Scroll Top
Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland

Get-EventsLibrary.ps1 – Monitoring Events PowerShell

Event Monitoring v0.6

This event library (Get-EventsLibrary.ps1) is PowerShell script that parses Security (mostly) logs on Domain Controllers. It has few reports capabilities including sending group membership changes, user changes, user lockouts, user creation, user password change. When setting up as Task Schedule it can send daily, monthly, quarterly reports to your email about changes happening in your domain. Please note this code has been deprecated and there's better, faster, more robust version called PSWinReporting. Same idea, but better execution. This code below is left for educational purpose only!

For example:
You can easily see the user being added or removed from Domain Admins group
You can easily change your HelpDesk agent did a change of password for your boss 

Best of all since it's all read from Active Directory DC there is no way to tamper with it (unless someone clears out the logs of DC's but then you've got a bigger problem on your hands).

PSWinReporting Information
Please notice this article contains parts of information (still useful) and may not reflect all functionalities of this module. For download, source code and so on you should refer to the dedicated PSWinReporting module page. After reading this one… of course! It contains useful informationexamples and know-how.
Powershell Script Parameters

Usage of the script is quite simple. There are 2 scripts in play:
Get-Events.ps1 (or however you call it) – this your configuration script and script you actually setup for Task Scheduler

Get-EventsLibrary.ps1 – this is the main library doing all the heavy lifting. Do NOT modify it as most of the settings should be configured/disabled in the file above. This file is supposed to be easily replaceable with new versions when they come with more features, bug fixes and so on.

First file (Get-Events.ps1) contains all the configuration and a starter part. Make sure to fill out 3 hash tables as seen below:

$EmailParameters – have been tested on Office 365, tested on relays 
$FormattingParameters – essentially branding of your report (logo size, log link, fonts used in report)
$ReportOptions – what should be run and when

Make sure the that GetEventsLibraryPath is correct.

$GetEventsLibraryPath = "C:\Support\Scripts\Includes\Get-EventsLibrary.ps1" # THIS IS REQUIRED!!

And then simply run the script. If you're lucky enough you will get it right the first try.

Event Monitoring v0.6

If not go thru errors reported. Try to enable just some reports, in the beginning, to see if the configuration file is correct.

What's new

You can find version changes below:

Version 0.8 – Updates from feedback. Lots of changes, new dates supported. Details can be found on separate blog post.
Version 0.7 – Updates from feedback. Details can be found on separate blog post.
Version 0.6 – Updates from feedback. Details can be found on separate blog post.
Version 0.5 – First Public Release

Powershell Script Get-Events.ps1 (configuration file)
Clear-Host

# OPTIONS TO FILL IN
$GetEventsLibraryPath = "C:\Support\Scripts\Includes\Get-EventsLibrary.ps1" # THIS IS REQUIRED!!

$EmailParameters = @{
    EmailFrom            = "[email protected]"
    EmailTo              = "[email protected], [email protected]"
    EmailCC              = ""
    EmailBCC             = ""
    EmailServer          = "smtp.office365.com" 
    EmailServerPassword  = "YourPassword"
    EmailServerPort      = "587"
    EmailServerLogin     = "[email protected]"
    EmailServerEnableSSL = 1
    EmailEncoding        = "Unicode" 
    EmailSubject         = "[Reporting] Event Changes for period <<DateFrom>> to <<DateTo>>"
    EmailPriority        = "Low" # Normal, High
}
$FormattingParameters = @{
    CompanyBranding   = @{
        Logo = "https://evotec.xyz/wp-content/uploads/2015/05/Logo-evotec-012.png"
        Width = "200"
        Height = ""
        Link = "https://evotec.xyz"
    }     
    FontFamily        = "Calibri Light"
    FontSize          = "9pt"
    FontHeadingFamily = "Calibri Light"
    FontHeadingSize   = "12pt"
}
$ReportOptions = @{
    JustTestPrerequisite            = $false # runs testing without actually running script
    OnlyPrimaryDC                   = $false # usually should query all DC's but for testing can query just one (PrimaryDC)

    IncludeDomainControllers        = $true    
    IncludeGroupEvents              = $true 
    IncludeUserEvents               = $true
    IncludeUserStatuses             = $true
    IncludeUserLockouts             = $true
    IncludeDomainControllersReboots = $false 
    IncludeLogonEvents              = $false # DO NOT USE - NOT FINISHED
    IncludeGroupPolicyChanges       = $false # DO NOT USE - NOT FINISHED
    IncludeClearedLogs              = $false # DO NOT USE - NOT FINISHED
    IncludeEventLogSize             = @{
        Use    = $true
        Logs   = "Security"#, "Application"
        SortBy = ""
    } 

    # Report Per Hour
    ReportPastHour                  = $false # if it's 23:22 it will report 22:00 till 23:00
    ReportCurrentHour               = $false # if it's 23:22 it will report 23:00 till 00:00
    # Report Per Day
    ReportPastDay                   = $false # if it's 1.04.2018 it will report 31.03.2018 00:00:00 till 01.04.2018 00:00:00
    ReportCurrentDay                = $false # if it's 1.04.2018 05:22 it will report 1.04.2018 00:00:00 till 01.04.2018 00:00:00
    # Report Per Week 
    ReportOnDay                     = @{
        Use  = $true
        Days = "Monday"#, "Tuesday"
    } 
    # Report Per Month
    ReportPastMonth                 = @{
        Use   = $true # checks for 1st day of the month - won't run on any other day unless used force
        Force = $false  # if true - runs always ... 
    } 
    ReportCurrentMonth              = $false

    # Report Per Quarter
    ReportPastQuarter               = @{
        Use   = $true # checks for 1st day fo the quarter - won't run on any other day
        Force = $false
    }
    ReportCurrentQuarter            = $false
    # Report Custom
    ReportCurrentDayMinusDayX       = @{
        Use  = $false
        Days = 7    # goes back X days and shows just 1 day
    } 
    ReportCurrentDayMinuxDaysX      = @{
        Use  = $false
        Days = 3 # goes back X days and shows X number of days till Today
    }     
    ReportCustomDate                = @{
        Use      = $false
        DateFrom = get-date -Year 2018 -Month 03 -Day 19
        DateTo   = get-date -Year 2018 -Month 03 -Day 23
    }

    # AsExcel requires Import-Module ImportExcel
    AsExcel                         = $true # attaches Excel to email with all events
    AsCSV                           = $false # attaches CSV to email with all events,
    AsHTML                          = $true # puts exported data into email directly with all events
    SendMail                        = $true
    KeepReports                     = $true # keeps files after reports are sent (only if AssExcel/AsCSV are in use)
    KeepReportsPath                 = "C:\Support\Reports\ExportedEvents" # if empty, temp path is used
    FilePattern                     = "Evotec-ADMonitoredEvents-<currentdate>.xlsx"
    FilePatternDateFormat           = "yyyy-MM-dd-HH_mm_ss"

    DisplayConsole                  = @{
        ShowTime   = $true
        LogFile    = ""
        TimeFormat = "yyyy-MM-dd HH:mm:ss"
    }
}

### DO NOT EDIT ANYTHING BELOW ###
if (Test-Path $GetEventsLibraryPath) {
    .$GetEventsLibraryPath
}
else {
    Write-Warning "Get-EventsLibrary.ps1 not available. Please make sure to edit path to that library in global includes above - variable GetEventsLibraryPath."
    Write-Warning "In case you don't have the library you can always download it at https://evotec.xyz/hub/scripts/get-eventslibrary-ps1/"
    Exit    
}

Start-Reporting $EmailParameters $ReportOptions $FormattingParameters
PSWinReporting Information
Please notice this article contains parts of information (still useful) and may not reflect all functionalities of this module. For download, source code and so on you should refer to the dedicated PSWinReporting module page. After reading this one… of course! It contains useful informationexamples and know-how.
Powershell Script Get-EventsLibrary.ps1 download

Following library Get-EventsLibrary.ps1 is core file for reporting of events via email.

Report Group Events
Report User Events
Report User Statuses
Report User Lockouts
Report Domain Controller Reboots – not finished
Report Logon Events – not finished

If you prefer to just copy/paste code below you can find full code for the Get-EventsLibrary.ps1.

Troubleshooting - Configuration Options

Following error message is related to GetEventsLibraryPath being wrong.

Get-EventsLibrary.ps1 Error

WARNING: Get-EventsLibrary.ps1 not available. Please make sure to edit path to that library in global includes above - variable GetEventsLibraryPath.
WARNING: In case you don't have the library you can always download it at https://evotec.xyz/hub/scripts/get-eventslibrary-ps1/

You should make sure to fill out

# OPTIONS TO FILL IN
$GetEventsLibraryPath = "C:\Support\Scripts\Includes\Get-EventsLibrary.ps1" # THIS IS REQUIRED!!
Troubleshooting - Configuration Options

It's important to try and start the script manually first, before setting it up as Scheduled Task. When you run the script for the first time you may get following information:

Please make sure the config file matches new version requirements. This usually means following code is missing under $ReportOptions.

    DisplayConsole                  = @{
        ShowTime   = $true
        LogFile    = ""
        TimeFormat = "yyyy-MM-dd HH:mm:ss"
    }

Since script utilizes Write-Color function those options are needed for centralized settings.

Troubleshooting - Configuration Options

You can also find yourself with some of the settings missing from the config file. Make sure to fix it up. It doesn't check the values, just that parameters exist. This feature is supposed to protect script from running if new Get-EventsLibrary.ps1 has some options that don't exist in the running report's script.

WARNING: [i] Testing for configuration consistency. This is to make sure the script can be safely executed...
[2018-03-25 20:00:28][i] Testing for missing parameters in configuration of ConfigurationReport.DisplayConsole has succeeded. All parameters exists.
[2018-03-25 20:00:28][i] Testing for missing parameters in configuration of ConfigurationReport has succeeded. All parameters exists.
[2018-03-25 20:00:28][i] Testing for missing parameters in configuration of EmailParameters has succeeded. All parameters exists.
[2018-03-25 20:00:28][i] Testing for missing parameters in configuration of FormattingParameters has succeeded. All parameters exists.
[2018-03-25 20:00:28][i] Testing for prerequisite availability...
[2018-03-25 20:00:28][+] ImportExcel module found. Importing... please wait...
[2018-03-25 20:00:28][+] ImportExcel module imported. Continuing...
[2018-03-25 20:00:28][+] ActiveDirectory module found. Importing... please wait...
[2018-03-25 20:00:28][+] ActiveDirectory module imported. Continuing...
[2018-03-25 20:00:37][-] Active Directory not found. Please run this script with access to Domain Controllers.
PSWinReporting Information
Please notice this article contains parts of information (still useful) and may not reflect all functionalities of this module. For download, source code and so on you should refer to the dedicated PSWinReporting module page. After reading this one… of course! It contains useful informationexamples and know-how.
Powershell Script Get-EventsLibrary.ps1 source code
<#
    .SYNOPSIS
    This PowerShell script can generate report according to your defined parameters and monitor for changes that happen on users and groups in Active Directory.
    .DESCRIPTION
    This PowerShell script can generate report according to your defined parameters and monitor for changes that happen on users and groups in Active Directory.

