I want to scan the security event viewer log to find out who added a user to the local administrator group. So here is where I am at:
# Pull 4732 (member added to a security-enabled local group) events from the remote Security log
Get-EventLog -LogName "Security" -ComputerName TestMachine | Where-Object { $_.EventID -eq 4732 } | Format-List Message
So what I want to do now is this:
1. Currently this pulls all the events with ID 4732. Is there a way to only pull the first record? I have tried "select -first 1" and am not sure why it's not working.
2. How can I pull the data in the Subject: Account Name field out so I can add it to an array that I will later export into a .csv?
3. Under the Member field the Security ID is a SID and it leaves a blank for the account name. How can I convert that SID into the "Account Name"?
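An added example (not the original poster's code) that covers all three points: limits the result count, parses the Subject account name and Member SID out of the 4732 message text, translates the SID with .NET's SecurityIdentifier class, and emits objects ready for Export-Csv. It assumes the computer name TestMachine from the question, the standard Windows 4732 message layout, and the hypothetical output path .\admin-additions.csv.

```powershell
# Added example, not from the original post. Assumes "TestMachine" and the
# standard 4732 message layout (Subject: ... Account Name: / Member: ... Security ID:).

function Convert-SidToAccount {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted account or untrusted domain: keep the raw SID rather than a blank
        $Sid
    }
}

function Get-AdminGroupAdditions {
    param(
        [string]$ComputerName = "TestMachine",
        [int]$Newest = 0          # 0 = all matching events
    )
    $events = Get-EventLog -LogName Security -ComputerName $ComputerName |
        Where-Object { $_.EventID -eq 4732 }
    if ($Newest -gt 0) { $events = $events | Select-Object -First $Newest }

    foreach ($e in $events) {
        $m = $e.Message
        # (?s) lets '.' span lines; each pattern anchors on its section header so the
        # Subject account name is not confused with fields later in the message.
        $who   = if ($m -match '(?s)Subject:.*?Account Name:\s+(\S+)')  { $Matches[1] } else { '' }
        $sid   = if ($m -match '(?s)Member:.*?Security ID:\s+(\S+)')    { $Matches[1] } else { '' }
        $group = if ($m -match '(?s)Group:.*?Group Name:\s+(\S+)')      { $Matches[1] } else { '' }

        [pscustomobject]@{
            Time       = $e.TimeGenerated
            Computer   = $ComputerName
            AddedBy    = $who
            Group      = $group
            MemberSid  = $sid
            MemberName = Convert-SidToAccount $sid
        }
    }
}

# Newest record only, then the full history to CSV (hypothetical path)
Get-AdminGroupAdditions -ComputerName TestMachine -Newest 1
Get-AdminGroupAdditions -ComputerName TestMachine |
    Export-Csv -Path .\admin-additions.csv -NoTypeInformation
```

Get-EventLog also has a built-in -Newest parameter that limits how many entries are read from the log before filtering, which is cheaper than reading everything and then selecting the first record.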