Solved

script to audit active directory administrator account

Posted on 2011-09-14
13
868 Views
Last Modified: 2013-12-04
Hi,

i need to audit my Active directory  administrator account.

i need to now if possible:

1-last logon of this account

2-i need to now when this account logon and the Source Network Address IP (information In security event) in 10 servers.

if possible the script generate a report and send it by mail.

thanks
0
Comment
Question by:cawasaki
  • 6
  • 3
13 Comments
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535495
well for starters what version of server are you running?
i
0
 

Author Comment

by:cawasaki
ID: 36535508
Windows 2008 SP2
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535530
Okay and do you have auditing enabled?
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:cawasaki
ID: 36535554
security event yes by default
0
 

Author Comment

by:cawasaki
ID: 36553829
up
0
 

Author Comment

by:cawasaki
ID: 36573359
any help in this question plz?
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36577874
Ok, is it possible you have a windows 7 client we can run the event log scanner on? (32bit)  It will need access to the server logs you are wanting to monitor. I am trying to correctly read the security log, but for some reason it keeps reading the application log.....no guarantees, but I am trying
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 36577929
Put your computers ip's or name's in the array(computer1, computer2 etc...)
Also replace "domain\\userName" with your domain and username your looking for, you must have two \\'s for it to work. Run this script with an account that is listed as a local administrator for each machine, doesn't have to be the domain admin, using a common admin account is good enough.
I could probably get the script to output to CSV, but that's about all I know how to do.
If you want to narrow down the results further, you can add a few more Boolean's to the query... like failed events only:

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User =  'domain\\userName' and EventType = 5"
That would find only failure events.
Unfortunately you don't get the IP from this particular query, depending on OS (XP/Vista?2003/2008/win7) you need the whole log, or at least more of the events. I'll write something up tomorrow that will be more complete.
-rich
On Error Resume Next
arrComputers = Array("computer1, computer2, computer3")
For Each strComputer In arrComputers

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")   
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User =  'domain\\userName' ",,48)
   For Each objItem In colItems
      WScript.Echo "Category: " & objItem.Category
      WScript.Echo "CategoryString: " & objItem.CategoryString
      WScript.Echo "ComputerName: " & objItem.ComputerName
      strData = Join(objItem.Data, ",")
         WScript.Echo "Data: " & strData
      WScript.Echo "EventCode: " & objItem.EventCode
      WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
      WScript.Echo "EventType: " & objItem.EventType
      WScript.Echo "Message: " & objItem.Message
      WScript.Echo "SourceName: " & objItem.SourceName
      WScript.Echo "TimeGenerated: " & WMIDateStringToDate(objItem.TimeGenerated)
      WScript.Echo "Type: " & objItem.Type
      WScript.Echo "User: " & objItem.User
      WScript.Echo
   Next
Next


Function WMIDateStringToDate(dtmDate)
WScript.Echo dtm: 
	WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
	Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
	& " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function

Open in new window

0
 

Author Comment

by:cawasaki
ID: 36593155
hi,

i will test andreport the result.

thanks
0
 

Author Closing Comment

by:cawasaki
ID: 36936237
thanks
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question