?
Solved

Tracking the usage for DOMAIN\Administrator account in Security logs of Domain Controllers

Posted on 2016-09-01
4
Medium Priority
?
172 Views
Last Modified: 2016-09-01
People,

How can I track down which Event viewer where DOMAIN\Administrator account is being used ?

i need to perform the audit for PCI compliance and then change the password & rename this Administrator account, but so far just wanted to know where it is being actively used.

Note: I have around 60 AD sites for each different site offices & there are 6 domain controllers spread across the different Subnets.

So any help and suggestion would be greatly appreciated.

Thanks.
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 12

Expert Comment

by:Benjamin Voglar
ID: 41779413
Hi.

I wrote a Powershell script. I was looking for something else in eventviewer in our Company.

I modified it so that it is now looking for Administrator in All EventViewers in you AD.

$datum = Get-Date

$comp = Get-ADComputer -Filter *
write " "
Write "Start"
Write "______________________"



ForEach  ($obj in $comp.dnshostname) {

   

    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {


    $Seznam=Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "Administrator")} | select Machinename,TimeCreated,ID,Message 
    
    add-content -path c:\folder\list_of_admin.txt -value $Seznam 
    
    write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"
    
    }

    
    else { write "$obj – Not a live!" }

}

Open in new window

0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41779422
Hi Benjamin,

Does that means the powershell script will looks for all event viewer in all computers in the AD domain ?

Is it possible to limit it just for the security log in all AD domain controllers only ?
0
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 2000 total points
ID: 41779458
Yes shure.

Heare is your script:

just enable powershell remoting on DC's.

paste the code to Powershell ISE and run it:

$datum = Get-Date

$comp = "dc1","dc2","dc3"  #domain controlers
write " "
Write "Start"
Write "______________________"



ForEach  ($obj in $comp) {

   

    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {


    $Seznam=Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "*Administrator*")} | select Machinename,TimeCreated,ID,Message 
    
    add-content -path c:\folder\list_of_admin.txt -value $Seznam #Output to a file
    
    write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"
    
    }

    
    else { write "$obj – Not a live!" }

}

Open in new window

0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41780798
Thanks for the quick reply Ben,

However, when I execute the script on my Powershell ISE under DOMAIN\Administrator acount, I get:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "system" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand

Open in new window

0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question