merged INTO its predecessor).

It does NOT build a "NEW" VHD file, so disk space (as far as I can tell) is NOT an issue unless the parent is meant to "grow" in the process. A dynamically expanding parent does grow by the blocks merged into it; a fixed-size parent does not. But between the parent and the removed child, you should be ok...

So just remember. Don't panic if you have a massive amount to merge. It will happen. If you're nervous, copy the files ELSEWHERE and do the manual merge on the copies in Hyper-V. The good part there is you can mount it all afterwards to verify the status.

.... Most of all just be cautious, but be confident. It will all work out.
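Before renaming anything it helps to know the exact parent chain, because the rename-then-merge steps above depend on merging the newest disk into its own parent in order, and a chain whose stored path no longer matches is what triggers the "Reconnect to Parent" prompt. The following is an added example, not code from the original post: it reads the parent pointer straight out of each .avhd using the footer and dynamic-header layouts in Microsoft's VHD specification, follows the chain down to the base .vhd, opens every file shared-read so a handle Hyper-V still holds does not block it, writes nothing, and falls back to the same file name in the local folder when the stored absolute path does not exist any more (the case when you copied the files elsewhere). Function names, the temp folder and the file names are mine, and the small builder at the end writes constructed, non-bootable stand-in files so the script can be run without real snapshots.

```powershell
# Added example (not from the original post). Reads the parent pointer of
# differencing disks (.avhd) and prints the chain newest -> base, i.e. the
# order the manual merge has to follow. Layout per the Microsoft VHD spec:
#   footer         = last 512 bytes, cookie "conectix", Disk Type at 60 (4 = differencing),
#                    Data Offset at 16 (8-byte big-endian) -> dynamic header
#   dynamic header = 1024 bytes, cookie "cxsparse", Parent Unicode Name at 64 (512 bytes, UTF-16BE)
# Written for PowerShell 2.0 (no -shl), no Hyper-V module required.

function Read-BigEndianUInt {
    param([byte[]]$Bytes, [int]$Offset, [int]$Width)
    $slice = New-Object byte[] $Width
    [Array]::Copy($Bytes, $Offset, $slice, 0, $Width)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($slice) }
    if ($Width -eq 8) { [BitConverter]::ToUInt64($slice, 0) } else { [BitConverter]::ToUInt32($slice, 0) }
}

function Get-VhdParentName {
    # Returns the parent path stored in a differencing disk, or $null for fixed/dynamic disks.
    param([string]$Path)
    # FileShare ReadWrite: a handle still held by Hyper-V must not block a read-only peek.
    $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $footer = New-Object byte[] 512
        $null = $fs.Seek(-512, [IO.SeekOrigin]::End)
        if ($fs.Read($footer, 0, 512) -ne 512) { throw "$Path is too short to be a VHD" }
        if ([Text.Encoding]::ASCII.GetString($footer, 0, 8) -ne 'conectix') { throw "$Path has no VHD footer" }
        $diskType = Read-BigEndianUInt $footer 60 4          # 2 fixed, 3 dynamic, 4 differencing
        if ($diskType -ne 4) { return $null }
        $headerOffset = Read-BigEndianUInt $footer 16 8
        $header = New-Object byte[] 1024
        $null = $fs.Seek([long]$headerOffset, [IO.SeekOrigin]::Begin)
        if ($fs.Read($header, 0, 1024) -ne 1024) { throw "$Path has a truncated dynamic header" }
        if ([Text.Encoding]::ASCII.GetString($header, 0, 8) -ne 'cxsparse') { throw "$Path has a bad dynamic header cookie" }
        return [Text.Encoding]::BigEndianUnicode.GetString($header, 64, 512).TrimEnd([char]0)
    }
    finally { $fs.Close() }
}

function Get-VhdChain {
    # Newest disk first, base .vhd last. The stored name is the absolute path at
    # snapshot time; if it is gone (files copied elsewhere), look beside the child.
    param([string]$Path)
    $chain = @()
    $seen  = @{}
    $current = (Resolve-Path -LiteralPath $Path).Path
    while ($current) {
        if ($seen.ContainsKey($current.ToLower())) { throw "Parent loop detected at $current" }
        $seen[$current.ToLower()] = $true
        $chain += $current
        $parent = Get-VhdParentName $current
        if (-not $parent) { break }
        if (-not (Test-Path -LiteralPath $parent)) {
            $local = Join-Path (Split-Path -Parent $current) (Split-Path -Leaf $parent)
            if (-not (Test-Path -LiteralPath $local)) { throw "Parent of $current not found: $parent" }
            $parent = $local
        }
        $current = (Resolve-Path -LiteralPath $parent).Path
    }
    return ,$chain
}

function New-StandInVhd {
    # Constructed test input: footer copy + dynamic header + footer, just enough for the
    # parser above. NOT a mountable disk. Omit -ParentPath to get a "fixed" base disk.
    param([string]$Path, [string]$ParentPath)
    $footer = New-Object byte[] 512
    [Text.Encoding]::ASCII.GetBytes('conectix').CopyTo($footer, 0)
    if (-not $ParentPath) {
        $footer[63] = 2                                       # disk type 2 = fixed, no header
        [IO.File]::WriteAllBytes($Path, $footer); return
    }
    $footer[63] = 4                                           # disk type 4 = differencing
    $dataOffset = [BitConverter]::GetBytes([uint64]512)       # header sits right after the footer copy
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($dataOffset) }
    $dataOffset.CopyTo($footer, 16)
    $header = New-Object byte[] 1024
    [Text.Encoding]::ASCII.GetBytes('cxsparse').CopyTo($header, 0)
    [Text.Encoding]::BigEndianUnicode.GetBytes($ParentPath).CopyTo($header, 64)
    [IO.File]::WriteAllBytes($Path, [byte[]]($footer + $header + $footer))
}

# Demo on stand-in files (names assumed); against real files just call Get-VhdChain on the newest .avhd
$dir   = Join-Path $env:TEMP 'avhd-chain-demo'
$null  = New-Item -ItemType Directory -Path $dir -Force
$base  = Join-Path $dir 'Server01.vhd'
$snap1 = Join-Path $dir 'Server01_1111.avhd'
$snap2 = Join-Path $dir 'Server01_2222.avhd'
New-StandInVhd -Path $base
New-StandInVhd -Path $snap1 -ParentPath 'D:\OldHost\Server01.vhd'   # stale absolute path: local fallback kicks in
New-StandInVhd -Path $snap2 -ParentPath $snap1
$chain = Get-VhdChain $snap2
"Merge order (newest -> base):"
$i = 1; foreach ($disk in $chain) { "  {0}. {1}" -f $i, $disk; $i++ }
```

Run it against the newest .avhd before you touch the folder; if it throws "not found" for a parent, that is the file the Edit Disk wizard will ask you to reconnect, and a "loop detected" means the chain is already damaged and the backup is what you merge from.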

Here's an easy "Don't panic!" situation.

You've got a VHD file. You've adjusted it to allow more space in "Edit Disk". When you go into Server 2008 / 2008 R2 and extend the free space in Disk Management you get some confusion.

Disk Management shows the correct number but the file system shows the old number. Rebooting doesn't fix it either!

So... before you go running to the datacenter cursing the gods, try this.

Odds are the server was a high-usage thing with big files (like Exchange or SQL, etc.).

Before you reboot, make sure anything that can cause it to "get busy" is switched to Manual (SQL instance, Exchange datastore) and reboot. Do this in the safest manner, of course.

Shut the server down again, adjust the space a bit larger (any amount, 1 GB or 20 GB) and then power the machine up again.

Now that the computer is running in a, say, "less frantic" state, try re-extending the partition. Odds are it'll work this time.

I ran into this and I'm presuming it's a case of the partition table being updated but the file system not. I'm not sure on the DEEP details, but here's what worked for me.

Maybe it'll help you out.
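Whether that presumption holds is something you can check before the shutdown dance, with an added example (mine, not the post's): compare each volume's own size with the partition beneath it through WMI. A partition that is larger than its file system by more than a little slack is exactly the "Disk Management shows the new number, the file system shows the old one" state, and diskpart's extend filesystem grows the file system in place without resizing the VHD again. The 64 MB threshold and the drive letter in the usage lines are assumptions; the diskpart script is written to a file and shown, not executed.

```powershell
# Added example (not from the post): find volumes whose partition grew but whose
# file system did not. Win32_LogicalDisk.Size is what the file system believes;
# Win32_DiskPartition.Size is what the partition table says; the association
# class ties the two together. Works remotely via -ComputerName.
function Get-UnextendedVolume {
    param([string]$ComputerName = '.', [int]$SlackMB = 64)   # 64 MB tolerance is my assumption
    $links = Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalDiskToPartition
    foreach ($link in $links) {
        $disk = [wmi]$link.Dependent        # Win32_LogicalDisk   (drive letter / file system)
        $part = [wmi]$link.Antecedent       # Win32_DiskPartition (what Disk Management draws)
        $gapMB = [math]::Round(([double]$part.Size - [double]$disk.Size) / 1MB)
        New-Object PSObject -Property @{
            Computer    = $ComputerName
            Drive       = $disk.DeviceID
            Partition   = $part.DeviceID
            PartitionGB = [math]::Round([double]$part.Size / 1GB, 1)
            VolumeGB    = [math]::Round([double]$disk.Size / 1GB, 1)
            UnusedMB    = $gapMB
            # a few MB of slack is normal; a gap the size of your extension is the symptom
            NeedsExtend = ($gapMB -gt $SlackMB)
        }
    }
}

function New-ExtendFileSystemScript {
    # diskpart input that grows the file system to fill its partition (Vista/2008 and later)
    param([string]$DriveLetter)
    @"
select volume $($DriveLetter.TrimEnd(':'))
extend filesystem
"@
}

Get-UnextendedVolume | Format-Table Drive, PartitionGB, VolumeGB, UnusedMB, NeedsExtend -AutoSize

# For any drive flagged NeedsExtend (E: assumed here), write the script and review it, then:
#   diskpart /s "$env:TEMP\extend-e.txt"
New-ExtendFileSystemScript 'E:' | Set-Content "$env:TEMP\extend-e.txt"
Get-Content "$env:TEMP\extend-e.txt"
```

If every volume comes back with a few MB of slack, the file system already matches the partition and the problem is somewhere else; if one shows a gap the size of your Edit Disk extension, the file system simply never picked it up and extend filesystem is a quieter fix than another round of resizing.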

”The Energized Tech”

So you think you know how to make an advanced function. I thought I did. Then I started messing about with HANDLE.EXE from Sysinternals and was REALLY getting into automating that baby with pipelines and whatnot.

It was all working so beautifully UNTIL....

That's right, "Until..." Until I accidentally ended up closing ALL the files in the entire O/S with a typo (well, most of them!).

It was then I decided that until I got it so you could pass a -WhatIf properly, I wasn't sharing my new toy with the world, as it would have been a dangerous release indeed. There is a VERY important reason Mr. Russinovich did NOT release a utility that in ONE LINE would have closed everything on a server.

But thanks to PowerShell, we can pull out his safety net, automate it and bring in a new one.

The trick with using -WhatIf is enabling CmdletBinding in the advanced function and marking SupportsShouldProcess as $true.

Something like this

Function global:Close-OpenFile {
    [CmdletBinding(SupportsShouldProcess=$true)]

This of course is just the top of a function called "Close-OpenFile" that has CmdletBinding enabled with SupportsShouldProcess.

With this on, it's very simple to use the -WhatIf parameter. You need only add a line like this in your Process block:

if ($PSCmdlet.ShouldProcess('Jibberish')) { BlockOfCodeToExecuteIfNoWhatIf }

It messed me up the first time. The $PSCmdlet.ShouldProcess() method returns $true if -WhatIf is NOT in use. If it IS, it returns $false and outputs a statement similar to the one below, where 'Jibberish' is replaced with whatever you passed in, which should name the thing about to be acted on (the file, the handle, the account). The same call is what makes -Confirm work: with -Confirm it prompts and returns whatever the operator answered, so the destructive code belongs inside that if and nowhere else.

What if: Performing operation "Close-OpenFile" on Target "Jibberish".

Neat, eh? First time I did it, I got the code backwards and closed everything. But there you go.

-WhatIf is EASY to implement and the GREATEST feature of Windows PowerShell: a live failsafe!

Special thanks to Kirk "Poshoholic" Munro and Shay Levy for the help in educating me. An especially big thanks to James Brundage for being a soundboard for other things.
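As an added example (not the author's Close-OpenFile, which the post withholds), here is how the pieces fit around handle.exe: a parser that turns handle.exe's search output into objects, and an advanced function that closes a handle only when ShouldProcess says so. The line format it parses is my assumption about what handle.exe prints, and the sample lines are constructed, so the dry run works with no handle.exe installed; the close itself uses handle.exe's documented -c, -p and -y switches. ConfirmImpact is set to High so that without -WhatIf the function prompts for every handle unless you pass -Confirm:$false, which is the safety net the post is after.

```powershell
# Added example (not the original Close-OpenFile). A pipeline-aware advanced
# function around Sysinternals handle.exe that honours -WhatIf and -Confirm.
# Assumption (mine): handle.exe search output looks like
#   "notepad.exe  pid: 3396  type: File  4C: C:\Temp\report.docx"
# The sample lines below are constructed so the dry run needs no handle.exe.

function ConvertFrom-HandleOutput {
    # Parse handle.exe search lines into objects; lines that do not match are dropped.
    param([Parameter(ValueFromPipeline=$true)][string]$Line)
    process {
        if ($Line -match '^(?<proc>\S+)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\S+)\s+(?<handle>[0-9A-Fa-f]+):\s*(?<path>.+?)\s*$') {
            New-Object PSObject -Property @{
                ProcessName = $Matches['proc']
                ProcessId   = [int]$Matches['pid']
                Type        = $Matches['type']
                Handle      = $Matches['handle']
                Path        = $Matches['path']
            }
        }
    }
}

function Close-OpenFile {
    # ConfirmImpact High: prompts for each close unless -Confirm:$false is given.
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param(
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)][int]$ProcessId,
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)][string]$Handle,
        [Parameter(ValueFromPipelineByPropertyName=$true)][string]$Path = '<unknown>'
    )
    process {
        $target = '{0} (handle 0x{1} in PID {2})' -f $Path, $Handle, $ProcessId
        # Runs ONLY when ShouldProcess returns $true. Under -WhatIf it prints
        # "What if: Performing operation "Close handle" on Target ..." and returns $false.
        if ($PSCmdlet.ShouldProcess($target, 'Close handle')) {
            & handle.exe -c $Handle -p $ProcessId -y | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Error "handle.exe returned $LASTEXITCODE for $target" }
        }
    }
}

# Constructed stand-in for `handle.exe C:\Temp` output (not real output):
$sample = @(
    'notepad.exe        pid: 3396   type: File           4C: C:\Temp\report.docx',
    'EXCEL.EXE          pid: 1200   type: File          1A8: C:\Temp\budget.xlsx',
    'No matching handles found.'
)
$open = $sample | ConvertFrom-HandleOutput

# Dry run: one "What if:" line per handle, nothing closed.
$open | Close-OpenFile -WhatIf

# A real run prompts per handle; narrow the input first, then skip the prompt deliberately:
# $open | Where-Object { $_.Path -like '*report*' } | Close-OpenFile -Confirm:$false
```

The filtering happens before the function, on objects, so the typo that bites is a wrong Where-Object clause that -WhatIf will show you as a list of targets rather than a list of closed files.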

The Power of Shell is in all of us. RELEASE IT!

the Energized Tech

Had to deal with a Blackout in a Datacenter.  It got turned into a song

Original tune “What About Now” by “Daughtry”

"What about the Power?"

Staring at an empty door
Locked within the night
Feet pound madly at the floor
Take away the fright

Heat is building up inside
Screaming Banshee fans

Beeping Daemons call the while
Auditory stab
Not Simulated or a trial
This is not a lab

Use your iDracs and RDP
To protect the LANs from
System outage


What about the Power?
What about A/C?
I am so enraged you see
Maglocks are engaged from me

What about the Power?
Why now here and me?
What if I don't have the time
To bring it all back online?

I am resigned to this fate
"..What about the power..."

No more BES and no more mail
Servers quiet down
My mind shouts out a pleading wail
Thoughts flow to a frown

Will my cluster live again
will it return to me
when Juice is flowing?


What about the Power?
What about A/C?
I am so enraged you see
Maglocks are engaged from me

What about the Power?
Why now here and me?
What if I don't have the time
To bring it all back online?

I am resigned to this fate

Here is the Power
Flash in the Night
Catalyst Live
the Switches
Glowing Breathe
Now my vision is clear
Now it's not so BOR-ING
Begin to start RE-STOR-ING

Why'd we the lose the Power?
Can't see why you see
That it would choose this hour
When there was only me

Why'd we the lose the Power?
Failed before I flee
Deep down inside I know
I sensed I could never go

What about the Power?
What about A/C?
I am so enraged you see
Maglocks are engaged from me

What about the Power?
Why now here and me?
What if I don't have the time
To bring it all back online?

I am resigned to this fate
I am resigned to my fate
Will not complain of my fate

Wait for the Power...

Here's a quick one. Your data center lost ALL power. Everything was drained off the battery from an extended outage.

Things boot up except for one problem. The cluster is completely offline!

But in a Server 2008 / 2008 R2 cluster you could just be ok. Check of course to ensure your connections to the iSCSI storage are good. Don't worry if you find nothing starts. DON'T PRESS THE "FORCE CLUSTER START" OPTION.

Seriously, don't. This (as the option will warn you) can BREAK the cluster and cause a loss of configuration.

Just do the less obvious option. Validate the cluster. Just literally do what you did originally. Give it the names of the servers in the cluster in the Validation wizard. Even if you miss one it will check AD and populate the rest. Don't worry about the initial warnings and just do the basic tests.

It should take a few minutes, after which you MAY well find you HAVE the cluster back with all its resources.

You still might be into some cleanup, reattaching this, bringing that online (or maybe not).

But odds are you didn't lose it all. Just keep your wits about you and keep it cool.

”The Energized Tech”

Most four- to five-year-old machines don't actually suck and are pretty decent. But if you're a tech trying to put together a lab to play with, you're probably tight on resources.

I know I was.

Hyper-V and a modern-day machine sure make it easier. But if you're trying to build on your skill set and learn clustering, well, the average iSCSI device on eBay still isn't cheap.

Or is it?

With free solutions such as StarWind iSCSI SAN, FreeNAS or the Microsoft iSCSI Software Target, there's no longer an excuse not to have a SAN to play with so you can practice in a REAL clustering environment. (The Microsoft iSCSI Software Initiator is the client side and is already built into Server 2008 and later; it's the Target that turns a spare box into shared storage.)

Here's the cool part I ran into. Most of these 4+ year old machines have x64 technology and can run Server 2008 R2 Standard (which is the requirement for the Microsoft iSCSI Software Target). A machine such as this (for a test environment) will more than meet your needs.

Or maybe you need to set up such an environment in the office and the budget isn’t there?

You are no longer tied down to that excuse that “I can’t afford a SAN”.   Grab an old machine and use any of the following solutions

StarWind iSCSI SAN


Microsoft iSCSI Software Target

Get your fingers dirty and dip your feet in the “SAN” and enjoy

The Energized Tech

If you're in a smaller environment, most of your users may have a very similar configuration. As your environment grows, however, you may find it trickier to note which group to add the user to or what fax number to jot down depending upon their division or location.

Believe it or not, it can REALLY get out of control.

So we've got this wonderful thing called PowerShell. It should be up to the task, and it most certainly is.

What I decided was to take my original "NEW-USER" script from the TechNet Script Repository and beef it up a bit.

Initially I just assigned some static values to the variables since I wasn't expecting things to grow much and really, this being my first PowerShell script, I just wanted something to make my life easier.

It did too. For 18 months, that script did the job great. But our division grew, we expanded, and the environment got more complex. So I found myself little by little doing a task of "NEW-USER" and then going about making some minor corrections here or there.

After a while that can get irritating and be a real waste of time.

So here was my original approach: simply have a list of variables like so

if ($max -gt 20) { $max = 20 }
$Sam = $Sam.Substring(0, $max)
$Name = $Lastname + ", " + $FirstName
$DisplayName = $Lastname + ", " + $FirstName
$Phone = '212-555-0000 x111'
$Company = 'Contoso Rocks Ltd'
$Office = 'In the Basement with my stapler'
# A generic description for the user
$Description = 'New User'
$ourdomain = '@contoso.local'

So for a small division, this worked. But I needed to expand this a bit.

So I had this idea I was banging about to solve this issue. I decided to create a hash table containing the values unique to each location and division, including the ability to group security groups in bundles.

Here's a basic view of an entry for the Contoso domain in a little tiny itty bitty teeny weeny place called "Redmond", or as I like to think of it, "the Land of the gods".

# Redmond
# Ok, fine.  So it's not REALLY Redmond, WA but a guy can dream, can't he?
@{
    Company='Contoso Rocks Ltd.';
    Address='1 Microsoft Way';
    Office='A Secret Building - Shhhhh';
    Department='These are not the droids you are looking for';
    ExchangeDatabase='CONTOSO-MAIL\First Storage Group\UberGeeks';
    SecurityGroups=("Standard Contoso Documents",
                    "Sharepoint2010 View")
}

So if you look down, you'll see I got fancy and created two sub-arrays within the hash table.

The first one is "Divisions", which, if I have more than one, I can populate with their OUs (presuming my AD is well organized) and the standard security groups I might assign based upon the job task for the user. That's what the "1000" is: a simple string that matches up, position by position, against my list of security-group bundles. "1" means you get this "group of groups" and "0" means no.

As I add bundles to my localized entry in the hash table, I can extend the length of the "1000" string without affecting other entries. Just keep the digits and the bundles in the same order, because a mask that is one position off hands a user somebody else's groups.

Now that I have it as a hash table I can pre-populate things a bit more nicely. So if I had to set up users for Fabrikam off in, say, some location like Charlotte, North Carolina, I simply need to add another entry with the configuration UNIQUE to Charlotte. I can just copy my first table and edit it to meet my needs.

# Charlotte
# Yeah, seems like a fun place.  Rumor has it some 'Scripting Guy' lives near there
@{
    Company='Fabrikam CD Burning.';
    StateProv='North Carolina';
    Address='123 Sesame Street';
    Office='A Small Brown Building';
    ExchangeDatabase='FABRIKAM-SPAM\Third Storage Group\Technet';
    Divisions=("Cookie Cutters","1000"),
              ("Banana Slicers","1100");
    SecurityGroups=("Domain Losers",
                    "Sharepoint2010 View")
}

As I place them in order I can reference them as $ADconfig[0] for Contoso, $ADconfig[1] for Fabrikam, etc.

But I'll bet you're wondering about those security groups and divisions?

Catch you next time on that one. That's part of a "little" script going to the TechNet Script Repository soon. But I'll explain how all that works tomorrow.
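Here is how I would wire the two pieces together, as an added example rather than the script the post promises: an array of hashtables indexed as $ADconfig[0], $ADconfig[1], each Division pairing a name with a mask string, and a lookup that turns the mask into the groups to add. Names, OUs and group values are made up; the mask rule ("1" takes that bundle, "0" skips it) is the one the post describes, and the length and digit checks are my additions so a mask that drifts out of step with the bundle list fails loudly instead of silently granting the wrong groups.

```powershell
# Added example (my wiring of the post's idea, not the author's script). Per-site
# config as an array of hashtables; each Division carries a mask string whose
# Nth character says whether the Nth bundle in SecurityGroups applies.
$ADconfig = @(
    @{  Name             = 'Contoso'
        Company          = 'Contoso Rocks Ltd.'
        OU               = 'OU=Redmond,DC=contoso,DC=local'      # assumed OU layout
        Domain           = '@contoso.local'
        ExchangeDatabase = 'CONTOSO-MAIL\First Storage Group\UberGeeks'
        # bundles ("groups of groups"); position matters, it is what the mask indexes
        SecurityGroups = @(
            @('Standard Contoso Documents', 'Sharepoint2010 View'),   # 1st bundle: everyone
            @('Finance Share RW'),                                    # 2nd
            @('Helpdesk Tools', 'Remote Desktop Users'),              # 3rd
            @('Domain Admins')                                        # 4th: nobody by default
        )
        Divisions = @(
            @('Cookie Cutters', '1000'),
            @('Banana Slicers', '1100'),
            @('IT',             '1010')
        )
    },
    @{  Name = 'Fabrikam'; Company = 'Fabrikam CD Burning.'; OU = 'OU=Charlotte,DC=fabrikam,DC=local'
        Domain = '@fabrikam.local'; ExchangeDatabase = 'FABRIKAM-SPAM\Third Storage Group\Technet'
        SecurityGroups = @( @('Fabrikam Users', 'Sharepoint2010 View'), @('Burner Operators') )
        Divisions      = @( @('Burning', '11'), @('Shipping', '10') )
    }
)

function Get-UserGroups {
    # Expand a division's mask against its site's bundles into a flat, de-duplicated group list.
    param([int]$SiteIndex, [string]$Division)
    $site  = $ADconfig[$SiteIndex]
    $entry = $null
    foreach ($d in $site.Divisions) { if ($d[0] -eq $Division) { $entry = $d; break } }
    if (-not $entry) { throw "No division '$Division' at site $($site.Name)" }
    $mask = $entry[1]
    if ($mask.Length -ne $site.SecurityGroups.Count) {
        throw ("Mask '{0}' has {1} digits but {2} defines {3} bundles" -f $mask, $mask.Length, $site.Name, $site.SecurityGroups.Count)
    }
    $groups = @()
    for ($i = 0; $i -lt $mask.Length; $i++) {
        switch ($mask[$i]) {
            '1'     { $groups += $site.SecurityGroups[$i] }
            '0'     { }
            default { throw "Mask '$mask' contains '$($mask[$i])'; only 0 and 1 are allowed" }
        }
    }
    return ,@($groups | Select-Object -Unique)
}

function New-UserPlan {
    # Everything New-User needs for one person, derived from the site entry (display only; nothing is created).
    param([int]$SiteIndex, [string]$Division, [string]$FirstName, [string]$LastName)
    $site = $ADconfig[$SiteIndex]
    $sam  = ($FirstName.Substring(0, 1) + $LastName).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }      # pre-Windows 2000 logon name limit
    New-Object PSObject -Property @{
        SamAccountName    = $sam
        UserPrincipalName = $sam + $site.Domain
        DisplayName       = "$LastName, $FirstName"
        Path              = $site.OU
        Company           = $site.Company
        Department        = $Division
        Database          = $site.ExchangeDatabase
        Groups            = Get-UserGroups -SiteIndex $SiteIndex -Division $Division
    }
}

New-UserPlan 0 'Banana Slicers' 'John' 'Smith' | Format-List
# Groups: Standard Contoso Documents, Sharepoint2010 View, Finance Share RW  (mask 1100)
New-UserPlan 1 'Shipping' 'Ann' 'Lee' | Format-List
# Groups: Fabrikam Users, Sharepoint2010 View                                 (mask 10)
```

The hashtable also makes the review step honest: the plan object can be shown to whoever approves the account before a single Add-QADGroupMember or Add-ADGroupMember runs, which is where most "why does the new hire have Domain Admins" stories would have ended.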

THAT’S a freaking mouthful!

Let's put that into plain ordinary English. An array is an ordered list of values. Most of the time you have a single-level array (one column is how I remember it). Something like this.


The other trick when creating these arrays is if the list is longer than the screen (which makes readability a pain). You can also just break up the lines after each comma, like so.


This is far more readable, and probably easier to count visually.

So to access any of these values you reference the position in the array. Say #4 for "Poodle" flavoured Jello, remembering of course that your arrays start at 0.



A multi-level array is actually multiple columns. To create a multi-level array you enclose each row within parentheses ().

So a multi-level array would look like this. The various sub-levels can be dynamic in size (meaning they don't all have to have the EXACT same number of entries; developers call this a "jagged" array), which is part of the incredible power in Windows PowerShell.


If you were to try accessing members of THIS array by keying in


it would show you the list of "Pie", etc. But since we have enclosed certain sets within parentheses they are treated as a SEPARATE array unto themselves.


would show you "Pie", while if you accessed


it would show you "Lemon", "Apple" and "Chicken". But I can access the individual members of THAT array by specifying their position


which shows "Chicken".

Confused? If I want to access the "Toad" part in "Deserts" (since I've decided that for some reason Frog just wasn't on the menu) I can key in


Is your head spinning enough? It gets worse (or better, depending on how you think): I can mix and match different types of value IN these arrays. But you might not want to do that.

The advantage of all of this is that you can have a list of something, like say divisions in a company, and start matching up security groups by division and location. Say I start with my organizational details like so.

$CompanyDetails=,("New York")

Now we can extend this to the Divisions from Each location.  Some may be larger than others.

$CompanyDetails=,("New York",("Accounting","Management","AGotLost"))

Or some are a bit sillier

We could extend this so that if a user was in a particular company location, they might have certain security groups to work with as well.

$CompanyDetails=,("New York",
("Tough Security","Really Tough"))

("Better than NY","Look out","Whoops Not This Group","Domain Admins"))

("Enterprise Admins","Fans of Powershell"))


So what you have now is an array that is three levels deep that you can easily build upon. The TRICKY part in this equation is if you have to ADD to it. Arrays are fixed in size, so += builds a new array and assigns it back; if I want to create a new entry at a specific point I have to reference that point directly and add to it.

$CompanyDetails[2][1]+=,("Another Stupid Security Group")

Accessing that entry in the array will now have ANOTHER member


Another Stupid Security Group

Is this a perfect example? Probably not. But hopefully it will give you a feel for how you can add to and work with deeper arrays. And yes, if you go really over the top, you can build a really deep rabbit hole.

You are of course best to store much of this information in a SQL database, but sometimes we want to have the data localized to the PowerShell script.
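The snippets this post refers to did not survive, so here is an added example (mine, not the post's) of the same jagged-array mechanics with the traps that bite when a structure like this is edited later: parentheses versus the unary comma, a one-item row collapsing to a string, and += assigning to a copy instead of the slot. The menu data is made up.

```powershell
# Added example (not from the post): jagged arrays, indexing, and the traps.
$menu = @(
    'Pie',
    @('Lemon', 'Apple', 'Chicken'),
    @('Deserts', @('Frog', 'Toad'))
)
$menu[0]            # Pie
$menu[1]            # Lemon Apple Chicken
$menu[1][2]         # Chicken
$menu[2][1][1]      # Toad   (three levels deep)

# Trap 1: parentheses do not make an array; the unary comma (or @()) does.
('Pie').GetType().Name       # String
(,'Pie').GetType().Name      # Object[]  (one element, which is 'Pie')
(,'Pie')[0]                  # Pie

# Trap 2: a one-item row collapses to its item unless you protect it.
$divisions = @( @('NY', @('Accounting', 'Management')), @('LA', ('Sales')) )
$divisions[1][1].GetType().Name     # String    ('Sales') was never a list
$divisions = @( @('NY', @('Accounting', 'Management')), @('LA', @('Sales')) )
$divisions[1][1].GetType().Name     # Object[]  now it is, and [0] gives Sales

# Trap 3: arrays are fixed size. += builds a NEW array and assigns it back,
# so the assignment has to land on the slot in the tree, not on a copy.
$copy = $menu[1]
$copy += 'Beef'
$menu[1].Count              # 3   unchanged; $copy is a fresh array
$menu[1] += 'Beef'
$menu[1].Count              # 4   the slot itself was reassigned
$menu[2][1] += 'Newt'
$menu[2][1]                 # Frog Toad Newt

# Trap 4: a row you expect to be a list may be a plain string; guard before indexing.
function Get-ThirdEntry {
    param($Row)
    if ($Row -is [array]) { $Row[2] } else { "not a list: $Row" }
}
Get-ThirdEntry $menu[1]     # Chicken
Get-ThirdEntry $menu[0]     # not a list: Pie

# Anything edited often is better as an ArrayList: Add() grows in place, no copy per +=.
$groups = New-Object System.Collections.ArrayList
$null = $groups.Add('Standard Documents')
$null = $groups.AddRange(@('SharePoint View', 'Domain Users'))
$groups.Count               # 3
```

Trap 2 is the one that matters for a security-group table: a division with a single group silently becomes a string, and indexing [0] into it returns the first character instead of the group name.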

Remember, the Power of Shell is in YOU

The Energized Tech

Just a quick one I was playing with this morning. I've got a used Dell server to play with in the basement. It has a BMC but no iDRAC. But I want to be able to manage this server. For that you would normally install Dell OpenManage Server Administrator on the computer.

But I'll bet you did the same thing I initially did. Ran the executable and got this vicious evil error.


You looked at the DVD in disbelief. “How DARE you not bow down to my wishes…” and you started digging.  Deeper into the actual SYSMGMT folder on the disk until you found the folder marked “Windows” under SRVAdmin.  “AHA!” that little voice popped up.  “I’ve got you now!” as you quickly typed in setup.exe with an evil maniacal grin

It of course responded with


You jump up and down like a madman. “No! NO! NO! NO! This is not permitted!” But then it dawns on you.  Perhaps it is simply setup.exe that is unhappy.  Most modern day applications are usually calling up the Windows Installer anyhow.  So you try each of the sub folders.   The folder called  “SystemsManagement” seems an obvious choice to look at.   Within there is one single MSI file.  “Give ‘er a shot!”

Voila ! It works!  The standard installer kicks in as normal!  You dance about with joy and glee!

Moments later you go to access it remotely from another server


Click click click.... Nothing. Not a sausage. Perhaps it failed?

Or perhaps the installer component that would have opened the firewall port never executed. So, an easy solution. Fire up MMC.EXE, add the Windows Firewall with Advanced Security snap-in, point it at "Another computer" (the other computer being your Server Core box) and allow inbound TCP traffic on port 1311 (the OpenManage web server's HTTPS port) to your remote server.

Moments later you'll see that old familiar screen when you try logging in again. Life is good. And you're locked down securely in Core. I haven't tried this with the free Hyper-V Server 2008 R2 but I'm willing to bet there's nothing there to stop it from running either.

There. It worked. Never tell a tech it can't be done!

This is where the ITPro is beginning to cross deeper into "The Dark Side" of Development.

Ok Developers aren't actually "The Dark Side" but there is a reaction from Many ItPros when you say "Code" or "Compile" their eyes just roll deep inside their heads and their noses turn a unique shade of purple.  Some even back away as if you spoke of a greater evil.

Thus the joke "Dark Side"

So I started poking about MSDN.COM to try and learn the structure of what .NET is.  The technology as a whole isn't that scary when you start to think about it.  It's a framework.   A Framework is really what it sounds like.   A "Frame" to "Work" with the environment.

Maybe not the correct wording and if any of my Developer friends read this posting, I 'd appreciate corrections to the wording or my interpretation of this.

Within this Framework are various pieces that let you work with Windows on a programmatic level. Simple concepts like a file-open dialog, or as deep as creating and interacting with the GUI via WPF (Windows Presentation Foundation).

Will I learn all of this in 24 hours? Probably not. Development is a passion. .NET is an even deeper passion. With that passion comes a skill set as well as wisdom on its use.

But .NET is NOT something to be startled off from. If you're an IT professional and trying to automate something, nowadays you'll probably be using Windows PowerShell, which runs on the .NET Framework natively. It has many "assemblies" already loaded. With .NET you'll hear reference to two key terms: assemblies and namespaces. These are two different ways .NET code is organized.

Assemblies in the Global Assembly Cache can be seen by name in the C:\Windows\assembly folder. Descriptions of what each can do are on msdn.microsoft.com.



To add an assembly to Windows PowerShell simply type

Add-Type -AssemblyName NameOfAssembly

So if the assembly we needed contained features that were not presently loaded (LIKE Adodb) you would just enter

Add-Type -AssemblyName Adodb

With this loaded you could now access the


How you work with it, well, I'm still figuring that part out.

The actual assemblies, when you get down to it, are .DLL files containing one or more namespaces. Think of an assembly like a Word document full of macros. The TITLE of the Word document might be SwissCheese, and the filename it's saved under could ALSO be SwissCheese.docx.

An assembly is really just a .DLL file containing namespaces full of classes. Think of that .DLL file like the Word document, the namespace as the TITLE in the document and the various classes as macros.

Ok, this is REALLY oversimplifying it, but I raise this point because when I went online trying to learn the difference between namespaces and assemblies, I also found they often seemed to share the same name. That is a convention many hold to, not a rule: one assembly can hold several namespaces, and one namespace can be spread across several assemblies. Just know that when you're trying to load a namespace, you may hear the term "assembly" intermixed with it. This is normal.

Sometimes when you're trying to extend a feature to Windows PowerShell where a cmdlet does not exist, you will load the assembly holding its .NET code, and reference the namespace.

If you're curious about more of this, you should check into these excellent online posts from Richard Siddaway, Lee Holmes and  Doug Finke which I used as a reference to get started.

And just for fun, I took Richard's one-liner to show the loaded assemblies and cleaned it up to just list them by name.

[AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { $_.GetName().Name } | Sort-Object

Ok, the rest of you IT Pros can relax.  We'll return away from the deeper levels of .NET for a bit.  Knowing a little bit of what an Assembly is and Namespaces are can help you extend .Net applications to Powershell that are not presently Powershell enabled.
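To make the assembly-versus-namespace distinction visible rather than take it on faith, here is an added example (mine, not from the post): one function loads an assembly by its simple name and groups its public types by namespace, the other answers "which DLL did this type come from" for a type you already use. It uses System.Windows.Forms because that is where the post's file-open dialog lives; no names here are from the original.

```powershell
# Added example (not from the post). Assembly = the DLL you load; namespace = the
# dotted prefix on the class names inside it. One DLL can carry many namespaces,
# and one namespace (System.IO, say) is spread over several DLLs.
function Get-AssemblyMap {
    # Load an assembly by its simple name and group its public types by namespace.
    param([Parameter(Mandatory=$true)][string]$AssemblyName)
    Add-Type -AssemblyName $AssemblyName
    $asm = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GetName().Name -eq $AssemblyName } | Select-Object -First 1
    if (-not $asm) { throw "Add-Type ran but $AssemblyName is not in the AppDomain" }
    $asm.GetExportedTypes() | Group-Object Namespace | Sort-Object Count -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{
                Assembly  = $asm.GetName().Name
                File      = $asm.Location
                Namespace = $_.Name
                Types     = $_.Count
            }
        }
}

function Get-TypeOrigin {
    # For a type you already use: which namespace is it in, and which DLL did it come from?
    param([Parameter(Mandatory=$true)][Type]$Type)
    New-Object PSObject -Property @{
        Type      = $Type.FullName
        Namespace = $Type.Namespace
        Assembly  = $Type.Assembly.GetName().Name
        File      = $Type.Assembly.Location
    }
}

Get-AssemblyMap System.Windows.Forms | Format-Table Namespace, Types, Assembly -AutoSize
# One DLL, several namespaces: System.Windows.Forms, System.Windows.Forms.Layout,
# System.Windows.Forms.VisualStyles and a few more all come out of System.Windows.Forms.dll.

Get-TypeOrigin ([System.IO.File])                       # namespace System.IO, assembly mscorlib
Get-TypeOrigin ([System.Windows.Forms.OpenFileDialog])  # the file-open dialog, usable now that Add-Type ran
```

The File column is the part worth keeping an eye on in production scripts: Add-Type -AssemblyName resolves by name, so confirming which DLL actually got loaded is how you notice a stray copy on the path or an assembly version you did not expect.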

How often do you hear the word “FREE” without ten billion popups along with it and a trip to a strange bank?


REGISTER NOW for a FREE ONLINE Exam Cram session on June 8th from Microsoft for the following exams

Exam Preparation Sessions

Windows 7

  • Exam 70-680: TS: Windows 7, Configuring
  • Exam 70-685: PRO: Windows 7, Enterprise Desktop Support Technician
  • Exam 70-686: PRO: Windows 7, Enterprise Desktop Administrator

SQL Server

  • Exam 70-432: TS: Microsoft SQL Server 2008, Installation and Maintenance
  • Exam 70-433: TS: Microsoft SQL Server 2008, Database Development
  • Exam 70-448: TS: Microsoft SQL Server 2008, Business Intelligence Development and Maintenance

Windows Server 2008

  • Exam 70-640: TS: Windows Server 2008 Active Directory, Configuring
  • Exam 70-642: TS: Windows Server 2008 Network Infrastructure, Configuring
  • Exam 70-646: PRO: Windows Server 2008, Server Administrator
  • Exam 70-647: PRO: Windows Server 2008, Enterprise Administrator
  • Exam 70-652: TS Windows Server Virtualization, Configuring

Windows Server 2003

  • Exam 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment
  • Exam 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

So quickly go online and REGISTER NOW! IT'S FREE and SPACE is filling up FASTER than the Energized Tech can TALK!

Apparently the Powers that Be have decided I should be uncaged once in a while.

On  June 3rd 2011 If you tune in to “Technet Talk Radio” there will be a *LIVE* webcast.

Yep, they’re going to let l’il ol’ me near a Microphone and an unprotected computer.   Check it out, who knows how this will turn out !

Click on HERE to Register for this FREE Webcast

Also happening on “Hey Scripting Guy” for an ENTIRE WEEK starting June 6th 2011 all the way to (and including) June 12th 2011 are 7 COMPLETE Posts from myself based upon Windows Powershell and how YOU can leverage Windows Powershell in Legacy environments as well as a little fun on  Sunday.

Check it out, you might learn something, you might have a little fun

You might just get a little “ENERGIZED”

This scenario assumes you have a popular remote access application called "Radmin" (Remote Administrator). It's a simple remote access tool I used to use myself in the field. But sometimes you may want to audit its use, i.e. who is logging in, when, from where and from what?

Here's our first part: make sure security logging on the computer in question is enabled. Most domain controllers that are Windows 2003 and higher will have this enabled; lower may not. If you need to check whether it's enabled locally, just run SECPOL.MSC and ensure under "Audit Policy" that "Success" and "Failure" logging is enabled for both "Audit account logon events" and "Audit logon events".

With this switch flipped you can now watch and track every time somebody accesses that server. It will log within the Security log in Event Viewer. The particular event IDs we need to watch for are 4624 (successful logon) and 4625 (failed logon). Each of those records a Logon Type and a Source Network Address, which is what tells you how and from where the session came in.

With this in mind, with PowerShell we can use the Get-EventLog cmdlet against the system to pull down the details. I'm using the legacy one intentionally so that we COULD leverage this solution against a Server 2000/2003 environment as well. Just remember that 4624 and 4625 only exist from Vista/2008 onward; on 2000/2003 the equivalents are 528 and 540 (successful logon) and 529 through 537 and 539 (the various failures).

Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName 'SomeComputer.Contoso.com'

The problem is that this cmdlet will pull down the entire pile from the beginning of security-logging time. So we need to narrow it down. Fortunately, in Windows PowerShell we can work with dates and times, and as it happens Get-EventLog has an -After parameter for us to specify a date or time. I'd like to see ONLY events that happened "15 minutes before now".

$NOW = (Get-Date).AddMinutes(-15)
Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName 'SomeComputer.Contoso.com' -After $NOW

Now we have a smaller pile. But let's say we needed to know when Mr.Smith was accessing this particular server, and we'd like a notification, please...


Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName 'SomeComputer.Contoso.com' -After $NOW -Message "*Mr.Smith*"

I can store this away in a variable in Windows PowerShell and use a simple Boolean check.


# InstanceId is the numeric event ID in the log: 4624 is a successful logon, 4625 a failed logon
$NOW = (Get-Date).AddMinutes(-15)
$Results = Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName 'SomeComputer.Contoso.com' -After $NOW -Message "*Mr.Smith*"

# Hopefully the rest of this makes sense
$SMTPSERVER = 'smtp.contoso.com'   # your mail relay
$Notify = 'The Person In Charge <Me@contoso.com>'
$Subject = 'Warning Will Robinson - Intruder'
$Body = 'Somebody is Poking at the Server Again'
$From = 'Your Friendly Neighbourhood Spiderman <securitymonitor@contoso.com>'

# An empty result is $null, so the check is false and no mail goes out
if ($Results) { Send-MailMessage -From $From -To $Notify -Subject $Subject -Body $Body -SmtpServer $SMTPSERVER }

This is of course something you would have to schedule with appropriate rights in Task Scheduler (I think Local System should have the rights, but if not, a local Administrator account).

Now here's where things get easier. If the server in question is running Server 2008 or Server 2008 R2 you can just go into Event Viewer and attach a task to an event.




Follow the simple step-by-step wizard and you can actually have the server NOTIFY YOU by email directly when certain event IDs (such as a successful logon) occur (e.g. via Radmin). To get VERY specific you'll have to go into the properties of that newly scheduled task and edit the XML query directly (e.g. notify me if Mr.Smith logged in and is poking about with my server via Radmin).

Radmin is just one of many applications out there. What is good to know is that most applications register something in the event logs (or can be made to), and that with the free resources at hand YOU CAN monitor those logs and generate email notifications to yourself.

If you have Radmin in use, I highly recommend monitoring its use, not just for auditing purposes: it IS an often unwatched key to the house. Being aware of its use is a boon to security that's often forgotten.
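Here is an added example (not the post's script) that takes the same Get-EventLog query a step further: it parses the logon events into objects so the mail can say who, from where and what kind of logon, filters on the account, and carries the XPath a Server 2008 event-triggered task would need to fire only for one account. The two event messages at the bottom are constructed to match the shape of the English 4624/4625 text, not captured from a server, and the function names are mine. Whatever runs this needs read access to the remote Security log, which on a remote 2008 box means membership in Event Log Readers or Administrators.

```powershell
# Added example (not the post's script). Parses 4624/4625 messages into
# who / how / from where, so the alert can be selective and informative.
# Assumes the English message text of Server 2008/R2; the sample messages
# below are constructed, not captured. Function names are mine.

$LogonTypeNames = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                     8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

function ConvertFrom-LogonMessage {
    param([int]$EventId, [string]$Message, [datetime]$Time = (Get-Date))
    # "Account Name:" occurs twice: under Subject (usually SYSTEM or "-"), then under
    # "New Logon" (4624) / "Account For Which Logon Failed" (4625). The last one is ours.
    $account = '?'
    $names = [regex]::Matches($Message, 'Account Name:\s*(\S+)')
    if ($names.Count -gt 0) { $account = $names[$names.Count - 1].Groups[1].Value }
    $logonType = -1
    if ($Message -match 'Logon Type:\s*(\d+)') { $logonType = [int]$Matches[1] }
    $source = '-'
    if ($Message -match 'Source Network Address:\s*(\S+)') { $source = $Matches[1] }
    $typeName = $LogonTypeNames[$logonType]
    if (-not $typeName) { $typeName = 'Other' }
    $outcome = 'Failure'
    if ($EventId -eq 4624) { $outcome = 'Success' }
    New-Object PSObject -Property @{
        Time = $Time; EventId = $EventId; Outcome = $outcome; Account = $account
        LogonType = $logonType; TypeName = $typeName; Source = $source
    }
}

function Get-RecentLogons {
    # The post's query with the time window computed here and the message parsed.
    param([string]$ComputerName, [int]$Minutes = 15, [string]$Account = '*', [int[]]$LogonType)
    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName $ComputerName -After $since -Message "*$Account*" |
        ForEach-Object { ConvertFrom-LogonMessage -EventId $_.InstanceId -Message $_.Message -Time $_.TimeGenerated } |
        Where-Object { (-not $LogonType) -or ($LogonType -contains $_.LogonType) }
}

# Event-triggered task filter (Event Viewer > Attach Task To This Event, then edit the query
# XML): fires only for a successful logon by one account. Appending
# " and Data[@Name='LogonType']='10'" narrows it to RDP, which a Radmin session is not.
$taskQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='Mr.Smith']]</Select>
  </Query>
</QueryList>
'@

# Constructed sample messages (shape of the real ones, whitespace simplified)
$sample4624 = @'
An account was successfully logged on.
Subject:
    Security ID:  SYSTEM
    Account Name:  SERVER01$
    Account Domain:  CONTOSO
Logon Type:  10
New Logon:
    Security ID:  CONTOSO\Mr.Smith
    Account Name:  Mr.Smith
    Account Domain:  CONTOSO
Network Information:
    Workstation Name:  WS42
    Source Network Address:  10.1.2.3
    Source Port:  49201
'@
$sample4625 = @'
An account failed to log on.
Subject:
    Security ID:  NULL SID
    Account Name:  -
    Account Domain:  -
Logon Type:  3
Account For Which Logon Failed:
    Security ID:  NULL SID
    Account Name:  Mr.Smith
    Account Domain:  CONTOSO
Network Information:
    Workstation Name:  ATTACKER-PC
    Source Network Address:  203.0.113.9
    Source Port:  51234
'@
$events = @(
    (ConvertFrom-LogonMessage -EventId 4624 -Message $sample4624),
    (ConvertFrom-LogonMessage -EventId 4625 -Message $sample4625)
)
$events | Format-Table Outcome, Account, TypeName, Source -AutoSize
#   Success  Mr.Smith  RemoteInteractive  10.1.2.3
#   Failure  Mr.Smith  Network            203.0.113.9

$hits = $events | Where-Object { $_.Account -eq 'Mr.Smith' }
if ($hits) {
    $body = $hits | Format-Table Time, Outcome, TypeName, Source -AutoSize | Out-String
    # Send-MailMessage -From 'securitymonitor@contoso.com' -To 'me@contoso.com' `
    #   -Subject 'Logon activity for Mr.Smith' -Body $body -SmtpServer 'smtp.contoso.com'
}
```

Matching on the parsed Account field instead of -Message "*Mr.Smith*" also stops a false alarm whenever the string merely appears somewhere in an unrelated event body, and the Source column is what turns "somebody is poking at the server" into an address you can actually act on.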

The Energized Tech