How to Enable PowerShell Logging

What are some ways I can enable PowerShell logging?

PowerShell is a sophisticated management tool that can revolutionize the way you manage Windows Server. But with the power and capabilities that PowerShell has to offer also come risks. PowerShell logging is turned off by default, but there are two easy ways to enable logging so that you can get some insight into what commands are being executed and collect information for security forensics.

Enable logging from the command line

PowerShell logging is enabled per module. In this example I’ll show you how to enable logging for Active Directory cmdlets.

  • Log on to Windows Server 2012 with local administrative privileges.
  • Open a PowerShell window using the icon on the desktop Taskbar.
  • Type Import-Module ActiveDirectory and press Enter.
  • Type (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $true and press Enter. To disable logging for the Active Directory module, you would simply exchange $true for $false.

Now run an Active Directory cmdlet such as get-aduser –filter * -property *, and press Enter.

Once the cmdlet has returned a complete set of results, open Event Viewer from the Tools menu in Server Manager and expand Applications and Services Log, Microsoft, Windows, and PowerShell, then select the Operational log. You should see an event similar to that shown below, giving details of the command run, any specified parameters, and the user who executed the command.

Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.

PowerShell Event Log entry

Enable logging in Group Policy

If you want to enable logging on more than one server, it may be more convenient to use Group Policy to push out the necessary settings. In the Group Policy Management Editor, you can find the configuration settings for PowerShell under Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows Powershell.

The Group Policy Object (GPO) setting you need is called Turn on Module Logging. You can see in the figure below that I’ve enabled logging for the core modules as suggested (Microsoft.PowerShell.* and Microsoft.WSMan.Management), and specifically for the Active Directory module. Enabling logging for the core modules gives more detail in the event log when running the get-aduser cmdlet, such as to which AD objects the command binds. Once you’ve configured the policy setting and made sure the GPO is linked to an OU, you should reboot the affected server(s).

Configuring PowerShell logging in Group Policy

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: