Solved

script to audit active directory administrator account

Posted on 2011-09-14
Last Modified: 2013-12-04
Hi,

I need to audit my Active Directory administrator account.

I need to know, if possible:

1. The last logon of this account.

2. When this account logged on, and the Source Network Address IP (information in the Security event log), on 10 servers.

If possible, the script should generate a report and send it by mail.

Thanks
Question by:cawasaki
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535495
Well, for starters, what version of server are you running?
Author Comment

by:cawasaki
ID: 36535508
Windows 2008 SP2
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535530
Okay and do you have auditing enabled?
Author Comment

by:cawasaki
ID: 36535554
Security events, yes, by default.

Author Comment

by:cawasaki
ID: 36553829
up

Author Comment

by:cawasaki
ID: 36573359
Any help with this question, please?
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36577874
OK, is it possible you have a Windows 7 client (32-bit) we can run the event log scanner on? It will need access to the server logs you are wanting to monitor. I am trying to correctly read the security log, but for some reason it keeps reading the application log... No guarantees, but I am trying.
LVL 38

Accepted Solution

by: Rich Rumble (earned 2000 total points)
ID: 36577929
Put your computers' IPs or names in the array (computer1, computer2, etc.).
Also replace "domain\\userName" with your domain and the username you're looking for; you must have two \\'s for it to work. Run this script with an account that is listed as a local administrator on each machine. It doesn't have to be the domain admin; using a common admin account is good enough.
I could probably get the script to output to CSV, but that's about all I know how to do.
If you want to narrow down the results further, you can add a few more Booleans to the query, like failed events only:

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User = 'domain\\userName' AND EventType = 5

That would find only failure events.
Unfortunately you don't get the IP from this particular query; depending on the OS (XP/Vista/2003/2008/Win7) you need the whole log, or at least more of the events. I'll write something up tomorrow that will be more complete.
-rich
' Computers to audit: one quoted name (or IP) per array element.
arrComputers = Array("computer1", "computer2", "computer3")
' Account to report on, as DOMAIN\user; the backslash must be doubled inside the WQL string.
strUser = "domain\\userName"

On Error Resume Next
For Each strComputer In arrComputers
    ' The (Security) privilege is required to read the Security log remotely.
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        WScript.Echo "Could not connect to " & strComputer & ": " & Err.Description
        Err.Clear
    Else
        ' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly (semisynchronous, low memory)
        Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User = '" & strUser & "'",,48)
        For Each objItem In colItems
            WScript.Echo "Category: " & objItem.Category
            WScript.Echo "CategoryString: " & objItem.CategoryString
            WScript.Echo "ComputerName: " & objItem.ComputerName
            ' Data is a byte array and is often Null; Join() fails on Null.
            If IsNull(objItem.Data) Then
                strData = ""
            Else
                strData = Join(objItem.Data, ",")
            End If
            WScript.Echo "Data: " & strData
            WScript.Echo "EventCode: " & objItem.EventCode
            WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
            WScript.Echo "EventType: " & objItem.EventType
            WScript.Echo "Message: " & objItem.Message
            WScript.Echo "SourceName: " & objItem.SourceName
            WScript.Echo "TimeGenerated: " & WMIDateStringToDate(objItem.TimeGenerated)
            WScript.Echo "Type: " & objItem.Type
            WScript.Echo "User: " & objItem.User
            WScript.Echo
        Next
    End If
Next

' Convert a WMI datetime (yyyymmddHHMMSS.ffffff+zzz) to a VBScript Date.
' The UTC offset at the end is ignored; the result is in the event's local time.
Function WMIDateStringToDate(dtmDate)
    WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
        Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
        & " " & Mid(dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate, 13, 2))
End Function

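An added example, not part of Rich Rumble's answer or the original thread, that covers both halves of the question the WMI script above does not reach: the account's last logon as recorded on each domain controller, and the Source Network Address of each logon on the listed servers, written to a CSV and mailed. It uses PowerShell 2.0 or later (available for Windows Server 2008 SP2 as an update) and assumes the servers run Windows Server 2008 or later, so successful logons are event ID 4624; on 2003/XP the event IDs and fields differ, as the answer above notes. The server names, account, domain and mail settings are placeholders.

```powershell
# Added example, not code from the original thread. Audits one account with
# PowerShell 2.0 or later. Assumptions (all placeholders, change them): the
# servers run Windows Server 2008 or later, so successful logons are event ID
# 4624; the account running this is a local administrator on each server and
# can reach the remote event log service; the SMTP host relays for the sender.
param(
    [string]   $Account  = 'Administrator',
    [string]   $Domain   = 'CONTOSO',   # NetBIOS domain name as shown in TargetDomainName
    [string[]] $Servers  = @('server01', 'server02', 'server03'),
    [int]      $Days     = 7,
    [string]   $Report   = "$env:TEMP\admin-logon-audit.csv",
    [string]   $SmtpHost = 'smtp.contoso.local',
    [string]   $MailTo   = 'secops@contoso.local',
    [string]   $MailFrom = 'audit@contoso.local'
)

# ---- 1. Last logon according to every domain controller -------------------
# lastLogon is written only on the DC that handled the authentication and is
# not replicated, so every DC has to be asked and the newest value wins.
# (lastLogonTimestamp is replicated but may lag by up to 14 days.)
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    ForEach-Object { $_.Name }

$lastLogon = foreach ($dc in $dcs) {
    try {
        $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
            -ArgumentList ([ADSI]"LDAP://$dc/$domainDn"), "(&(objectCategory=person)(sAMAccountName=$Account))"
        [void]$searcher.PropertiesToLoad.Add('lastLogon')
        $r = $searcher.FindOne()
        # lastLogon is a FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means never.
        $raw  = if ($r -and $r.Properties['lastlogon'].Count -gt 0) { [int64]$r.Properties['lastlogon'][0] } else { 0 }
        $when = if ($raw -gt 0) { [DateTime]::FromFileTime($raw) } else { $null }
        New-Object PSObject -Property @{ DC = $dc; LastLogon = $when }
    } catch {
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# ---- 2. Logon events on each server, with the source address ---------------
# Event 4624 carries the caller's address in the IpAddress field (rendered as
# "Source Network Address" in the message). Fields are read from the event XML
# rather than regex-matched out of the localized Message text.
$since  = (Get-Date).AddDays(-$Days)
$logons = @(foreach ($server in $Servers) {
    try {
        $events = Get-WinEvent -ComputerName $server -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $since }
    } catch {
        # Also raised when the log simply has no 4624 events in the window.
        Write-Warning "$server : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Account -or $data['TargetDomainName'] -ne $Domain) { continue }
        New-Object PSObject -Property @{
            Server      = $server
            Time        = $e.TimeCreated
            LogonType   = $data['LogonType']        # 2 interactive, 3 network, 10 RDP
            SourceIP    = $data['IpAddress']        # '-' or '::1' for purely local logons
            Workstation = $data['WorkstationName']
            Process     = $data['ProcessName']
        }
    }
})

# ---- 3. Report and mail ----------------------------------------------------
$summary = $lastLogon | Sort-Object LastLogon -Descending | Format-Table DC, LastLogon -AutoSize | Out-String
Write-Host $summary
$body = "Last logon per domain controller:`n$summary`n"
$mail = @{ SmtpServer = $SmtpHost; From = $MailFrom; To = $MailTo
           Subject = "Logon audit: $Domain\$Account, $($logons.Count) logon(s) in $Days days" }
if ($logons.Count -gt 0) {
    $logons | Sort-Object Time |
        Select-Object Server, Time, LogonType, SourceIP, Workstation, Process |
        Export-Csv -Path $Report -NoTypeInformation
    $body += "Matching 4624 events are in the attached CSV."
    $mail['Attachments'] = $Report
} else {
    $body += "No 4624 events for this account were found on the listed servers."
}
Send-MailMessage @mail -Body $body
```

Two checks before trusting the output: confirm that success auditing for logon events is actually enabled on each server (the expert's question above), since a server that logs nothing looks identical to a server nobody logged on to; and read the LogonType column alongside SourceIP, because network logons (type 3) from the server's own address or from monitoring hosts are routine and only interactive and RDP logons (types 2 and 10) normally mean a person used the account.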

Author Comment

by:cawasaki
ID: 36593155
hi,

i will test andreport the result.

thanks

Author Closing Comment

by:cawasaki
ID: 36936237
thanks