    It can tell you:
    - When and who changed the group membership of any group within your Active Directory Domain
    - When and who changed the user data including Password, UserPrincipalName, SamAccountName, and so on…
    - When and who changed passwords
    - When and who locked out account and where did it happen
    .NOTES
    Version:        0.8
    Author:         Przemyslaw Klys <przemyslaw.klys at evotec.pl>
    Creation Date:  23.03.2018
    Modifcation Date: 15.04.2018

    TODO:
    - DirectoryPattern                = $true # adds to reports path Hourly \ Monthly \ Quarterly \ Custom ("C:\Support\Reports\Hourly")
    - Fixes for reports

    Changelog 0.8 - 15.04.2018
        Basic
        - Rebuilt config file (again, sorry for that)
        - Rebuilt Test-Configuration to report what's wrong with configuration (limited capability)
        - Changes and fixes for Send-Mail function
        - Few other changes
        New Dates
        - ReportPastHour - if it's 23:22 it will report 22:00 till 23:00
        - ReportCurrentHour - if it's 23:22 it will report 23:00 till 00:00
        - ReportOnDay - weekly report - choose a day to send the report
        - ReportCurrentDayMinusDayX - goes back X days and shows just 1 day
        - ReportCurrentDayMinuxDaysX - goes back X days and shows all days till today
        - ReportCustomDate - custom dates
        New reports:
        - IncludeEventLogSize -
        - Preparations for IncludeGroupPolicyChanges - doesn't work yet (DO NOT SET TO TRUE)
        - Preparations for IncludeClearedLogs - doesn't work yet (DO NOT SET TO TRUE)
        - Preparations for IncludeLogonEvents - doesn't work yet (DO NOT SET TO TRUE)
        New options:
        - SendMail - setting deciding if report should be sent (you may want to just keep the XLSX/CSV files)
        - KeepReports - when set files are kept, if not files are deleted after sending
        - Added AsCSV - althought it's easier to work with Excel
        - JustTestPrerequisite - checks config file for errors and terminates

    Changelog 0.7 - 27.03.2018
        Basic
        - Fixed display issues with Write-Color inconsistency
        - Fixed small code optimizations
        - Added error handling for event listng (would error out on Windows 2003 controllers) - only Windows 2008/R2 and up are supported
        - Added Supported column
        - Moved Test-Prerequisite from config file to Library

    Changelog 0.6 - 25.03.2018
        Basic
        - Changed configuration settings
        - Added option to attach excel files instead of inline html tables
        - Added option to send via relay smtp (just put empty string in EmailServerLogin - probably port 25 but depends on configuration of server)
        - Added verification if modules are available
        - Added verification if Get-EventsLibrary.ps1 is available
        - Added verification if configuration is consistent (all required options defined) - doesn't check for values - this should prevent possible issues with new versions of Get-EventsLibrary.ps1
        - Added report for custom dates
        - Added option to choose AsHTML or/and AsExcel - you can have Excel attached along with tables inline in email or just one of those

    Changelog 0.5 - 23.03.2018
    - First public version

    Newest version of the script is always available at: https://evotec.xyz/hub/scripts/get-eventslibrary-ps1/

    Additonal notes for self for using it later
    Users https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter8#UAM
    4720: A user account was created                                    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4720
    4722: A user account was enabled                                    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722
    4725: A user account was disabled                                   https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4725
    4726: A user account was deleted                                    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4726
    4738: A user account was changed                                    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4738
    4740: A user account was locked out.                                https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
    4767: A user account was unlocked.                                  https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
    4781: The name of an account was changed                            https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781
    4723: An attempt was made to change an account's password           https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4723
    4724: An attempt was made to reset an accounts password             https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4724

    .EXAMPLE
    Examples of usage can be found at https://evotec.xyz/monitoring-active-directory-changes-on-users-and-groups-with-powershell
#>
Set-StrictMode -Version Latest

# Default value / overwritten if set in config
$global:WriteParameters = @{
    ShowTime = $true
    LogFile = ""
    TimeFormat = "yyyy-MM-dd HH:mm:ss"
}

Function Get-ModulesAvailability ([string]$Name) {
    if (-not(Get-Module -name $name)) {
        if (Get-Module -ListAvailable | Where-Object { $_.name -eq $name }) {
            try {
                Import-Module -Name $name
                return $true
            } catch {
                return $false
            }
        } else { return $false } #module not available
    } else { return $true } #module already loaded
}
function Test-Key ($ConfigurationTable, $ConfigurationSection = "", $ConfigurationKey, $DisplayProgress = $false) {
    if ($ConfigurationTable -eq $null) { return $false }
    try {
        $value = $ConfigurationTable.ContainsKey($ConfigurationKey)
    } catch {
        $value = $false
    }
    if ($value -eq $true) {
        if ($DisplayProgress -eq $true) {
            Write-Color @Global:WriteParameters -Text "[i] ", "Parameter in configuration of ", "$ConfigurationSection.$ConfigurationKey", " exists." -Color White, White, Green, White
        }
        return $true
    } else {
        if ($DisplayProgress -eq $true) {
            Write-Color @Global:WriteParameters -Text "[i] ", "Parameter in configuration of ", "$ConfigurationSection.$ConfigurationKey", " doesn't exist." -Color White, White, Red, White
        }
        return $false
    }
}
function Test-Configuration ($EmailParameters, $ReportOptions, $FormattingParameters) {
    Write-Warning "[i] Testing for configuration consistency. This is to make sure the script can be safely executed..."
    if ($EmailParameters -eq $null -or $ReportOptions -eq $null -or $FormattingParameters -eq $null) {
        Write-Warning "[i] There is not enough parameters passed to the Start-Reporting. Make sure there are 4 parameter groups (hashtables). Check documentation - you would be better to just start from scratch!"
        Exit
    }
    Write-Color @Global:WriteParameters -Text "[t] ", "Testing for missing parameters in configuration...", "Keep tight!" -Color White, White, Yellow
    $ConfigurationFormatting = @()
    $ConfigurationReport = @()
    $ConfigurationEmail = @()

    #region EmailParameters

    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailFrom" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailTo" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailCC" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailBCC" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailServer" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailServerPassword" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailServerPort" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailServerLogin" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailServerEnableSSL" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailEncoding" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailSubject" -DisplayProgress $true
    $ConfigurationEmail += Test-Key $EmailParameters "EmailParameters" "EmailPriority" -DisplayProgress $true
    #endregion EmailParameters
    #region FormattingParameters
    #  Write-Color @Global:WriteParameters -Text "[t] ", "Testing for missing parameters in configuration of ", "FormattingParameters", "..." -Color White, White, Yellow
    $ConfigurationFormatting += Test-Key $FormattingParameters "FormattingParameters" "CompanyBranding" -DisplayProgress $true
    if ($ConfigurationFormatting[ - 1] -eq $true) {
        $ConfigurationFormatting += Test-Key $FormattingParameters.CompanyBranding "FormattingParameters.CompanyBranding" "Logo" -DisplayProgress $true
        $ConfigurationFormatting += Test-Key $FormattingParameters.CompanyBranding "FormattingParameters.CompanyBranding" "Width" -DisplayProgress $true
        $ConfigurationFormatting += Test-Key $FormattingParameters.CompanyBranding "FormattingParameters.CompanyBranding" "Height" -DisplayProgress $true
        $ConfigurationFormatting += Test-Key $FormattingParameters.CompanyBranding "FormattingParameters.CompanyBranding" "Link" -DisplayProgress $true
    }
    $ConfigurationFormatting += Test-Key $FormattingParameters "FormattingParameters" "FontFamily" -DisplayProgress $true
    $ConfigurationFormatting += Test-Key $FormattingParameters "FormattingParameters" "FontSize" -DisplayProgress $true
    $ConfigurationFormatting += Test-Key $FormattingParameters "FormattingParameters" "FontHeadingFamily" -DisplayProgress $true
    $ConfigurationFormatting += Test-Key $FormattingParameters "FormattingParameters" "FontHeadingSize" -DisplayProgress $true
    #endregion FormattingParameters
    #region ReportOptions Reports
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "OnlyPrimaryDC" -DisplayProgress $true

    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeDomainControllers" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeClearedLogs"    -DisplayProgress $true

    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeGroupEvents" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeUserEvents" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeUserStatuses" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeUserLockouts" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeDomainControllersReboots" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeLogonEvents" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeGroupPolicyChanges" -DisplayProgress $true

    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "IncludeEventLogSize" -DisplayProgress $true
    if ($ConfigurationReport[ - 1] -eq $true) {
        $ConfigurationReport += Test-Key $ReportOptions.IncludeEventLogSize "ReportOptions.IncludeEventLogSize" "Use" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.IncludeEventLogSize "ReportOptions.IncludeEventLogSize" "Logs" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.IncludeEventLogSize "ReportOptions.IncludeEventLogSize" "SortBy" -DisplayProgress $true
    }
    #endregion ReportOptions Reports

    #region ReportOptions Per Hour
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportPastHour" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportCurrentHour" -DisplayProgress $true
    #endregion ReportOptions Per Hour
    #region ReportOptions Per Day
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportPastDay" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportCurrentDay" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportOnDay" -DisplayProgress $true
    if ($ConfigurationReport[ - 1] -eq $true) {
        $ConfigurationReport += Test-Key $ReportOptions.ReportOnDay "ReportOptions.ReportOnDay" "Use" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.ReportOnDay "ReportOptions.ReportOnDay" "Days" -DisplayProgress $true
    }
    #region ReportOptions Per Month
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportPastMonth" -DisplayProgress $true
    if ($ConfigurationReport[ - 1] -eq $true) {
        $ConfigurationReport += Test-Key $ReportOptions.ReportPastMonth "ReportOptions.ReportPastMonth" "Use" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.ReportPastMonth "ReportOptions.ReportPastMonth" "Force" -DisplayProgress $true
    }
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportCurrentMonth" -DisplayProgress $true
    #endregion ReportOptions Per Month
    #region ReportOptions Per Quarter

    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportPastQuarter" -DisplayProgress $true
    if ($ConfigurationReport[ - 1] -eq $true) {
        $ConfigurationReport += Test-Key $ReportOptions.ReportPastQuarter "ReportOptions.ReportPastQuarter" "Use" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.ReportPastQuarter "ReportOptions.ReportPastQuarter" "Force" -DisplayProgress $true
    }
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportCurrentQuarter" -DisplayProgress $true
    #endregion ReportOptions Per Quarter
    #region ReportOptions Custom Dates
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportCurrentDayMinusDayX" -DisplayProgress $true
    if ($ConfigurationReport[ - 1] -eq $true) {
        $ConfigurationReport += Test-Key $ReportOptions.ReportCurrentDayMinusDayX "ReportOptions.ReportCurrentDayMinusDayX" "Use" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.ReportCurrentDayMinusDayX "ReportOptions.ReportCurrentDayMinusDayX" "Days" -DisplayProgress $true
    }
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportCurrentDayMinuxDaysX" -DisplayProgress $true
    if ($ConfigurationReport[ - 1] -eq $true) {
        $ConfigurationReport += Test-Key $ReportOptions.ReportCurrentDayMinuxDaysX "ReportOptions.ReportCurrentDayMinuxDaysX" "Use" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.ReportCurrentDayMinuxDaysX "ReportOptions.ReportCurrentDayMinuxDaysX" "Days" -DisplayProgress $true
    }
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "ReportCustomDate" -DisplayProgress $true
    if ($ConfigurationReport[ - 1] -eq $true) {
        $ConfigurationReport += Test-Key $ReportOptions.ReportCustomDate "ReportOptions.ReportCustomDate" "Use" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.ReportCustomDate "ReportOptions.ReportCustomDate" "DateFrom" -DisplayProgress $true
        $ConfigurationReport += Test-Key $ReportOptions.ReportCustomDate "ReportOptions.ReportCustomDate" "DateTo" -DisplayProgress $true
    }
    #endregion ReportOptions Custom Dates

    #region ReportOptions Options
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "AsExcel" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "AsCSV" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "AsHTML" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "SendMail" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "KeepReportsPath" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "FilePattern" -DisplayProgress $true
    $ConfigurationReport += Test-Key $ReportOptions "ReportOptions" "FilePatternDateFormat" -DisplayProgress $true
    #endregion ReportOptions Options
    if ($ConfigurationFormatting -notcontains $false -and $ConfigurationReport -notcontains $false -and $ConfigurationEmail -notcontains $false) {
        return $true
    } else {
        return $false
    }
}
Function Test-Prerequisite ([hashtable] $EmailParameters, [hashtable] $ReportOptions, [hashtable]  $FormattingParameters) {
    $Configuration = Test-Configuration $EmailParameters $ReportOptions $FormattingParameters
    if (-not $Configuration) {
        Write-Color @Global:WriteParameters "[i] ", "There are parameters missing in configuration file. Can't continue running...", "Terminated!" -Color White, Yellow, Red
        Exit
    }

