Solved

Tracking the usage for DOMAIN\Administrator account in Security logs of Domain Controllers

Posted on 2016-09-01
4
161 Views
Last Modified: 2016-09-01
People,

How can I track down which Event viewer where DOMAIN\Administrator account is being used ?

i need to perform the audit for PCI compliance and then change the password & rename this Administrator account, but so far just wanted to know where it is being actively used.

Note: I have around 60 AD sites for each different site offices & there are 6 domain controllers spread across the different Subnets.

So any help and suggestion would be greatly appreciated.

Thanks.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41779413
Hi.

I wrote a Powershell script. I was looking for something else in eventviewer in our Company.

I modified it so that it is now looking for Administrator in All EventViewers in you AD.

$datum = Get-Date

$comp = Get-ADComputer -Filter *
write " "
Write "Start"
Write "______________________"



ForEach  ($obj in $comp.dnshostname) {

   

    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {


    $Seznam=Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "Administrator")} | select Machinename,TimeCreated,ID,Message 
    
    add-content -path c:\folder\list_of_admin.txt -value $Seznam 
    
    write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"
    
    }

    
    else { write "$obj – Not a live!" }

}

Open in new window

0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41779422
Hi Benjamin,

Does that means the powershell script will looks for all event viewer in all computers in the AD domain ?

Is it possible to limit it just for the security log in all AD domain controllers only ?
0
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 500 total points
ID: 41779458
Yes shure.

Heare is your script:

just enable powershell remoting on DC's.

paste the code to Powershell ISE and run it:

$datum = Get-Date

$comp = "dc1","dc2","dc3"  #domain controlers
write " "
Write "Start"
Write "______________________"



ForEach  ($obj in $comp) {

   

    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {


    $Seznam=Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "*Administrator*")} | select Machinename,TimeCreated,ID,Message 
    
    add-content -path c:\folder\list_of_admin.txt -value $Seznam #Output to a file
    
    write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"
    
    }

    
    else { write "$obj – Not a live!" }

}

Open in new window

0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41780798
Thanks for the quick reply Ben,

However, when I execute the script on my Powershell ISE under DOMAIN\Administrator acount, I get:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "system" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand

Open in new window

0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question