?
Solved

Tracking the usage for DOMAIN\Administrator account in Security logs of Domain Controllers

Posted on 2016-09-01
4
Medium Priority
?
195 Views
Last Modified: 2016-09-01
People,

How can I track down which Event viewer where DOMAIN\Administrator account is being used ?

i need to perform the audit for PCI compliance and then change the password & rename this Administrator account, but so far just wanted to know where it is being actively used.

Note: I have around 60 AD sites for each different site offices & there are 6 domain controllers spread across the different Subnets.

So any help and suggestion would be greatly appreciated.

Thanks.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41779413
Hi.

I wrote a Powershell script. I was looking for something else in eventviewer in our Company.

I modified it so that it is now looking for Administrator in All EventViewers in you AD.

$datum = Get-Date

$comp = Get-ADComputer -Filter *
write " "
Write "Start"
Write "______________________"



ForEach  ($obj in $comp.dnshostname) {

   

    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {


    $Seznam=Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "Administrator")} | select Machinename,TimeCreated,ID,Message 
    
    add-content -path c:\folder\list_of_admin.txt -value $Seznam 
    
    write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"
    
    }

    
    else { write "$obj – Not a live!" }

}

Open in new window

0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41779422
Hi Benjamin,

Does that means the powershell script will looks for all event viewer in all computers in the AD domain ?

Is it possible to limit it just for the security log in all AD domain controllers only ?
0
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 2000 total points
ID: 41779458
Yes shure.

Heare is your script:

just enable powershell remoting on DC's.

paste the code to Powershell ISE and run it:

$datum = Get-Date

$comp = "dc1","dc2","dc3"  #domain controlers
write " "
Write "Start"
Write "______________________"



ForEach  ($obj in $comp) {

   

    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {


    $Seznam=Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "*Administrator*")} | select Machinename,TimeCreated,ID,Message 
    
    add-content -path c:\folder\list_of_admin.txt -value $Seznam #Output to a file
    
    write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"
    
    }

    
    else { write "$obj – Not a live!" }

}

Open in new window

0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41780798
Thanks for the quick reply Ben,

However, when I execute the script on my Powershell ISE under DOMAIN\Administrator acount, I get:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "system" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand

Open in new window

0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question