    Write-Color @Global:WriteParameters "[i] ", "Testing for prerequisite availability..." -Color White, Yellow
    $ImportExcel = Get-ModulesAvailability -Name "ImportExcel"
    if ($ImportExcel -eq $true) {
        Write-Color @Global:WriteParameters  "[+] ", "ImportExcel", " module found. Importing... please wait..." -Color White, Green, White
        Import-Module ImportExcel
        Write-Color @Global:WriteParameters  "[+] ", "ImportExcel", " module imported. Continuing..." -Color White, Green, White
    } else {
        Write-Color @Global:WriteParameters  "[-] ", "ImportExcel", " module not found." -Color White, Red, White
        if ($ReportOptions.AsExcel -eq $true) {
            Write-Color @Global:WriteParameters  "[-] ", "ImportExcel ", "module is not installed. Disable ", "AsExcel", " under ", "ReportOptions", " option before rerunning this script." -Color White, Red, White, Yellow, White, Yellow, White
            Write-Color @Global:WriteParameters  "[-] ", "Alternatively run ", "Install-Module -Name ImportExcel", " before re-running this script. It's quite useful module!" -Color White, White, Yellow, White
            Write-Color @Global:WriteParameters  "[-] ", "If ", "Install-Module", " is not there as well (", "poor you - running older system are you?", ") you need to download PackageManagement PowerShell Modules." -Color White, White, Yellow, White, Yellow, White
            Write-Color @Global:WriteParameters  "[-] ", "It can be found at ", "https://www.microsoft.com/en-us/download/details.aspx?id=51451", ". After download, install and re-run Install-Module again." -Color White, White, Yellow, White
        }
    }
    $ImportActiveDirectory = Get-ModulesAvailability -Name "ActiveDirectory"
    if ($ImportActiveDirectory -eq $true) {
        Write-Color @Global:WriteParameters  "[+] ", "ActiveDirectory", " module found. Importing... please wait..." -Color White, Green, White
        Import-Module ActiveDirectory
        Write-Color @Global:WriteParameters  "[+] ", "ActiveDirectory", " module imported. Continuing..." -Color White, Green, White
    } else {
        Write-Color @Global:WriteParameters  "[-] ", "ActiveDirectory", " module not found." -Color White, Red, White
        Write-Color @Global:WriteParameters  "[-] ", "ActiveDirectory", " module is ", "critical", " for operation of this script." -Color White, Red, White, Red, White
        Write-Color @Global:WriteParameters  "[-] ", "Please make sure it's available on the machine before running this script" -Color White, Red
    }
    try {
        $TestActiveDirectory = get-addomain
        $AdIsAvailable = $true
    } catch {
        if ($_.Exception -match "Unable to find a default server with Active Directory Web Services running.") {
            Write-Color @Global:WriteParameters "[-] ", "Active Directory", " not found. Please run this script with access to ", "Domain Controllers." -Color White, Red, White, Red
        }
        Write-Color @Global:WriteParameters "[-] ", "Error: $($_.Exception.Message)" -Color White, Red
        $AdIsAvailable = $false
    }

    if ($ImportActiveDirectory -eq $true -and (($ReportOptions.AsExcel -eq $true -and $ImportExcel -eq $true) -or $ReportOptions.AsExcel -eq $false) -and $AdIsAvailable -eq $true) {
        return #$true
    } else {
        Exit
        #return $false
    }
}
Function ConvertTo-FlatObject {
    <#
    .SYNOPSIS
        Flatten an object to simplify discovery of data

    .DESCRIPTION
        Flatten an object.  This function will take an object, and flatten the properties using their full path into a single object with one layer of properties.

        You can use this to flatten XML, JSON, and other arbitrary objects.

        This can simplify initial exploration and discovery of data returned by APIs, interfaces, and other technologies.

        NOTE:
            Use tools like Get-Member, Select-Object, and Show-Object to further explore objects.
            This function does not handle certain data types well.  It was original designed to expand XML and JSON.

    .PARAMETER InputObject
        Object to flatten

    .PARAMETER Exclude
        Exclude any nodes in this list.  Accepts wildcards.

        Example:
            -Exclude price, title

    .PARAMETER ExcludeDefault
        Exclude default properties for sub objects.  True by default.

        This simplifies views of many objects (e.g. XML) but may exclude data for others (e.g. if flattening a process, ProcessThread properties will be excluded)

    .PARAMETER Include
        Include only leaves in this list.  Accepts wildcards.

        Example:
            -Include Author, Title

    .PARAMETER Value
        Include only leaves with values like these arguments.  Accepts wildcards.

    .PARAMETER MaxDepth
        Stop recursion at this depth.

    .INPUTS
        Any object

    .OUTPUTS
        System.Management.Automation.PSCustomObject

    .EXAMPLE

        #Pull unanswered PowerShell questions from StackExchange, Flatten the data to date a feel for the schema
        Invoke-RestMethod "https://api.stackexchange.com/2.0/questions/unanswered?order=desc&sort=activity&tagged=powershell&pagesize=10&site=stackoverflow" |
            ConvertTo-FlatObject -Include Title, Link, View_Count

            $object.items[0].owner.link : http://stackoverflow.com/users/1946412/julealgon
            $object.items[0].view_count : 7
            $object.items[0].link       : http://stackoverflow.com/questions/26910789/is-it-possible-to-reuse-a-param-block-across-multiple-functions
            $object.items[0].title      : Is it possible to reuse a 'param' block across multiple functions?
            $object.items[1].owner.link : http://stackoverflow.com/users/4248278/nitin-tyagi
            $object.items[1].view_count : 8
            $object.items[1].link       : http://stackoverflow.com/questions/26909879/use-powershell-to-retreive-activated-features-for-sharepoint-2010
            $object.items[1].title      : Use powershell to retreive Activated features for sharepoint 2010
            ...

    .EXAMPLE

        #Set up some XML to work with
        $object = [xml]'
            <catalog>
               <book id="bk101">
                  <author>Gambardella, Matthew</author>
                  <title>XML Developers Guide</title>
                  <genre>Computer</genre>
                  <price>44.95</price>
               </book>
               <book id="bk102">
                  <author>Ralls, Kim</author>
                  <title>Midnight Rain</title>
                  <genre>Fantasy</genre>
                  <price>5.95</price>
               </book>
            </catalog>'

        #Call the flatten command against this XML
            ConvertTo-FlatObject $object -Include Author, Title, Price

            #Result is a flattened object with the full path to the node, using $object as the root.
            #Only leaf properties we specified are included (author,title,price)

                $object.catalog.book[0].author : Gambardella, Matthew
                $object.catalog.book[0].title  : XML Developers Guide
                $object.catalog.book[0].price  : 44.95
                $object.catalog.book[1].author : Ralls, Kim
                $object.catalog.book[1].title  : Midnight Rain
                $object.catalog.book[1].price  : 5.95

        #Invoking the property names should return their data if the orginal object is in $object:
            $object.catalog.book[1].price
                5.95

            $object.catalog.book[0].title
                XML Developers Guide

    .EXAMPLE

        #Set up some XML to work with
            [xml]'<catalog>
               <book id="bk101">
                  <author>Gambardella, Matthew</author>
                  <title>XML Developers Guide</title>
                  <genre>Computer</genre>
                  <price>44.95</price>
               </book>
               <book id="bk102">
                  <author>Ralls, Kim</author>
                  <title>Midnight Rain</title>
                  <genre>Fantasy</genre>
                  <price>5.95</price>
               </book>
            </catalog>' |
                ConvertTo-FlatObject -exclude price, title, id

        Result is a flattened object with the full path to the node, using XML as the root.  Price and title are excluded.

            $Object.catalog                : catalog
            $Object.catalog.book           : {book, book}
            $object.catalog.book[0].author : Gambardella, Matthew
            $object.catalog.book[0].genre  : Computer
            $object.catalog.book[1].author : Ralls, Kim
            $object.catalog.book[1].genre  : Fantasy

    .EXAMPLE
        #Set up some XML to work with
            [xml]'<catalog>
               <book id="bk101">
                  <author>Gambardella, Matthew</author>
                  <title>XML Developers Guide</title>
                  <genre>Computer</genre>
                  <price>44.95</price>
               </book>
               <book id="bk102">
                  <author>Ralls, Kim</author>
                  <title>Midnight Rain</title>
                  <genre>Fantasy</genre>
                  <price>5.95</price>
               </book>
            </catalog>' |
                ConvertTo-FlatObject -Value XML*, Fantasy

        Result is a flattened object filtered by leaves that matched XML* or Fantasy

            $Object.catalog.book[0].title : XML Developers Guide
            $Object.catalog.book[1].genre : Fantasy

    .EXAMPLE
        #Get a single process with all props, flatten this object.  Don't exclude default properties
        Get-Process | select -first 1 -skip 10 -Property * | ConvertTo-FlatObject -ExcludeDefault $false

        #NOTE - There will likely be bugs for certain complex objects like this.
                For example, $Object.StartInfo.Verbs.SyncRoot.SyncRoot... will loop until we hit MaxDepth. (Note: SyncRoot is now addressed individually)

    .NOTES
        I have trouble with algorithms.  If you have a better way to handle this, please let me know!

    .FUNCTIONALITY
        General Command
    #>
    [cmdletbinding()]
    param(

        [parameter( Mandatory = $True,
            ValueFromPipeline = $True)]
        [PSObject[]]$InputObject,

        [string[]]$Exclude = "",

        [bool]$ExcludeDefault = $True,

        [string[]]$Include = $null,

        [string[]]$Value = $null,

        [int]$MaxDepth = 10
    )
    Begin {
        #region FUNCTIONS

        #Before adding a property, verify that it matches a Like comparison to strings in $Include...
        Function IsIn-Include {
            param($prop)
            if (-not $Include) {$True}
            else {
                foreach ($Inc in $Include) {
                    if ($Prop -like $Inc) {
                        $True
                    }
                }
            }
        }

        #Before adding a value, verify that it matches a Like comparison to strings in $Value...
        Function IsIn-Value {
            param($val)
            if (-not $Value) {$True}
            else {
                foreach ($string in $Value) {
                    if ($val -like $string) {
                        $True
                    }
                }
            }
        }

        Function Get-Exclude {
            [cmdletbinding()]
            param($obj)

            #Exclude default props if specified, and anything the user specified.  Thanks to Jaykul for the hint on [type]!
            if ($ExcludeDefault) {
                Try {
                    $DefaultTypeProps = @( $obj.gettype().GetProperties() | Select -ExpandProperty Name -ErrorAction Stop )
                    if ($DefaultTypeProps.count -gt 0) {
                        Write-Verbose "Excluding default properties for $($obj.gettype().Fullname):`n$($DefaultTypeProps | Out-String)"
                    }
                } Catch {
                    Write-Verbose "Failed to extract properties from $($obj.gettype().Fullname): $_"
                    $DefaultTypeProps = @()
                }
            }

            @( $Exclude + $DefaultTypeProps ) | Select -Unique
        }

        #Function to recurse the Object, add properties to object
        Function Recurse-Object {
            [cmdletbinding()]
            param(
                $Object,
                [string[]]$path = '$Object',
                [psobject]$Output,
                $depth = 0
            )

            # Handle initial call
            Write-Verbose "Working in path $Path at depth $depth"
            Write-Debug "Recurse Object called with PSBoundParameters:`n$($PSBoundParameters | Out-String)"
            $Depth++

            #Exclude default props if specified, and anything the user specified.
            $ExcludeProps = @( Get-Exclude $object )

            #Get the children we care about, and their names
            $Children = $object.psobject.properties | Where {$ExcludeProps -notcontains $_.Name }
            Write-Debug "Working on properties:`n$($Children | select -ExpandProperty Name | Out-String)"

            #Loop through the children properties.
            foreach ($Child in @($Children)) {
                $ChildName = $Child.Name
                $ChildValue = $Child.Value

                Write-Debug "Working on property $ChildName with value $($ChildValue | Out-String)"
                # Handle special characters...
                if ($ChildName -match '[^a-zA-Z0-9_]') {
                    $FriendlyChildName = "{$ChildName}"
                } else {
                    $FriendlyChildName = $ChildName
                }

                #Add the property.
                if ((IsIn-Include $ChildName) -and (IsIn-Value $ChildValue) -and $Depth -le $MaxDepth) {
                    $ThisPath = @( $Path + $FriendlyChildName ) -join "."
                    $Output | Add-Member -MemberType NoteProperty -Name $ThisPath -Value $ChildValue
                    Write-Verbose "Adding member '$ThisPath'"
                }

                #Handle null...
                if ($ChildValue -eq $null) {
                    Write-Verbose "Skipping NULL $ChildName"
                    continue
                }

                #Handle evil looping.  Will likely need to expand this.  Any thoughts on a better approach?
                if (
                    (
                        $ChildValue.GetType() -eq $Object.GetType() -and
                        $ChildValue -is [datetime]
                    ) -or
                    (
                        $ChildName -eq "SyncRoot" -and
                        -not $ChildValue
                    )
                ) {
                    Write-Verbose "Skipping $ChildName with type $($ChildValue.GetType().fullname)"
                    continue
                }

                #Check for arrays
                $IsArray = @($ChildValue).count -gt 1
                $count = 0

                #Set up the path to this node and the data...
                $CurrentPath = @( $Path + $FriendlyChildName ) -join "."

