Tracking the usage of the DOMAIN\Administrator account in the Security logs of Domain Controllers

People,

How can I track down, in Event Viewer, where the DOMAIN\Administrator account is being used?

I need to perform the audit for PCI compliance and then change the password and rename this Administrator account, but so far I just want to know where it is being actively used.

Note: I have around 60 AD sites, one for each site office, and there are 6 domain controllers spread across the different subnets.

So any help and suggestion would be greatly appreciated.

Thanks.
Senior IT System Engineer, IT Professional, asked:

Benjamin Voglar, IT Pro, commented:
Hi.

I wrote a PowerShell script. I was looking for something else in Event Viewer in our company.

I modified it so that it now looks for Administrator in all Event Viewers in your AD.

$comp = Get-ADComputer -Filter *     # every computer object in the domain

Write-Output " "
Write-Output "Start"
Write-Output "______________________"

ForEach ($obj in $comp.DNSHostName) {

    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {

        # -like needs wildcards, otherwise only a message that is exactly "Administrator" matches.
        # Note that "*Administrator*" also matches references to the Administrators group.
        $Seznam = Get-WinEvent -LogName "System" -ComputerName $obj |
            Where-Object { $_.Message -like "*Administrator*" } |
            Select-Object MachineName, TimeCreated, Id, Message

        # Export-Csv -Append keeps the columns; Add-Content on objects only writes their type name
        $Seznam | Export-Csv -Path c:\folder\list_of_admin.csv -Append -NoTypeInformation

        Write-Host "$obj - Writing to the File ...." -ForegroundColor "yellow"
    }
    else { Write-Output "$obj - Not alive!" }
}


Senior IT System Engineer, IT Professional, Author, commented:
Hi Benjamin,

Does that mean the PowerShell script will look through all event viewers on all computers in the AD domain?

Is it possible to limit it to just the Security log on all AD domain controllers?
Benjamin Voglar, IT Pro, commented:
Yes, sure.

Here is your script:

Just enable PowerShell remoting on the DCs.

Paste the code into PowerShell ISE and run it:

$comp = "dc1","dc2","dc3"  # domain controllers

Write-Output " "
Write-Output "Start"
Write-Output "______________________"

ForEach ($obj in $comp) {

    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {

        # Security log only, as asked. Reading it remotely this way goes over RPC to the DC's
        # Event Log service: the "Remote Event Log Management" firewall rules must be open and
        # the caller needs read rights on the Security log (Administrators or Event Log Readers).
        $Seznam = Get-WinEvent -LogName "Security" -ComputerName $obj |
            Where-Object { $_.Message -like "*Administrator*" } |
            Select-Object MachineName, TimeCreated, Id, Message

        # Output to a file; Export-Csv -Append keeps the columns (Add-Content on objects writes only type names)
        $Seznam | Export-Csv -Path c:\folder\list_of_admin.csv -Append -NoTypeInformation

        Write-Host "$obj - Writing to the File ...." -ForegroundColor "yellow"
    }
    else { Write-Output "$obj - Not alive!" }
}


Senior IT System Engineer, IT Professional, Author, commented:
Thanks for the quick reply, Ben.

However, when I execute the script in my PowerShell ISE under the DOMAIN\Administrator account, I get:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "system" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand


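The thread ends with the Security-log variant of the script and an access error, so here is an added example that does the requested audit a different way; it is not code from the thread or from Benjamin's script. Instead of downloading the whole Security log and matching the message text, it filters on the DC itself for the four Security events that record an account being authenticated or logged on (4624 logon, 4768 Kerberos TGT request, 4769 Kerberos service ticket request, 4776 NTLM credential validation) whose TargetUserName is the account, and it runs Get-WinEvent through Invoke-Command, which is what "enable PowerShell remoting on the DCs" provides. The posted script's Get-WinEvent -ComputerName reads the log over RPC to the remote Event Log service instead, which needs the Remote Event Log Management firewall rules open and Security-log read rights (Administrators or Event Log Readers) on each DC. The DC names dc1/dc2/dc3, the account name, the seven-day window and the output path are assumptions to adjust, and the embedded 4624 event is constructed, not a real capture.

```powershell
# Added example, not code from the thread. Reads the Security log of each domain
# controller for events that record the use of one account and reports where each
# use came from. Assumes WinRM remoting is enabled on the DCs and the caller may
# read their Security logs; DC names, account, look-back window and output path
# below are assumptions to adjust.

$DomainControllers = 'dc1', 'dc2', 'dc3'          # assumed DC names
$Account           = 'Administrator'              # sAMAccountName as logged in TargetUserName
$LookBackDays      = 7
$OutFile           = 'C:\folder\admin_usage.csv'  # assumed output path

# Security events that record a DC authenticating or logging on an account. They
# exist only if the matching audit subcategories (Logon, Kerberos Authentication
# Service, Kerberos Service Ticket Operations, Credential Validation) are enabled.
#   4624 logon to the DC itself   4768 Kerberos TGT request
#   4769 Kerberos service ticket  4776 NTLM credential validation
$EventIds = 4624, 4768, 4769, 4776

# XPath filter evaluated on the DC, so only this account's events are read and
# shipped back (4769 is by far the noisiest Security event on a busy DC).
# Event log XPath string comparison is exact and case-sensitive.
function New-AccountXPath {
    param([string]$Account, [int[]]$Ids, [int]$Days)
    $idTest = ($Ids | ForEach-Object { "EventID=$_" }) -join ' or '
    $ms     = [int64]$Days * 24 * 60 * 60 * 1000
    "*[System[($idTest) and TimeCreated[timediff(@SystemTime) <= $ms]]]" +
    " and *[EventData[Data[@Name='TargetUserName']='$Account']]"
}

# Read one <Data Name="..."> value from an event's XML, or $null if absent.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

# Flatten one event into a record: which DC saw it, when, what kind of use, and
# which host the request came from.
function ConvertTo-UsageRecord {
    param([string]$EventXml, [string]$DomainController)
    $x   = [xml]$EventXml
    $sys = $x.Event.System
    $id  = if ($sys.EventID -is [string]) { [int]$sys.EventID } else { [int]$sys.EventID.'#text' }
    # 4624 carries IpAddress/WorkstationName, 4768/4769 IpAddress, 4776 Workstation
    $source = @((Get-EventField $x 'IpAddress'), (Get-EventField $x 'WorkstationName'),
                (Get-EventField $x 'Workstation')) |
              Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
    [pscustomobject]@{
        DomainController = $DomainController
        TimeCreated      = [datetime]$sys.TimeCreated.SystemTime
        EventId          = $id
        Account          = Get-EventField $x 'TargetUserName'
        LogonType        = Get-EventField $x 'LogonType'      # 4624 only
        Service          = Get-EventField $x 'ServiceName'    # 4769 only
        Source           = "$source" -replace '^::ffff:', ''  # strip IPv4-mapped prefix
    }
}

# Run Get-WinEvent on each DC over WinRM and bring the matches back as XML. This
# reads the log with the remote session's own token instead of the RPC path that
# Get-WinEvent -ComputerName uses; an unreachable DC is reported and skipped.
function Get-AccountUsage {
    param([string[]]$DomainControllers, [string]$Account, [int[]]$Ids, [int]$Days)
    $xpath = New-AccountXPath -Account $Account -Ids $Ids -Days $Days
    Invoke-Command -ComputerName $DomainControllers -ArgumentList $xpath -ScriptBlock {
        param($XPath)
        # SilentlyContinue only hides the "No events were found" error on a quiet DC
        Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Dc = $env:COMPUTERNAME; Xml = $_.ToXml() } }
    } | ForEach-Object { ConvertTo-UsageRecord -EventXml $_.Xml -DomainController $_.Dc }
}

# Constructed sample 4624 event (not a real capture) so the parsing can be checked offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID>
<TimeCreated SystemTime="2019-05-20T08:15:30.1234567Z"/><Computer>dc1.example.local</Computer></System>
<EventData><Data Name="TargetUserName">Administrator</Data><Data Name="LogonType">3</Data>
<Data Name="WorkstationName">FILESRV01</Data><Data Name="IpAddress">10.1.20.15</Data></EventData></Event>
'@
ConvertTo-UsageRecord -EventXml $sample -DomainController 'dc1' | Format-List

# Live run: full detail to CSV, plus a per-source summary of where the account is used.
$usage = Get-AccountUsage -DomainControllers $DomainControllers -Account $Account -Ids $EventIds -Days $LookBackDays
$usage | Export-Csv -Path $OutFile -NoTypeInformation
$usage | Group-Object Source | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

The XPath match on TargetUserName is exact and case-sensitive, so after the planned rename $Account has to be changed to the new sAMAccountName. Kerberos events (4768/4769) are written only on the DC that handled the request, so all six DCs have to be queried to see the full picture, and none of these events exist at all unless the corresponding Advanced Audit Policy subcategories are enabled on the DCs. The Source column is what answers the original question: the IP address or workstation name in each event is the host that presented the account's credentials.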