Solved

script to audit active directory administrator account

Posted on 2011-09-14
13
871 Views
Last Modified: 2013-12-04
Hi,

i need to audit my Active directory  administrator account.

i need to now if possible:

1-last logon of this account

2-i need to now when this account logon and the Source Network Address IP (information In security event) in 10 servers.

if possible the script generate a report and send it by mail.

thanks
0
Comment
Question by:cawasaki
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
13 Comments
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535495
well for starters what version of server are you running?
i
0
 

Author Comment

by:cawasaki
ID: 36535508
Windows 2008 SP2
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36535530
Okay and do you have auditing enabled?
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:cawasaki
ID: 36535554
security event yes by default
0
 

Author Comment

by:cawasaki
ID: 36553829
up
0
 

Author Comment

by:cawasaki
ID: 36573359
any help in this question plz?
0
 
LVL 13

Expert Comment

by:5g6tdcv4
ID: 36577874
Ok, is it possible you have a windows 7 client we can run the event log scanner on? (32bit)  It will need access to the server logs you are wanting to monitor. I am trying to correctly read the security log, but for some reason it keeps reading the application log.....no guarantees, but I am trying
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 36577929
Put your computers ip's or name's in the array(computer1, computer2 etc...)
Also replace "domain\\userName" with your domain and username your looking for, you must have two \\'s for it to work. Run this script with an account that is listed as a local administrator for each machine, doesn't have to be the domain admin, using a common admin account is good enough.
I could probably get the script to output to CSV, but that's about all I know how to do.
If you want to narrow down the results further, you can add a few more Boolean's to the query... like failed events only:

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User =  'domain\\userName' and EventType = 5"
That would find only failure events.
Unfortunately you don't get the IP from this particular query, depending on OS (XP/Vista?2003/2008/win7) you need the whole log, or at least more of the events. I'll write something up tomorrow that will be more complete.
-rich
On Error Resume Next
arrComputers = Array("computer1, computer2, computer3")
For Each strComputer In arrComputers

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")   
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND User =  'domain\\userName' ",,48)
   For Each objItem In colItems
      WScript.Echo "Category: " & objItem.Category
      WScript.Echo "CategoryString: " & objItem.CategoryString
      WScript.Echo "ComputerName: " & objItem.ComputerName
      strData = Join(objItem.Data, ",")
         WScript.Echo "Data: " & strData
      WScript.Echo "EventCode: " & objItem.EventCode
      WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
      WScript.Echo "EventType: " & objItem.EventType
      WScript.Echo "Message: " & objItem.Message
      WScript.Echo "SourceName: " & objItem.SourceName
      WScript.Echo "TimeGenerated: " & WMIDateStringToDate(objItem.TimeGenerated)
      WScript.Echo "Type: " & objItem.Type
      WScript.Echo "User: " & objItem.User
      WScript.Echo
   Next
Next


Function WMIDateStringToDate(dtmDate)
WScript.Echo dtm: 
	WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
	Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
	& " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function

Open in new window

0
 

Author Comment

by:cawasaki
ID: 36593155
hi,

i will test andreport the result.

thanks
0
 

Author Closing Comment

by:cawasaki
ID: 36936237
thanks
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question