                #Exclude default props if specified, and anything the user specified.
                $ExcludeProps = @( Get-Exclude $ChildValue )

                #Get the children's children we care about, and their names.  Also look for signs of a hashtable like type
                $ChildrensChildren = $ChildValue.psobject.properties | Where {$ExcludeProps -notcontains $_.Name }

                $HashKeys = if ($ChildValue.Keys -notlike $null -and $ChildValue.Values) {
                    $ChildValue.Keys
                } else {
                    $null
                }
                Write-Debug "Found children's children $($ChildrensChildren | select -ExpandProperty Name | Out-String)"
                #>
                #If we aren't at max depth or a leaf...
                if (
                    (@($ChildrensChildren).count -ne 0 -or $HashKeys) -and
                    $Depth -lt $MaxDepth
                ) {
                    #This handles hashtables.  But it won't recurse...
                    if ($HashKeys) {
                        Write-Verbose "Working on hashtable $CurrentPath"
                        foreach ($key in $HashKeys) {
                            Write-Verbose "Adding value from hashtable $CurrentPath['$key']"
                            $Output | Add-Member -MemberType NoteProperty -name "$CurrentPath['$key']" -value $ChildValue["$key"]
                            $Output = Recurse-Object -Object $ChildValue["$key"] -Path "$CurrentPath['$key']" -Output $Output -depth $depth
                        }
                    }
                    #Sub children?  Recurse!
                    else {
                        if ($IsArray) {
                            foreach ($item in @($ChildValue)) {
                                Write-Verbose "Recursing through array node '$CurrentPath'"
                                $Output = Recurse-Object -Object $item -Path "$CurrentPath[$count]" -Output $Output -depth $depth
                                $Count++
                            }
                        } else {
                            Write-Verbose "Recursing through node '$CurrentPath'"
                            $Output = Recurse-Object -Object $ChildValue -Path $CurrentPath -Output $Output -depth $depth
                        }
                    }
                }
            }

            $Output
        }

        #endregion FUNCTIONS
    }
    Process {
        Foreach ($Object in $InputObject) {
            #Flatten the XML and write it to the pipeline
            Recurse-Object -Object $Object -Output $( New-Object -TypeName PSObject )
        }
    }
}
function Add-ToHashTable($Hashtable, $Key, $Value) {
    if ($value -ne $null) {
        $Hashtable.Add($Key, $value)
    }
}
function ConvertFrom-SID ($Sid) {
    $KnownSIDs = @{
        'S-1-0' = 'Null Authority'
        'S-1-0-0' = 'Nobody'
        'S-1-1' = 'World Authority'
        'S-1-1-0' = 'Everyone'
        'S-1-2' = 'Local Authority'
        'S-1-2-0' = 'Local'
        'S-1-2-1' = 'Console Logon'
        'S-1-3' = 'Creator Authority'
        'S-1-3-0' = 'Creator Owner'
        'S-1-3-1' = 'Creator Group'
        'S-1-3-2' = 'Creator Owner Server'
        'S-1-3-3' = 'Creator Group Server'
        'S-1-3-4' = 'Owner Rights'
        'S-1-5-80-0' = 'All Services'
        'S-1-4' = 'Non-unique Authority'
        'S-1-5' = 'NT Authority'
        'S-1-5-1' = 'Dialup'
        'S-1-5-2' = 'Network'
        'S-1-5-3' = 'Batch'
        'S-1-5-4' = 'Interactive'
        'S-1-5-6' = 'Service'
        'S-1-5-7' = 'Anonymous'
        'S-1-5-8' = 'Proxy'
        'S-1-5-9' = 'Enterprise Domain Controllers'
        'S-1-5-10' = 'Principal Self'
        'S-1-5-11' = 'Authenticated Users'
        'S-1-5-12' = 'Restricted Code'
        'S-1-5-13' = 'Terminal Server Users'
        'S-1-5-14' = 'Remote Interactive Logon'
        'S-1-5-15' = 'This Organization'
        'S-1-5-17' = 'This Organization'
        'S-1-5-18' = 'Local System'
        'S-1-5-19' = 'NT Authority'
        'S-1-5-20' = 'NT Authority'
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-545' = 'Users'
        'S-1-5-32-546' = 'Guests'
        'S-1-5-32-547' = 'Power Users'
        'S-1-5-32-548' = 'Account Operators'
        'S-1-5-32-549' = 'Server Operators'
        'S-1-5-32-550' = 'Print Operators'
        'S-1-5-32-551' = 'Backup Operators'
        'S-1-5-32-552' = 'Replicators'
        'S-1-5-64-10' = 'NTLM Authentication'
        'S-1-5-64-14' = 'SChannel Authentication'
        'S-1-5-64-21' = 'Digest Authority'
        'S-1-5-80' = 'NT Service'
        'S-1-5-83-0' = 'NT VIRTUAL MACHINE\Virtual Machines'
        'S-1-16-0' = 'Untrusted Mandatory Level'
        'S-1-16-4096' = 'Low Mandatory Level'
        'S-1-16-8192' = 'Medium Mandatory Level'
        'S-1-16-8448' = 'Medium Plus Mandatory Level'
        'S-1-16-12288' = 'High Mandatory Level'
        'S-1-16-16384' = 'System Mandatory Level'
        'S-1-16-20480' = 'Protected Process Mandatory Level'
        'S-1-16-28672' = 'Secure Process Mandatory Level'
        'S-1-5-32-554' = 'BUILTIN\Pre-Windows 2000 Compatible Access'
        'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
        'S-1-5-32-556' = 'BUILTIN\Network Configuration Operators'
        'S-1-5-32-557' = 'BUILTIN\Incoming Forest Trust Builders'
        'S-1-5-32-558' = 'BUILTIN\Performance Monitor Users'
        'S-1-5-32-559' = 'BUILTIN\Performance Log Users'
        'S-1-5-32-560' = 'BUILTIN\Windows Authorization Access Group'
        'S-1-5-32-561' = 'BUILTIN\Terminal Server License Servers'
        'S-1-5-32-562' = 'BUILTIN\Distributed COM Users'
        'S-1-5-32-569' = 'BUILTIN\Cryptographic Operators'
        'S-1-5-32-573' = 'BUILTIN\Event Log Readers'
        'S-1-5-32-574' = 'BUILTIN\Certificate Service DCOM Access'
        'S-1-5-32-575' = 'BUILTIN\RDS Remote Access Servers'
        'S-1-5-32-576' = 'BUILTIN\RDS Endpoint Servers'
        'S-1-5-32-577' = 'BUILTIN\RDS Management Servers'
        'S-1-5-32-578' = 'BUILTIN\Hyper-V Administrators'
        'S-1-5-32-579' = 'BUILTIN\Access Control Assistance Operators'
        'S-1-5-32-580' = 'BUILTIN\Remote Management Users'
    }
    foreach ($id in $sid) {
        if ($name = $KnownSIDs[$id]) { }
        else {
            #Try to translate the SID to an account
            Try {
                $objSID = New-Object System.Security.Principal.SecurityIdentifier($id)
                $name = ( $objSID.Translate([System.Security.Principal.NTAccount]) ).Value
            } Catch {
                $name = $sid # returns sid if unable to name
            }
        }
        return @{ SID = $id
            Name = $name
        }

    }

}

function Get-Events($ADDomainControllers, [DateTime] $DateFrom, [DateTime] $DateTo, $EventIds, $LogType = 'Security', $ProviderName = "") {
    $Allevents = @()

    foreach ($AdServer in $ADDomainControllers) {
        Write-Color @Global:WriteParameters "[i] Processing domain controller ", "$($AdServer)", " for events ", "$EventIds" -Color White, Yellow, White, Green
        if ($ProviderName -eq "") {
            $EventFilter = @{Logname = $LogType; Id = $EventIds; StartTime = $DateFrom; EndTime = $DateTo  }
        } else {
            $EventFilter = @{Logname = $LogType; Id = $EventIds; StartTime = $DateFrom; EndTime = $DateTo ; ProviderName = $ProviderName }
        }
        $Events = @()
        try {
            $Events = Get-WinEvent -FilterHashtable $EventFilter -ComputerName $AdServer -ErrorAction Stop
            $EventsCount = ($Events | Measure-Object).Count
            Write-Color "[i] Events processed: ", "$EventsCount" -Color White, Yellow
        } catch {
            if ($_.Exception -match "No events were found that match the specified selection criteria") {
                Write-Color @Global:WriteParameters "[i] No events found"
            } elseif ($_.Exception -match "There are no more endpoints available from the endpoint") {
                Write-Color @Global:WriteParameters "[i] Error connecting to domain controller ", "$($AdServer)", ". Server will be skipped..." -Color White, Red, White
                Write-Color @Global:WriteParameters "[i] Error: ", "$($_.Exception.Message)" -Color White, Red
            } else {
                Write-Color @Global:WriteParameters "[i] Error reported when checking domain controller ", "$($AdServer)", " for events. Server will be skipped..." -Color White, Red, White
                Write-Color @Global:WriteParameters "[i] Error: ", "$($_.Exception.Message)" -Color White, Red
            }
            continue
        }
        # Parse out the event message data
        ForEach ($Event in $Events) {
            # Convert the event to XML
            $eventXML = [xml]$Event.ToXml()
            # Iterate through each one of the XML message properties
            Add-Member -InputObject $Event -MemberType NoteProperty -Name "Computer" -Value $event.MachineName.ToString() -Force
            Add-Member -InputObject $Event -MemberType NoteProperty -Name "Date" -Value $Event.TimeCreated -Force

            # Get-Member -inputobject $eventXML.Event

            if (Get-Member -inputobject $eventXML.Event.EventData -name "Data" -Membertype Properties) {
                if (Get-Member -inputobject $eventXML.Event.EventData.Data -name "Count" -Membertype Properties) {
                    For ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
                        if (Get-Member -inputobject $eventXML.Event.EventData.Data[$i] -name "Name" -Membertype Properties) {
                            $fieldName = $eventXML.Event.EventData.Data[$i].Name
                        } else {
                            $fieldName = ""
                        }
                        if (Get-Member -inputobject $eventXML.Event.EventData.Data[$i] -name "#text" -Membertype Properties) {
                            $fieldValue = $eventXML.Event.EventData.Data[$i].'#text'
                            if ($fieldValue -eq "-".Trim()) { $fieldValue = $fieldValue -replace "-" }
                        } else {
                            $fieldValue = ""
                        }
                        # Append these as object properties
                        if ($fieldName -ne "") {
                            Add-Member -InputObject $Event -MemberType NoteProperty -Name $fieldName -Value $fieldValue -Force
                        }
                    }
                }
            }
        }
        $Allevents += $events

    }
    $EventsProcessed = ($Allevents | Measure-Object).Count
    Write-Color @Global:WriteParameters "[i] Events processed in total for the report: ", "$EventsProcessed" -Color White, Yellow
    return $Allevents
}
function Get-CustomReport($Servers, $Dates, $ReportOptions, $EventIDs, $LogType) {
    $Events = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $EventIDs -ReportOptions $ReportOptions -LogType $LogType
    $EventsOutput = $Events | Select-Object @{label = 'Domain Controller'; expression = { $_.Computer}} ,
    @{label = 'Action'; expression = { ($_.Message -split '\n')[0] }},
    @{label = 'Group Name'; expression = { $_.TargetUserName }},
    @{label = 'Member Name'; expression = {$_.MemberName -replace '^CN=|,.*$' }},
    @{label = 'Who'; expression = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" }},
    @{label = 'When'; expression = { $_.Date }},
    @{label = 'Event ID'; expression = { $_.ID }},
    @{label = 'Record ID'; expression = { $_.RecordId }}
    $EventsOutput = $EventsOutput | Sort-Object When
    return $EventsOutput
}

function Get-EventLogClearedLogs($Servers, $Dates) {
    $EventID = 1102
    $Events = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $EventID -LogType "Security" -ProviderName "Microsoft-Windows-Eventlog"
    $EventsOutput = $Events | Select-Object @{label = 'Domain Controller'; expression = { $_.Computer}} ,
    @{label = 'Action'; expression = { ($_.Message -split '\n')[0] }},
    @{label = 'Who'; expression = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" }},
    @{label = 'When'; expression = { $_.Date }},
    @{label = 'Event ID'; expression = { $_.ID }},
    @{label = 'Record ID'; expression = { $_.RecordId }}
    return $EventsOutput
}

function Get-GroupPolicyChanges ($Servers, $Dates) {
    $EventID = 5136, 5137, 5141
    # 5136 Group Policy changes, value changes, links, unlinks.
    # 5137 Group Policy creations.
    # 5141 Group Policy deletions.

