Windows reference

PowerShell-first diagnostics for Windows Server and AD.

Find failed logins

Problem · Investigate authentication failures on a server.

Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} -MaxEvents 20

What the output means

Event ID 4625 = failed logon; the message shows account, source and failure reason.

Common traps

4625 is failure, 4624 is success. Audit policy must be enabled to capture them.
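
An added example (not part of the original reference): it pulls the account, source address and failure reason out of 4625 records and counts repeats, so a hammered account or a noisy source stands out. The function name ConvertFrom-FailedLogonXml and the SubStatus lookup table are this example's own, and the sample XML is constructed and trimmed to four fields.

```powershell
# SubStatus NTSTATUS codes commonly seen in 4625, mapped to short text.
$SubStatusText = @{
    '0xc0000064' = 'unknown user name'
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
    '0xc0000193' = 'account expired'
}

function ConvertFrom-FailedLogonXml {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # Flatten the <Data Name="..."> elements into a name/value lookup.
        $data = @{}
        foreach ($node in ([xml]$EventXml).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        $code = "$($data['SubStatus'])".ToLower()
        [pscustomobject]@{
            Account   = $data['TargetUserName']
            SourceIp  = $data['IpAddress']
            LogonType = $data['LogonType']
            Reason    = if ($SubStatusText.ContainsKey($code)) { $SubStatusText[$code] } else { "other ($code)" }
        }
    }
}

# Constructed sample records (not real log data), trimmed to the fields used here.
# On a live host, replace $sample with:
#   Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} -MaxEvents 200 | ForEach-Object { $_.ToXml() }
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
    '<Data Name="TargetUserName">{0}</Data><Data Name="IpAddress">{1}</Data>' +
    '<Data Name="LogonType">{2}</Data><Data Name="SubStatus">{3}</Data></EventData></Event>'
$sample = @(
    ($template -f 'svc-backup', '192.0.2.10', 3,  '0xC000006A'),
    ($template -f 'svc-backup', '192.0.2.10', 3,  '0xC000006A'),
    ($template -f 'admin',      '192.0.2.77', 10, '0xC0000064'),
    ($template -f 'jdoe',       '-',          2,  '0xC0000234')
)

# Repeated account/source/reason combinations sort to the top.
$sample | ConvertFrom-FailedLogonXml |
    Group-Object Account, SourceIp, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```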

Check service failures

Problem · A Windows service won't start or keeps stopping.

Get-Service <name>
Get-WinEvent -FilterHashtable @{LogName='System';Id=7000,7031,7034} -MaxEvents 50
sc.exe qc <name>

What the output means

System log SCM events (7000/7031/7034) explain start failures and crashes.

Common traps

A wrong service-account password or missing dependency is a common silent cause.

Inspect event logs

Problem · You need relevant events, not the whole firehose.

Get-WinEvent -LogName Application -MaxEvents 50
Get-WinEvent -FilterHashtable @{LogName='System';Level=2}

What the output means

Level=2 is Error. Filter by log, level, and ID rather than scrolling.

Common traps

Application/System/Security/Setup are separate streams — check the right one.

Test DNS and AD connectivity

Problem · A domain-joined box is misbehaving.

Resolve-DnsName <name>
nltest /dsgetdc:<domain>
w32tm /query /status
Test-ComputerSecureChannel

What the output means

DNS SRV records locate DCs; time must be in sync; the secure channel must be healthy.

Common traps

No DNS = no AD. Clock skew > 5 min breaks Kerberos. 'trust relationship failed' = secure channel.

Track: Windows Server

Check GPO application

Problem · A policy isn't taking effect on a machine.

gpresult /r
gpupdate /force
gpresult /h report.html

What the output means

gpresult shows applied/denied GPOs and why (scope, security filtering, WMI).

Common traps

OUs (not security groups) are GPO targets; processing order is Local, Site, Domain, OU (L-S-D-OU).

Basic PowerShell diagnostics

Problem · Quick health checks on a Windows box.

Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
Get-CimInstance Win32_LogicalDisk | Select-Object DeviceID,FreeSpace,Size
Test-NetConnection <host> -Port 443

What the output means

Objects, not text — sort/select on real properties; Test-NetConnection checks a port, not just ping.

Common traps

Don't pipe Format-* into Export-Csv — formatting breaks the object pipeline.