Solved

script to audit active directory administrator account

Posted on 2011-09-14
13
869 Views
Last Modified: 2013-12-04
Hi,

i need to audit my Active directory  administrator account.

i need to now if possible:

1-last logon of this account

2-i need to now when this account logon and the Source Network Address IP (information In security event) in 10 servers.

if possible the script generate a report and send it by mail.

thanks
0
Comment
Question by:cawasaki
  • 6
  • 3
13 Comments
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535495
well for starters what version of server are you running?
i
0
 

Author Comment

by:cawasaki
ID: 36535508
Windows 2008 SP2
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535530
Okay and do you have auditing enabled?
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:cawasaki
ID: 36535554
security event yes by default
0
 

Author Comment

by:cawasaki
ID: 36553829
up
0
 

Author Comment

by:cawasaki
ID: 36573359
any help in this question plz?
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36577874
Ok, is it possible you have a windows 7 client we can run the event log scanner on? (32bit)  It will need access to the server logs you are wanting to monitor. I am trying to correctly read the security log, but for some reason it keeps reading the application log.....no guarantees, but I am trying
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 36577929
Put your computers ip's or name's in the array(computer1, computer2 etc...)
Also replace "domain\\userName" with your domain and username your looking for, you must have two \\'s for it to work. Run this script with an account that is listed as a local administrator for each machine, doesn't have to be the domain admin, using a common admin account is good enough.
I could probably get the script to output to CSV, but that's about all I know how to do.
If you want to narrow down the results further, you can add a few more Boolean's to the query... like failed events only:

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User =  'domain\\userName' and EventType = 5"
That would find only failure events.
Unfortunately you don't get the IP from this particular query, depending on OS (XP/Vista?2003/2008/win7) you need the whole log, or at least more of the events. I'll write something up tomorrow that will be more complete.
-rich
On Error Resume Next
arrComputers = Array("computer1, computer2, computer3")
For Each strComputer In arrComputers

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")   
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User =  'domain\\userName' ",,48)
   For Each objItem In colItems
      WScript.Echo "Category: " & objItem.Category
      WScript.Echo "CategoryString: " & objItem.CategoryString
      WScript.Echo "ComputerName: " & objItem.ComputerName
      strData = Join(objItem.Data, ",")
         WScript.Echo "Data: " & strData
      WScript.Echo "EventCode: " & objItem.EventCode
      WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
      WScript.Echo "EventType: " & objItem.EventType
      WScript.Echo "Message: " & objItem.Message
      WScript.Echo "SourceName: " & objItem.SourceName
      WScript.Echo "TimeGenerated: " & WMIDateStringToDate(objItem.TimeGenerated)
      WScript.Echo "Type: " & objItem.Type
      WScript.Echo "User: " & objItem.User
      WScript.Echo
   Next
Next


Function WMIDateStringToDate(dtmDate)
WScript.Echo dtm: 
	WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
	Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
	& " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function

Open in new window

0
 

Author Comment

by:cawasaki
ID: 36593155
hi,

i will test andreport the result.

thanks
0
 

Author Closing Comment

by:cawasaki
ID: 36936237
thanks
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question