    Write-Color @Global:WriteParameters "[i] Running ", "Group Policy Changes Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    $GroupMembershipChanges = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $EventID
    $GroupMembershipChangesOutput = $GroupMembershipChanges
    <#
      $GroupMembershipChangesOutput = $GroupMembershipChanges | Select-Object @{label = 'Domain Controller'; expression = { $_.Computer}} ,
      @{label = 'Action'; expression = { ($_.Message -split '\n')[0] }},
      @{label = 'Group Name'; expression = { $_.TargetUserName }},
      @{label = 'Member Name'; expression = {$_.MemberName -replace '^CN=|,.*$' }},
      @{label = 'Who'; expression = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" }},
      @{label = 'When'; expression = { $_.Date }},
      @{label = 'Event ID'; expression = { $_.ID }},
      @{label = 'Record ID'; expression = { $_.RecordId }}

      #$GroupMembershipChangesOutput = $GroupMembershipChangesOutput | Sort-Object When
    #>
    Write-Color @Global:WriteParameters "[i] Ending ", "Group Policy Changes Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    return $GroupMembershipChangesOutput
}

function Get-GroupChanges($Servers, $Dates, $ReportOptions) {
    # 4755: A security-enabled universal group was changed                https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4755
    $GroupChangesEventID = 4755
    return Get-CustomReport $Servers $Dates -ReportOptions $ReportOptions $GroupChangesEventID -LogType "System"
}
function Get-LogonEvents($Servers, $Dates, $ReportOptions) {

    Write-Color @Global:WriteParameters "[i] Running ", "Logon Events Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White

    # 4624: An account was successfully logged on
    # 4634: An account was logged off
    # 4647: User initiated logoff
    # 4672: Special privileges assigned to new logon                     https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672

    $EventIDs = 4624 #, 4364, 4647, 4672
    $Events = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $EventIDs -ReportOptions $ReportOptions -LogType "Security"
    Write-Color @Global:WriteParameters "[i] Ending ", "Logon Events Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    return $Events
}
function Get-RebootEvents($servers, $Dates, $ReportOptions) {

    Write-Color @Global:WriteParameters "[i] Running ", "Reboot Events Report (Troubleshooting Only)", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White

    # -LogName "System" -Provider "User32"
    # -LogName "System" -Provider "Microsoft-Windows-WER-SystemErrorReporting" -EventID 1001, 1018
    # -LogName "System" -Provider "Microsoft-Windows-Kernel-General" -EventID 1, 12, 13
    # -LogName "System" -Provider "Microsoft-Windows-Kernel-Power" -EventID 42, 41, 109
    # -LogName "System" -Provider "Microsoft-Windows-Power-Troubleshooter" -EventID 1
    # -LogName "System" -Provider "Eventlog" -EventID 6005, 6006, 6008, 6013

    $EventIds = 1001, 1018, 1, 12, 13, 42, 41, 109, 1, 6005, 6006, 6008, 6013
    $Events = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $EventIds -ReportOptions $ReportOptions -LogType "System"
    Write-Color @Global:WriteParameters "[i] Ending ", "Reboot Events Report (Troubleshooting Only)", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    return $Events | Select-Object ID, Computer, TimeCreated, Message
}
function Get-GroupCreateDelete($Servers, $Dates, $ReportOptions) {

    # 4727: A security-enabled global group was created                   https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4727
    # 4730: A security-enabled global group was deleted                   https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730

    # 4731: A security-enabled local group was created                    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4731
    # 4734: A security-enabled local group was deleted                    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4734

    # 4759: A security-disabled universal group was created               https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4759
    # 4760: A security-disabled universal group was changed               https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4760

    # 4754: A security-enabled universal group was created.              https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4754
    # 4758: A security-enabled universal group was deleted                https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4756
    Write-Color @Global:WriteParameters "[i] Running ", "Group Create/Delete Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    $GroupMembershipChangesEventID = 4727, 4730, 4731, 4734, 4759, 4760, 4754, 4758
    $GroupMembershipChanges = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $GroupMembershipChangesEventID -ReportOptions $ReportOptions
    $GroupMembershipChangesOutput = $GroupMembershipChanges | Select-Object @{label = 'Domain Controller'; expression = { $_.Computer}} ,
    @{label = 'Action'; expression = { ($_.Message -split '\n')[0] }},
    @{label = 'Group Name'; expression = { $_.TargetUserName }},
    @{label = 'Member Name'; expression = {$_.MemberName -replace '^CN=|,.*$' }},
    @{label = 'Who'; expression = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" }},
    @{label = 'When'; expression = { $_.Date }},
    @{label = 'Event ID'; expression = { $_.ID }},
    @{label = 'Record ID'; expression = { $_.RecordId }}
    $GroupMembershipChangesOutput = $GroupMembershipChangesOutput | Sort-Object When
    Write-Color @Global:WriteParameters "[i] Ending ", "Group Create/Delete Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    return $GroupMembershipChangesOutput
}
function Get-GroupMembershipChanges($Servers, $Dates, $ReportOptions) {

    # Events processed
    # 4728: A member was added to a security-enabled global group -       https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
    # 4729: A member was removed from a security-enabled global group     https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
    # 4732: A member was added to a security-enabled local group -  -     https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4732
    # 4733: A member was removed from a security-enabled local group -    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4733
    # 4756: A member was added to a security-enabled universal group      https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4756
    # 4757: A member was removed from a security-enabled universal group  https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4757
    # 4761: A member was added to a security-disabled universal group     https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4761
    # 4762: A member was removed from a security-disabled universal group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4762

    Write-Color @Global:WriteParameters "[i] Running ", "Group Membership Changes Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    $GroupMembershipChangesEventID = 4728, 4729, 4732, 4733, 4756, 4757, 4761, 4762
    $GroupMembershipChanges = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $GroupMembershipChangesEventID -ReportOptions $ReportOptions
    $GroupMembershipChangesOutput = $GroupMembershipChanges | Select-Object @{label = 'Domain Controller'; expression = { $_.Computer}} ,
    @{label = 'Action'; expression = { ($_.Message -split '\n')[0] }},
    @{label = 'Group Name'; expression = { $_.TargetUserName }},
    @{label = 'Member Name'; expression = {$_.MemberName -replace '^CN=|,.*$' }},
    @{label = 'Who'; expression = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" }},
    @{label = 'When'; expression = { $_.Date }},
    @{label = 'Event ID'; expression = { $_.ID }},
    @{label = 'Record ID'; expression = { $_.RecordId }}
    $GroupMembershipChangesOutput = $GroupMembershipChangesOutput | Sort-Object When
    Write-Color @Global:WriteParameters "[i] Ending ", "Group Membership Changes Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    return $GroupMembershipChangesOutput
}
function Get-UserStatuses($Servers, $Dates, $ReportOptions) {

    Write-Color @Global:WriteParameters "[i] Running ", "User Statues Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    $UserChangesID = 4722, 4725, 4767, 4723, 4724, 4726
    $UserChanges = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $UserChangesID -ReportOptions $ReportOptions
    $UserChangesOutput = $UserChanges | Select-Object @{label = 'Domain Controller'; expression = { $_.Computer}} ,
    @{label = 'Action'; expression = { ($_.Message -split '\n')[0] }},
    @{label = 'User Affected'; expression = { "$($_.TargetDomainName)\$($_.TargetUserName)" }},
    @{label = 'Who'; expression = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" }},
    @{label = 'When'; expression = { $_.Date }},
    @{label = 'Event ID'; expression = { $_.ID }},
    @{label = 'Record ID'; expression = { $_.RecordId }}
    $UserChangesOutput = $UserChangesOutput | Sort-Object When
    Write-Color @Global:WriteParameters "[i] Ending ", "User Statues Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    return $UserChangesOutput
}

function Get-UserLockouts($Servers, $Dates, $ReportOptions) {

    Write-Color @Global:WriteParameters "[i] Running ", "User Lockouts Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    $UserChangesID = 4740
    $UserChanges = Get-Events -ADDomainControllers $Servers -DateFrom $Dates.DateFrom -DateTo $Dates.DateTo -EventID $UserChangesID -ReportOptions $ReportOptions
    $UserChangesOutput = $UserChanges | Select-Object @{label = 'Domain Controller'; expression = { $_.Computer}} ,
    @{label = 'Action'; expression = { ($_.Message -split '\n')[0] }},
    @{label = 'Computer Lockout On'; expression = { "$($_.TargetDomainName)" }},
    @{label = 'User Affected'; expression = { "$($_.TargetUserName)" }},
    @{label = 'Reported By'; expression = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" }},
    @{label = 'When'; expression = { ($_.Date) }},
    @{label = 'Event ID'; expression = { $_.ID }},
    @{label = 'Record ID'; expression = { $_.RecordId }}
    $UserChangesOutput = $UserChangesOutput | Sort-Object When
    Write-Color @Global:WriteParameters "[i] Ending ", "User Lockouts Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    return $UserChangesOutput

}
function Get-UserChanges($Servers, $Dates, $ReportOptions) {

    Write-Color @Global:WriteParameters "[i] Running ", "User Changes Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    $userChangesCleanedUp = @()
    $UserChangesID = 4720, 4738
    $UserChanges = Get-Events -ADDomainControllers $Servers -DateFrom $($Dates.DateFrom) -DateTo $($Dates.DateTo) -EventID $UserChangesID -ReportOptions $ReportOptions
    # Cleanup Anonymous LOGON (usually related to password events)
    # https://social.technet.microsoft.com/Forums/en-US/5b2a93f7-7101-43c1-ab53-3a51b2e05693/eventid-4738-user-account-was-changed-by-anonymous?forum=winserverDS
    #$userChanges

    foreach ($u in $UserChanges) {
        if ($u.SubjectUserName -eq "ANONYMOUS LOGON") { }
        else { $userChangesCleanedUp += $u }
    }
    $UserChangesOutput = $userChangesCleanedUp | Select-Object @{label = 'Domain Controller'; expression = { $_.Computer}} ,
    @{label = 'Action'; expression = { ($_.Message -split '\n')[0] }},
    @{label = 'User Affected'; expression = { "$($_.TargetDomainName)\$($_.TargetUserName)" }},
    @{label = 'SamAccountName'; expression = { $_.SamAccountName }},
    @{label = 'Display Name'; expression = { $_.DisplayName }},
    @{label = 'UserPrincipalName'; expression = { $_.UserPrincipalName }},
    @{label = 'Home Directory'; expression = { $_.HomeDirectory }},
    @{label = 'Home Path'; expression = { $_.HomePath }},
    @{label = 'Script Path'; expression = { $_.ScriptPath }},
    @{label = 'Profile Path'; expression = { $_.ProfilePath }},
    @{label = 'User Workstations'; expression = { $_.UserWorkstations }},
    @{label = 'Password Last Set'; expression = { $_.PasswordLastSet }},
    @{label = 'Account Expires'; expression = { $_.AccountExpires }},
    @{label = 'Primary Group Id'; expression = { $_.PrimaryGroupId }},
    @{label = 'Allowed To Delegate To'; expression = { $_.AllowedToDelegateTo }},
    @{label = 'Old Uac Value'; expression = { Convert-UAC $_.OldUacValue }},
    @{label = 'New Uac Value'; expression = { Convert-UAC $_.NewUacValue }},
    @{label = 'User Account Control'; expression = {
            foreach ($u in $_.UserAccountControl) {
                Convert-UAC ($u -replace "%%", "")
            }
        }
    },
    @{label = 'User Parameters'; expression = { $_.UserParameters }},
    @{label = 'Sid History'; expression = { $_.SidHistory }},
    @{label = 'Logon Hours'; expression = { $_.LogonHours }},
    @{label = 'Who'; expression = { "$($_.SubjectDomainName)\$($_.SubjectUserName)" }},
    @{label = 'When'; expression = { $_.Date }},
    @{label = 'Event ID'; expression = { $_.ID }},
    @{label = 'Record ID'; expression = { $_.RecordId }}
    $UserChangesOutput = $UserChangesOutput | Sort-Object When
    Write-Color @Global:WriteParameters "[i] Ending ", "User Lockouts Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    return $UserChangesOutput
}
function Write-Color([String[]]$Text, [ConsoleColor[]]$Color = "White", [int]$StartTab = 0, [int] $LinesBefore = 0, [int] $LinesAfter = 0, [string] $LogFile = "", $TimeFormat = "yyyy-MM-dd HH:mm:ss", [switch] $ShowTime, [switch] $NoNewLine) {
    # Author: przemyslaw.klys at evotec.pl
    # version 0.3
    # - added -ShowTime
    # - added -NoNewLine
    # version 0.2
    # - added logging to file
    # version 0.1
    # - first draft
    #
    # Notes:
    # - TimeFormat https://msdn.microsoft.com/en-us/library/8kb3ddd4.aspx

