Solved

script to audit active directory administrator account

Posted on 2011-09-14
13
866 Views
Last Modified: 2013-12-04
Hi,

i need to audit my Active directory  administrator account.

i need to now if possible:

1-last logon of this account

2-i need to now when this account logon and the Source Network Address IP (information In security event) in 10 servers.

if possible the script generate a report and send it by mail.

thanks
0
Comment
Question by:cawasaki
  • 6
  • 3
13 Comments
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535495
well for starters what version of server are you running?
i
0
 

Author Comment

by:cawasaki
ID: 36535508
Windows 2008 SP2
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535530
Okay and do you have auditing enabled?
0
 

Author Comment

by:cawasaki
ID: 36535554
security event yes by default
0
 

Author Comment

by:cawasaki
ID: 36553829
up
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:cawasaki
ID: 36573359
any help in this question plz?
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36577874
Ok, is it possible you have a windows 7 client we can run the event log scanner on? (32bit)  It will need access to the server logs you are wanting to monitor. I am trying to correctly read the security log, but for some reason it keeps reading the application log.....no guarantees, but I am trying
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 36577929
Put your computers ip's or name's in the array(computer1, computer2 etc...)
Also replace "domain\\userName" with your domain and username your looking for, you must have two \\'s for it to work. Run this script with an account that is listed as a local administrator for each machine, doesn't have to be the domain admin, using a common admin account is good enough.
I could probably get the script to output to CSV, but that's about all I know how to do.
If you want to narrow down the results further, you can add a few more Boolean's to the query... like failed events only:

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User =  'domain\\userName' and EventType = 5"
That would find only failure events.
Unfortunately you don't get the IP from this particular query, depending on OS (XP/Vista?2003/2008/win7) you need the whole log, or at least more of the events. I'll write something up tomorrow that will be more complete.
-rich
On Error Resume Next
arrComputers = Array("computer1, computer2, computer3")
For Each strComputer In arrComputers

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")   
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User =  'domain\\userName' ",,48)
   For Each objItem In colItems
      WScript.Echo "Category: " & objItem.Category
      WScript.Echo "CategoryString: " & objItem.CategoryString
      WScript.Echo "ComputerName: " & objItem.ComputerName
      strData = Join(objItem.Data, ",")
         WScript.Echo "Data: " & strData
      WScript.Echo "EventCode: " & objItem.EventCode
      WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
      WScript.Echo "EventType: " & objItem.EventType
      WScript.Echo "Message: " & objItem.Message
      WScript.Echo "SourceName: " & objItem.SourceName
      WScript.Echo "TimeGenerated: " & WMIDateStringToDate(objItem.TimeGenerated)
      WScript.Echo "Type: " & objItem.Type
      WScript.Echo "User: " & objItem.User
      WScript.Echo
   Next
Next


Function WMIDateStringToDate(dtmDate)
WScript.Echo dtm: 
	WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
	Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
	& " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function

Open in new window

0
 

Author Comment

by:cawasaki
ID: 36593155
hi,

i will test andreport the result.

thanks
0
 

Author Closing Comment

by:cawasaki
ID: 36936237
thanks
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now