Hi All,
I have a strange behavior with a scheduled Powershell script.
The .ps1 script simply execute in a Try Catch statement:
Get-ADUser -Properties * - Filter * | Select-Object AccountExpirationDate, AccountExpires, @{L = "AuthenticationPolicy; E = {$_.AuthenticationPolicy -join";"}} etc.. for all the requested objects
Note: The Hash Table is needed to avoid having System.Object[] for some fields, as described at the following link:
https://community.spiceworks.com/topic/2144503-how-to-get-everything-and-i-mean-everything-about-your-ad-users-into-a-csv
The problem is the following:
1. Once the script is deployed from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields
2. At the first scheduled attempt (and for the next ones), the script runs but generates an output containing most of all the fields, but the majority of them are empty. The only one with values are: **DistinguishedName, GivenName, Name, ObjectGuid, SamAccountName, SID, UserPrincipalName, PropertyCount**
3. If the script is deployed again from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields
for info here the inputs.conf
[powershell://myscriptedinput]
script = . "$SplunkHome\etc\apps\myapp\bin\myscript.ps1"
index = myindex
sourcetype = mysourcetype
schedule = 0 6 * * *
disabled = 0
Do you have any idea why this could happen?
Thanks a lot,
Edoardo
↧