    $DefaultColor = $Color[0]
    if ($LinesBefore -ne 0) {  for ($i = 0; $i -lt $LinesBefore; $i++) { Write-Host "`n" -NoNewline } } # Add empty line before
    if ($ShowTime) { Write-Host "[$([datetime]::Now.ToString($TimeFormat))]" -NoNewline} # Add Time before output
    if ($StartTab -ne 0) {  for ($i = 0; $i -lt $StartTab; $i++) { Write-Host "`t" -NoNewLine } }  # Add TABS before text
    if ($Color.Count -ge $Text.Count) {
        for ($i = 0; $i -lt $Text.Length; $i++) { Write-Host $Text[$i] -ForegroundColor $Color[$i] -NoNewLine }
    } else {
        for ($i = 0; $i -lt $Color.Length ; $i++) { Write-Host $Text[$i] -ForegroundColor $Color[$i] -NoNewLine }
        for ($i = $Color.Length; $i -lt $Text.Length; $i++) { Write-Host $Text[$i] -ForegroundColor $DefaultColor -NoNewLine }
    }
    if ($NoNewLine -eq $true) { Write-Host -NoNewline } else { Write-Host } # Support for no new line
    if ($LinesAfter -ne 0) {  for ($i = 0; $i -lt $LinesAfter; $i++) { Write-Host "`n" } }  # Add empty line after
    if ($LogFile -ne "") {
        $TextToFile = ""
        for ($i = 0; $i -lt $Text.Length; $i++) {
            $TextToFile += $Text[$i]
        }
        Write-Output "[$([datetime]::Now.ToString($TimeFormat))]$TextToFile" | Out-File $LogFile -Encoding unicode -Append
    }
}
function Send-Email ([hashtable] $EmailParameters, [string] $Body = "", $Attachment = $null, [string] $Subject = "", $To = "") {
    #     $SendMail = Send-Email -EmailParameters $EmailParameters -Body $EmailBody -Attachment $Reports -Subject $TemporarySubject
    #  Preparing the Email properties
    $SmtpClient = New-Object -TypeName system.net.mail.smtpClient
    $SmtpClient.host = $EmailParameters.EmailServer

    # Adding parameters to login to server
    $SmtpClient.Port = $EmailParameters.EmailServerPort
    if ($EmailParameters.EmailServerLogin -ne "") {
        $SmtpClient.Credentials = New-Object System.Net.NetworkCredential($EmailParameters.EmailServerLogin, $EmailParameters.EmailServerPassword)
    }
    $SmtpClient.EnableSsl = $EmailParameters.EmailServerEnableSSL
    $MailMessage = New-Object -TypeName system.net.mail.mailmessage
    $MailMessage.From = $EmailParameters.EmailFrom
    if ($To -ne "") {
        foreach ($T in $To) { $MailMessage.To.add($($T)) }
    } else {
        if ($EmailParameters.Emailto -ne "") {
            foreach ($To in $EmailParameters.Emailto) { $MailMessage.To.add($($To)) }
        }
    }
    if ($EmailParameters.EmailCC -ne "") {
        foreach ($CC in $EmailParameters.EmailCC) { $MailMessage.CC.add($($CC)) }
    }
    if ($EmailParameters.EmailBCC -ne "") {
        foreach ($BCC in $EmailParameters.EmailBCC) { $MailMessage.BCC.add($($BCC)) }
    }
    $MailMessage.IsBodyHtml = 1
    if ($Subject -eq "") {
        $MailMessage.Subject = $EmailParameters.EmailSubject
    } else {
        $MailMessage.Subject = $Subject
    }
    $MailMessage.Body = $Body
    $MailMessage.Priority = [System.Net.Mail.MailPriority]::$($EmailParameters.EmailPriority)

    #  Encoding
    $MailMessage.BodyEncoding = [System.Text.Encoding]::$($EmailParameters.EmailEncoding)
    $MailMessage.SubjectEncoding = [System.Text.Encoding]::$($EmailParameters.EmailEncoding)

    #  Attaching file (s)
    if ($Attachment -ne $null) {
        foreach ($Attach in $Attachment) {
            if (Test-Path $Attach) {
                $File = new-object Net.Mail.Attachment($Attach)
                $MailMessage.Attachments.Add($File)
            }
        }
    }

    #  Sending the Email
    try {
        $SmtpClient.Send($MailMessage)
        #$att.Dispose();
        $MailMessage.Dispose();
        return @{
            Status = $True
            Error = ""
        }
    } catch {
        $MailMessage.Dispose();
        return @{
            Status = $False
            Error = $($_.Exception.Message)
        }
    }

}
Function Convert-UAC ([int]$UAC) {
    $PropertyFlags = @(s
        "SCRIPT",
        "ACCOUNTDISABLE",
        "RESERVED",
        "HOMEDIR_REQUIRED",
        "LOCKOUT",
        "PASSWD_NOTREQD",
        "PASSWD_CANT_CHANGE",
        "ENCRYPTED_TEXT_PWD_ALLOWED",
        "TEMP_DUPLICATE_ACCOUNT",
        "NORMAL_ACCOUNT",
        "RESERVED",
        "INTERDOMAIN_TRUST_ACCOUNT",
        "WORKSTATION_TRUST_ACCOUNT",
        "SERVER_TRUST_ACCOUNT",
        "RESERVED",
        "RESERVED",
        "DONT_EXPIRE_PASSWORD",
        "MNS_LOGON_ACCOUNT",
        "SMARTCARD_REQUIRED",
        "TRUSTED_FOR_DELEGATION",
        "NOT_DELEGATED",
        "USE_DES_KEY_ONLY",
        "DONT_REQ_PREAUTH",
        "PASSWORD_EXPIRED",
        "TRUSTED_TO_AUTH_FOR_DELEGATION",
        "RESERVED",
        "PARTIAL_SECRETS_ACCOUNT"
        "RESERVED"
        "RESERVED"
        "RESERVED"
        "RESERVED"
        "RESERVED"
    )
    #Possibility 1: One property per line (commented because I use the second one)
    #1..($PropertyFlags.Length) | Where-Object {$UAC -bAnd [math]::Pow(2,$_)} | ForEach-Object {$PropertyFlags[$_]}

    #Possibility 2: One line for all properties (suits my script better)
    $Attributes = ""
    1..($PropertyFlags.Length) | Where-Object {$UAC -bAnd [math]::Pow(2, $_)} | ForEach-Object {If ($Attributes.Length -EQ 0) {$Attributes = $PropertyFlags[$_]} Else {$Attributes = $Attributes + ", " + $PropertyFlags[$_]}}
    Return $Attributes
}
function Find-DatesQuarterLast ([bool] $Force) {
    #https://blogs.technet.microsoft.com/dsheehan/2017/09/21/use-powershell-to-determine-the-first-day-of-the-current-calendar-quarter/
    $Today = (Get-Date).AddDays(-90)
    $Yesterday = ((Get-Date).AddDays(-1))
    $Quarter = [Math]::Ceiling($Today.Month / 3)
    $LastDay = [DateTime]::DaysInMonth([Int]$Today.Year.ToString(), [Int]($Quarter * 3))
    $StartDate = (get-date -Year $Today.Year -Month ($Quarter * 3 - 2) -Day 1).Date
    $EndDate = (get-date -Year $Today.Year -Month ($Quarter * 3) -Day $LastDay).Date.AddDays(1).AddTicks(-1)

    if ($Force -eq $true -or $Yesterday.Date -eq $EndDate.Date) {
        $DateParameters = @{
            DateFrom = $StartDate
            DateTo = $EndDate
        }
        return $DateParameters
    } else {
        return $null
    }
}
function Find-DatesQuarterCurrent ([bool] $Force) {
    $Today = (Get-Date)
    $Quarter = [Math]::Ceiling($Today.Month / 3)
    $LastDay = [DateTime]::DaysInMonth([Int]$Today.Year.ToString(), [Int]($Quarter * 3))
    $StartDate = (get-date -Year $Today.Year -Month ($Quarter * 3 - 2) -Day 1).Date
    $EndDate = (get-date -Year $Today.Year -Month ($Quarter * 3) -Day $LastDay).Date.AddDays(1).AddTicks(-1)
    $DateParameters = @{
        DateFrom = $StartDate
        DateTo = $EndDate
    }
    return $DateParameters
}
function Find-DatesMonthPast ([bool] $Force) {
    $DateToday = (Get-Date).Date
    $DateMonthFirstDay = (GET-DATE -Day 1).Date
    $DateMonthPreviousFirstDay = $DateMonthFirstDay.AddMonths(-1)

    if ($Force -eq $true -or $DateToday -eq $DateMonthFirstDay) {
        $DateParameters = @{
            DateFrom = $DateMonthPreviousFirstDay
            DateTo = $DateMonthFirstDay
        }
        return $DateParameters
    } else {
        return $null
    }
}
function Find-DatesMonthCurrent () {
    $DateMonthFirstDay = (GET-DATE -Day 1).Date
    $DateMonthLastDay = GET-DATE $DateMonthFirstDay.AddMonths(1).AddSeconds(-1)

    $DateParameters = @{
        DateFrom = $DateMonthFirstDay
        DateTo = $DateMonthLastDay
    }
    return $DateParameters
}
function Find-DatesDayPrevious () {
    $DateToday = (GET-DATE).Date
    $DateYesterday = $DateToday.AddDays(-1)

    $DateParameters = @{
        DateFrom = $DateYesterday
        DateTo = $dateToday
    }
    return $DateParameters
}
function Find-DatesDayToday () {
    $DateToday = (GET-DATE).Date
    $DateTodayEnd = $DateToday.AddDays(1).AddSeconds(-1)

    $DateParameters = @{
        DateFrom = $DateToday
        DateTo = $DateTodayEnd
    }
    return $DateParameters
}
function Find-DatesPastHour () {
    $DateTodayEnd = Get-Date -Minute 0 -Second 0 -Millisecond 0
    $DateTodayStart = $DateTodayEnd.AddHours(-1)

    $DateParameters = @{
        DateFrom = $DateTodayStart
        DateTo = $DateTodayEnd
    }
    return $DateParameters
}

function Find-DatesCurrentHour () {
    $DateTodayStart = (Get-Date -Minute 0 -Second 0 -Millisecond 0)
    $DateTodayEnd = $DateTodayStart.AddHours(1)

    $DateParameters = @{
        DateFrom = $DateTodayStart
        DateTo = $DateTodayEnd
    }
    return $DateParameters
}

function Find-DatesCurrentDayMinusDayX ($days) {
    $DateTodayStart = (Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0).AddDays( - $Days)
    $DateTodayEnd = (Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0).AddDays(1).AddDays( - $Days).AddMilliseconds(-1)

    $DateParameters = @{
        DateFrom = $DateTodayStart
        DateTo = $DateTodayEnd
    }
    return $DateParameters
}
function Find-DatesCurrentDayMinuxDaysX ($days) {
    $DateTodayStart = (Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0).AddDays( - $Days)
    $DateTodayEnd = (Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0).AddDays(1).AddMilliseconds(-1)

    $DateParameters = @{
        DateFrom = $DateTodayStart
        DateTo = $DateTodayEnd
    }
    return $DateParameters
}

function Find-DatesPastWeek($DayName) {
    $DateTodayStart = Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    if ($DateTodayStart.DayOfWeek -ne $DayName) {
        return $null
    }
    $DateTodayEnd = (Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0).AddDays(-7)
    $DateParameters = @{
        DateFrom = $DateTodayEnd
        DateTo = $DateTodayStart
    }
    return $DateParameters

}

function Set-ReportFileName($ReportOptions, $ReportExtension, $ReportName = "") {
    $ReportTime = $(get-date -f $ReportOptions.FilePatternDateFormat)
    if ($ReportOptions.KeepReportsPath -ne "") { $Path = $ReportOptions.KeepReportsPath} else { $Path = $env:TEMP }
    $ReportPath = $Path + "\" + $ReportOptions.FilePattern
    $ReportPath = $ReportPath -replace "<currentdate>", $ReportTime
    if ($ReportName -ne "") {
        $ReportPath = $ReportPath.Replace(".<extension>", "-$ReportName.$ReportExtension")
    } else {
        $ReportPath = $ReportPath.Replace(".<extension>", ".$ReportExtension")
    }
    return $ReportPath
}

function Convert-Size {
    # Original - https://techibee.com/powershell/convert-from-any-to-any-bytes-kb-mb-gb-tb-using-powershell/2376
    #
    # Changelog - Modified 30.03.2018 - przemyslaw.klys at evotec.pl
    # - Added $Display Switch
    [cmdletbinding()]
    param(
        [validateset("Bytes", "KB", "MB", "GB", "TB")]
        [string]$From,
        [validateset("Bytes", "KB", "MB", "GB", "TB")]
        [string]$To,
        [Parameter(Mandatory = $true)]
        [double]$Value,
        [int]$Precision = 4,
        [switch]$Display
    )
    switch ($From) {
        "Bytes" {$value = $Value }
        "KB" {$value = $Value * 1024 }
        "MB" {$value = $Value * 1024 * 1024}
        "GB" {$value = $Value * 1024 * 1024 * 1024}
        "TB" {$value = $Value * 1024 * 1024 * 1024 * 1024}
    }

    switch ($To) {
        "Bytes" {return $value}
        "KB" {$Value = $Value / 1KB}
        "MB" {$Value = $Value / 1MB}
        "GB" {$Value = $Value / 1GB}
        "TB" {$Value = $Value / 1TB}

    }
    if ($Display) {
        return "$([Math]::Round($value,$Precision,[MidPointRounding]::AwayFromZero)) $To"
    } else {
        return [Math]::Round($value, $Precision, [MidPointRounding]::AwayFromZero)
    }

}

function Get-EventLogSize ($Servers, $LogName = "Security") {
    $results = @()
    foreach ($server in $Servers) {
        try {
            $result = get-WinEvent -ListLog $LogName -ComputerName $server | Select-Object MaximumSizeInBytes, FileSize, IsLogFul, LastAccessTime, LastWriteTime, OldestRecordNumber, RecordCount, LogName, LogType, LogIsolation, IsEnabled, LogMode
        } catch {
            Write-Color @Global:WriteParameters "[-] ", "Event Log Error", "$($_.Exception)" -Color White, Red
            continue
        }
        $CurrentFileSize = Convert-Size -Value $($result.FileSize) -From Bytes -To GB -Precision 2 -Display
        $MaximumFilesize = Convert-Size -Value $($result.MaximumSizeInBytes) -From Bytes -To GB -Precision 2 -Display
        $EventOldest = (Get-WinEvent -MaxEvents 1 -LogName $result.LogName -Oldest -ComputerName $Server).TimeCreated
        $EventNewest = (Get-WinEvent -MaxEvents 1 -LogName $result.LogName -ComputerName $Server).TimeCreated
        Add-Member -InputObject $result -MemberType NoteProperty -Name "Server" -Value $server
        Add-Member -InputObject $result -MemberType NoteProperty -Name "CurrentFileSize" -Value $CurrentFileSize
        Add-Member -InputObject $result -MemberType NoteProperty -Name "MaximumFileSize" -Value $MaximumFilesize
        Add-Member -InputObject $result -MemberType NoteProperty -Name "EventOldest" -Value $EventOldest
        Add-Member -InputObject $result -MemberType NoteProperty -Name "EventNewest" -Value $EventNewest
        $results += $result
    }
    return $results | Select-Object Server, LogName, LogType, EventOldest, EventNewest, "CurrentFileSize", "MaximumFileSize", LogMode, IsEnabled
}
function Set-EmailHead($FormattingOptions) {
    $Head = "<style>" +
    "BODY{background-color:white;font-family:$($FormattingOptions.FontFamily);font-size:$($FormattingOptions.FontSize)}" +
    "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse}" +
    "TH{border-width: 1px;padding: 3px;border-style: solid;border-color: black;background-color:`"#00297A`";font-color:white}" +
    "TD{border-width: 1px;padding-right: 2px;padding-left: 2px;padding-top: 0px;padding-bottom: 0px;border-style: solid;border-color: black;background-color:white}" +
    "H2{font-family:$($FormattingOptions.FontHeadingFamily);font-size:$($FormattingOptions.FontHeadingSize)}" +
    "P{font-family:$($FormattingOptions.FontFamily);font-size:$($FormattingOptions.FontSize)}" +
    "</style>"
    return $Head
}
function Set-EmailBody($TableData, $TableWelcomeMessage) {
    $body = "<p><i>$TableWelcomeMessage</i>"
    if ($($TableData | Measure-Object).Count -gt 0) {
        $body += $TableData | ConvertTo-Html | Out-String
        $body = $body -replace " Added", "<font color=`"green`"><b> Added</b></font>"
        $body = $body -replace " Removed", "<font color=`"red`"><b> Removed</b></font>"
        $body = $body -replace " Deleted", "<font color=`"red`"><b> Deleted</b></font>"
        $body = $body -replace " Changed", "<font color=`"blue`"><b> Changed</b></font>"
        $body = $body -replace " Change", "<font color=`"blue`"><b> Change</b></font>"
        $body = $body -replace " Disabled", "<font color=`"red`"><b> Disabled</b></font>"
        $body = $body -replace " Enabled", "<font color=`"green`"><b> Enabled</b></font>"
        $body = $body -replace " Locked out", "<font color=`"red`"><b> Locked out</b></font>"
        $body = $body -replace " Lockouts", "<font color=`"red`"><b> Lockouts</b></font>"
        $body = $body -replace " Unlocked", "<font color=`"green`"><b> Unlocked</b></font>"
        $body = $body -replace " Reset", "<font color=`"blue`"><b> Reset</b></font>"
        $body += "</p>"
    } else {
        $body += "<br><i>No changes happend during that period.</i></p>"
    }
    return $body
}
function Set-EmailReportBrading($FormattingOptions) {
    $Report = "<a style=`"text-decoration:none`" href=`"$($FormattingOptions.CompanyBranding.Link)`" class=`"clink logo-container`">" +
    #"<img width=171 height=15 src=`"$($FormattingOptions.CompanyLogo)`" border=`"0`" class=`"company-logo`" alt=`"company-logo`">" +
    "<img width=<fix> height=<fix> src=`"$($FormattingOptions.CompanyBranding.Logo)`" border=`"0`" class=`"company-logo`" alt=`"company-logo`">" +
    "</a>"
    if ($FormattingOptions.CompanyBranding.Width -ne "") {
        $report = $report -replace "width=<fix>", "width=$($FormattingOptions.CompanyBranding.Width)"
    } else {
        $report = $report -replace "width=<fix>", ""
    }
    if ($FormattingOptions.CompanyBranding.Height -ne "") {
        $report = $report -replace "height=<fix>", "height=$($FormattingOptions.CompanyBranding.Height)"
    } else {
        $report = $report -replace "height=<fix>", ""
    }
    return $Report
}
function Set-EmailReportDetails($FormattingOptions, $Dates) {
    $DateReport = get-date
    # HTML Report settings
    $Report = "<p style=`"background-color:white;font-family:$($FormattingOptions.FontFamily);font-size:$($FormattingOptions.FontSize)`">" +
    "<strong>Report Time:</strong> $DateReport <br>" +
    "<strong>Report Period:</strong> $($Dates.DateFrom) to $($Dates.DateTo) <br>" +
    "<strong>Account Executing Report :</strong> $env:userdomain\$($env:username.toupper()) on $($env:ComputerName.toUpper())" +
    "</p>"
    return $Report
}
function Start-Report([hashtable] $Dates, [hashtable] $EmailParameters, [hashtable] $ReportOptions, [hashtable] $FormattingOptions, $Servers) {
    # Declare variables
    $EventLogTable = @()
    $GroupsEventsTable = @()
    $UsersEventsTable = @()
    $UsersEventsStatusesTable = @()
    $UsersLockoutsTable = @()
    $LogonEvents = @()
    $RebootEventsTable = @()
    $TableGroupPolicyChanges = @()
    $TableEventLogClearedLogs = @()
    $ServersTable = @()

    # Prepare email body
    $EmailBody = Set-EmailHead  -FormattingOptions $FormattingOptions
    $EmailBody += Set-EmailReportBrading -FormattingOptions $FormattingOptions
    $EmailBody += Set-EmailReportDetails -FormattingOptions $FormattingOptions -Dates $Dates

    # Load all events if required
    if ($ReportOptions.IncludeDomainControllers -eq $true) {
        foreach ($server in $servers) {
            if ($server.OperatingSystem -like "*2003*" -or $server.OperatingSystem -like "*2000*") {
                #Add-Member -InputObject $server -MemberType NoteProperty -Name "Supported" -Value "No"
                $server.Supported = "No"
            } else {
                #Add-Member -InputObject $server -MemberType NoteProperty -Name "Supported" -Value "Yes"
                $server.Supported = "Yes"
            }
        }
        $ServersTable = $Servers
    }
    $Servers = $Servers | Where-Object { $_.OperatingSystem -notlike "*2003*" -and $_.OperatingSystem -notlike "*2000*" }
    $Servers = $Servers.Hostname

    If ($ReportOptions.IncludeClearedLogs -eq $true) {
        Write-Color @Global:WriteParameters "[i] Running ", "Who Cleared Logs Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
        $TableEventLogClearedLogs = Get-EventLogClearedLogs -Servers $Servers -Dates $Dates
        Write-Color @Global:WriteParameters "[i] Ending ", "Who Cleared Logs Report", " for dates from: ", "$($Dates.DateFrom)", " to: ", "$($Dates.DateTo)", "." -Color White, Green, White, Green, White, Green, White
    }
    If ($ReportOptions.IncludeEventLogSize.Use -eq $true) {
        foreach ($LogName in $ReportOptions.IncludeEventLogSize.Logs) {
            Write-Color @Global:WriteParameters "[i] Running ", "Event Log Size Report", " for event log ", "$LogName" -Color White, Green, White, Yellow
            $EventLogTable += Get-EventLogSize -Servers $Servers -LogName $LogName
            Write-Color @Global:WriteParameters "[i] Ending ", "Event Log Size Report for event log ", "$LogName" -Color White, White, Yellow
        }
        if ($ReportOptions.IncludeEventLogSize.SortBy -ne "") { $EventLogTable = $EventLogTable | Sort-Object $ReportOptions.IncludeEventLogSize.SortBy }
    }
    if ($ReportOptions.IncludeGroupEvents -eq $true) {
        $GroupsEventsTable = Get-GroupMembershipChanges -Servers $Servers -Dates $Dates -ReportOptions $ReportOptions
    }
    if ($ReportOptions.IncludeUserEvents -eq $true) {
        $UsersEventsTable = Get-UserChanges -Servers $Servers -Dates $Dates -ReportOptions $ReportOptions
    }
    if ($ReportOptions.IncludeUserStatuses -eq $true) {
        $UsersEventsStatusesTable = Get-UserStatuses -Servers $Servers -Dates $Dates -ReportOptions $ReportOptions
    }
    If ($ReportOptions.IncludeUserLockouts -eq $true) {
        $UsersLockoutsTable = Get-UserLockouts -Servers $Servers -Dates $Dates -ReportOptions $ReportOptions
    }
    if ($ReportOptions.IncludeLogonEvents -eq $true) {
        $LogonEvents = Get-LogonEvents -Servers $Servers -Dates $Dates -ReportOptions $ReportOptions
    }
    if ($ReportOptions.IncludeDomainControllersReboots -eq $true) {
        $RebootEventsTable = Get-RebootEvents -Servers $Servers -Dates $Dates -ReportOptions $ReportOptions
    }
    if ($ReportOptions.IncludeGroupPolicyChanges -eq $true) {
        $TableGroupPolicyChanges = Get-GroupPolicyChanges -Servers $Servers -Dates $Dates -ReportOptions $ReportOptions
    }
    # prepare body with HTML
    if ($ReportOptions.AsHTML) {
        if ($ReportOptions.IncludeDomainControllers -eq $true) {
            $EmailBody += Set-Emailbody -TableData $ServersTable -TableWelcomeMessage "Following servers have been processed for events"
        }
        If ($ReportOptions.IncludeClearedLogs -eq $true) {
            $EmailBody += Set-Emailbody -TableData $TableEventLogClearedLogs -TableWelcomeMessage "Following events regarding cleaning logs have occured"
        }
        If ($ReportOptions.IncludeEventLogSize.Use -eq $true) {
            $EmailBody += Set-EmailBody -TableData $EventLogTable -TableWelcomeMessage "Following event log sizes were reported"
        }
        if ($ReportOptions.IncludeGroupEvents -eq $true) {
            $EmailBody += Set-EmailBody -TableData $GroupsEventsTable -TableWelcomeMessage "The membership of those groups below has changed"
        }
        if ($ReportOptions.IncludeUserEvents -eq $true) {
            $EmailBody += Set-EmailBody -TableData $UsersEventsTable -TableWelcomeMessage "Following user changes happend"
        }
        if ($ReportOptions.IncludeUserStatuses -eq $true) {
            $EmailBody += Set-EmailBody -TableData $UsersEventsStatusesTable -TableWelcomeMessage "Following user status happend"
        }
        If ($ReportOptions.IncludeUserLockouts -eq $true) {
            $EmailBody += Set-EmailBody -TableData $UsersLockoutsTable -TableWelcomeMessage "Following user lockouts happend"
        }
        if ($ReportOptions.IncludeLogonEvents -eq $true) {
            $EmailBody += Set-EmailBody -TableData $LogonEvents -TableWelcomeMessage "Following logon events happend"
        }
        if ($ReportOptions.IncludeDomainControllersReboots -eq $true) {
            $EmailBody += Set-EmailBody -TableData $RebootEventsTable -TableWelcomeMessage "Following reboot related events happened"
        }
        if ($ReportOptions.IncludeGroupPolicyChanges -eq $true) {
            $EmailBody += Set-EmailBody -TableData $TableGroupPolicyChanges -TableWelcomeMessage "Following group policy changes happend"
        }
    }
    $Reports = @()
    If ($ReportOptions.AsExcel) {
        $ReportFilePathXLSX = Set-ReportFileName -ReportOptions $ReportOptions -ReportExtension "xlsx"
        Export-ReportToXLSX -Report $ReportOptions.IncludeDomainControllers -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName "Processed Servers" -ReportTable $ServersTable
        Export-ReportToXLSX -Report $ReportOptions.IncludeClearedLogs -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName "Clear Log Events" -ReportTable $TableEventLogClearedLogs
        Export-ReportToXLSX -Report $ReportOptions.IncludeEventLogSize.Use -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName "Event log sizes" -ReportTable $EventLogTable
        Export-ReportToXLSX -Report $ReportOptions.IncludeGroupEvents -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName "Group Membership Changes"  -ReportTable $GroupsEventsTable
        Export-ReportToXLSX -Report $ReportOptions.IncludeUserEvents -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName  "User Changes" -ReportTable $UsersEventsTable
        Export-ReportToXLSX -Report $ReportOptions.IncludeUserStatuses -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName  "User Status Changes" -ReportTable $UsersEventsStatusesTable
        Export-ReportToXLSX -Report $ReportOptions.IncludeUserLockouts -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName "User Lockouts" -ReportTable $UsersLockoutsTable
        Export-ReportToXLSX -Report $ReportOptions.IncludeLogonEvents -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName "User Logon Events" -ReportTable $LogonEvents
        Export-ReportToXLSX -Report $ReportOptions.IncludeDomainControllersReboots -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName "Troubleshooting Reboots" -ReportTable $RebootEventsTable
        Export-ReportToXLSX -Report $ReportOptions.IncludeGroupPolicyChanges -ReportOptions $ReportOptions -ReportFilePath $ReportFilePathXLSX -ReportName "Group Policy Changes" -ReportTable $TableGroupPolicyChanges
        $Reports += $ReportFilePathXLSX
    }
    If ($ReportOptions.AsCSV) {
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeDomainControllers -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportServers" -ReportTable $ServersTable
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeClearedLogs -ReportOptions $ReportOptions -Extension "csv" -ReportName "IncludeClearedLogs" -ReportTable $TableEventLogClearedLogs
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeEventLogSize.Use -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportEventLogSize" -ReportTable $EventLogTable
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeGroupEvents -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportGroupEvents" -ReportTable $GroupsEventsTable
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeUserEvents -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportUserEvents" -ReportTable $UsersEventsTable
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeUserStatuses -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportUserStatuses" -ReportTable $UsersEventsStatusesTable
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeUserLockouts -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportUserLockouts" -ReportTable $UsersLockoutsTable
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeLogonEvents -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportUserLogons" -ReportTable $LogonEvents
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeDomainControllersReboots -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportReboots" -ReportTable $RebootEventsTable
        $Reports += Export-ReportToCSV -Report $ReportOptions.IncludeGroupPolicyChanges -ReportOptions $ReportOptions -Extension "csv" -ReportName "ReportGroupPolicyChanges" -ReportTable $TableGroupPolicyChanges
    }
    $Reports = $Reports |  Where-Object { $_ } | Sort-Object -Uniq

    # Sending email - finalizing package
    if ($ReportOptions.SendMail -eq $true) {
        $TemporarySubject = $EmailParameters.EmailSubject -replace "<<DateFrom>>", "$($Dates.DateFrom)" -replace "<<DateTo>>", "$($Dates.DateTo)"
        Write-Color @Global:WriteParameters "[i] Sending email with reports..." -Color White, Green -NoNewLine
        $SendMail = Send-Email -EmailParameters $EmailParameters -Body $EmailBody -Attachment $Reports -Subject $TemporarySubject
        if ($SendMail.Status -eq $True) {
            Write-Color "Success!" -Color Green
        } else {
            Write-Color "Not working!" -Color Red
            Write-Color @Global:WriteParameters "[i] Error: ", "$($SendMail.Error)" -Color White, Red
        }
    } else {
        Write-Color @Global:WriteParameters "[i] Skipping sending email with reports...", "as per configuration!" -Color White, Green
    }

    Remove-ReportsFiles -KeepReports $ReportOptions.KeepReports -AsExcel $ReportOptions.AsExcel -AsCSV $ReportOptions.AsCSV -ReportFiles $Reports
}

function Remove-ReportsFiles ($KeepReports, $AsExcel, $AsCSV, $ReportFiles) {
    if ($KeepReports -eq $false -and ($AsExcel -eq $true -or $AsCSV -eq $true)) {
        foreach ($report in $ReportFiles) {
            if (Test-Path $report) {
                Write-Color @Global:WriteParameters "[i] ", "Removing file ", " $report " -Color White, White, Yellow, White, Red
                try {
                    Remove-Item $report -ErrorAction Stop
                } catch {
                    #Write-Color @Global:WriteParameters "[i] Error reported when removing file ", "$Report", ". File will be skipped..." -Color White, Red, White
                    Write-Color @Global:WriteParameters "[i] Error: ", "$($_.Exception.Message)" -Color White, Red
                }
            }
        }
    }
}
function Export-ReportToXLSX ($Report, $ReportOptions, $ReportFilePath, $ReportName, $ReportTable) {
    if ($Report -eq $true) {
        $ReportTable | Export-Excel -Path $ReportFilePath -WorkSheetname $ReportName -AutoSize -FreezeTopRow -AutoFilter
        return
    } else {
        return
    }
}
function Export-ReportToCSV ($Report, $ReportOptions, $Extension, $ReportName, $ReportTable) {
    if ($Report -eq $true) {
        $ReportFilePath = Set-ReportFileName -ReportOptions $ReportOptions -ReportExtension $Extension -ReportName $ReportName
        $ReportTable | Export-Csv -Encoding Unicode -Path $ReportFilePath
        return $ReportFilePath
    } else {
        return ""
    }
}
function Get-Servers($ReportOptions) {
    $Servers = @()
    if ($ReportOptions.OnlyPrimaryDC -eq $true) { $ServerOptions = @{ Server = (get-addomain).pdcemulator; ErrorAction = "Stop" }
    } else { $ServerOptions = @{ Filter = "*"; ErrorAction = "Stop" }
    }
    try {
        $Servers = Get-ADDomainController @ServerOptions | Select-Object HostName, Ipv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem, Site, Enabled, Supported #, EventsFound
    } catch {
        if ($_.Exception -match "Unable to find a default server with Active Directory Web Services running.") {
            Write-Color @Global:WriteParameters "[-] ", "Active Directory", " not found. Please run this script with access to ", "Domain Controllers." -Color White, Red, White, Red
        }
        Write-Color @Global:WriteParameters "[i] Error: ", "$($_.Exception.Message)" -Color White, Red
    }
    return $Servers
}
function Start-Reporting ($EmailParameters, $ReportOptions, $FormattingOptions, $ScriptParameters) {
    $Test1 = Test-Key -ConfigurationTable $ScriptParameters -ConfigurationSection "" -ConfigurationKey "ShowTime" -DisplayProgress $false
    $Test2 = Test-Key -ConfigurationTable $ScriptParameters -ConfigurationSection "" -ConfigurationKey "LogFile" -DisplayProgress $false
    $Test3 = Test-Key -ConfigurationTable $ScriptParameters -ConfigurationSection "" -ConfigurationKey "TimeFormat" -DisplayProgress $false
    if ($Test1 -and $Test2 -and $Test3) { $global:WriteParameters = $ScriptParameters }
    Test-Prerequisite $EmailParameters $ReportOptions $FormattingOptions
    if ($ReportOptions.JustTestPrerequisite -ne $null -and $ReportOptions.JustTestPrerequisite -eq $true) {
        Exit
    }
    $Servers = Get-Servers $ReportOptions
    # Report Per Hour
    if ($ReportOptions.ReportPastHour -eq $true) {
        $DatesPastHour = Find-DatesPastHour

        if ($DatesPastHour -ne $null) {
            Start-Report -Dates $DatesPastHour $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    if ($ReportOptions.ReportCurrentHour -eq $true) {
        $DatesCurrentHour = Find-DatesCurrentHour
        if ($DatesCurrentHour -ne $null) {
            Start-Report -Dates $DatesCurrentHour $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    # Report Per Day
    if ($ReportOptions.ReportPastDay -eq $true) {
        $DatesDayPrevious = Find-DatesDayPrevious

        if ($DatesDayPrevious -ne $null) {
            Start-Report -Dates $DatesDayPrevious $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    if ($ReportOptions.ReportCurrentDay -eq $true) {
        $DatesDayToday = Find-DatesDayToday
        if ($DatesDayToday -ne $null) {
            Start-Report -Dates $DatesDayToday $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    # Report Per Week
    if ($ReportOptions.ReportOnDay.Use -eq $true) {
        foreach ($Day in $ReportOptions.ReportOnDay.Days) {
            $DatesReportOnDay = Find-DatesPastWeek $Day
            if ($DatesReportOnDay -ne $null) {
                Start-Report -Dates $DatesReportOnDay $EmailParameters $ReportOptions $FormattingOptions $Servers
            }
        }
    }
    # Report Per Month
    if ($ReportOptions.ReportPastMonth.Use -eq $true -or $ReportOptions.ReportPastMonth.Force -eq $true) {
        $DatesMonthPrevious = Find-DatesMonthPast -Force $ReportOptions.ReportPastMonth.Force     # Find-DatesMonthPast runs only on 1st of the month unless -Force is used
        if ($DatesMonthPrevious -ne $null) {
            Start-Report -Dates $DatesMonthPrevious -EmailParameters $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    if ($ReportOptions.ReportCurrentMonth -eq $true) {

        $DatesMonthCurrent = Find-DatesMonthCurrent
        if ($DatesMonthCurrent -ne $null) {
            Start-Report -Dates $DatesMonthCurrent $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    # Report Per Quarter
    if ($ReportOptions.ReportPastQuarter.Use -eq $true -or $ReportOptions.ReportPastQuarter.Force -eq $true) {
        $DatesQuarterLast = Find-DatesQuarterLast -Force $ReportOptions.ReportPastQuarter.Force  # Find-DatesMonthPast runs only on 1st of the quarter unless -Force is used
        if ($DatesQuarterLast -ne $null) {
            Start-Report -Dates $DatesQuarterLast $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    if ($ReportOptions.ReportCurrentQuarter -eq $true) {
        $DatesQuarterCurrent = Find-DatesQuarterCurrent
        if ($DatesQuarterCurrent -ne $null) {
            Start-Report -Dates $DatesQuarterCurrent $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    # Report Custom
    if ($ReportOptions.ReportCurrentDayMinusDayX.Use -eq $true) {
        $DatesCurrentDayMinusDayX = Find-DatesCurrentDayMinusDayX $ReportOptions.ReportCurrentDayMinusDayX.Days
        if ($DatesCurrentDayMinusDayX -ne $null) {
            Start-Report -Dates $DatesCurrentDayMinusDayX $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    if ($ReportOptions.ReportCurrentDayMinuxDaysX.Use -eq $true) {
        $DatesCurrentDayMinusDaysX = Find-DatesCurrentDayMinuxDaysX $ReportOptions.ReportCurrentDayMinuxDaysX.Days
        if ($DatesCurrentDayMinusDaysX -ne $null) {
            Start-Report -Dates $DatesCurrentDayMinusDaysX $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }
    if ($ReportOptions.ReportCustomDate.Use -eq $true) {
        $DatesCustom = @{
            DateFrom = $ReportOptions.ReportCustomDate.DateFrom
            DateTo = $ReportOptions.ReportCustomDate.DateTo
        }
        if ($DatesCustom -ne $null) {
            Start-Report -Dates $DatesCustom $EmailParameters $ReportOptions $FormattingOptions $Servers
        }
    }

}

Posty powiązane