Tracking the usage for DOMAIN\Administrator account in Security logs of Domain Controllers

People,

How can I track down in which Event Viewer the DOMAIN\Administrator account is being used?

I need to perform the audit for PCI compliance and then change the password & rename this Administrator account, but so far I just wanted to know where it is being actively used.

Note: I have around 60 AD sites for the different site offices & there are 6 domain controllers spread across the different subnets.

So any help and suggestions would be greatly appreciated.

Thanks.
Top Expert 2015

Commented:
Hi.

I wrote a PowerShell script. I was looking for something else in Event Viewer in our company.

I modified it so that it is now looking for Administrator in all Event Viewers in your AD.

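Import-Module ActiveDirectory   # provides Get-ADComputer

$datum = Get-Date

# All computer accounts in the domain
$comp = Get-ADComputer -Filter *
write " "
Write "Start"
Write "______________________"

ForEach ($obj in $comp.dnshostname) {

    # Only query hosts that answer a ping
    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {

        # System log entries whose message mentions Administrator
        # (-like needs the * wildcards to match text inside the message)
        $Seznam = Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "*Administrator*") } | select Machinename,TimeCreated,ID,Message

        # Append the matches to the output file
        add-content -path c:\folder\list_of_admin.txt -value $Seznam

        write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"
    }
    else { write "$obj – Not a live!" }
}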


Author

Commented:
Hi Benjamin,

Does that mean the PowerShell script will look in all Event Viewers on all computers in the AD domain?

Is it possible to limit it to just the Security log on the AD domain controllers only?

Top Expert 2015
Commented:
Yes, sure.

Here is your script:

Just enable PowerShell remoting on the DCs.

Paste the code into PowerShell ISE and run it:

$datum = Get-Date

$comp = "dc1","dc2","dc3"  # domain controllers
write " "
Write "Start"
Write "______________________"

ForEach ($obj in $comp) {

    # Only query domain controllers that answer a ping
    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {

        # Entries from the log named in -LogName whose message mentions Administrator
        $Seznam = Get-WinEvent -LogName "system" -ComputerName $obj | Where { ($_.Message -like "*Administrator*") } | select Machinename,TimeCreated,ID,Message

        add-content -path c:\folder\list_of_admin.txt -value $Seznam # Output to a file

        write-host "$obj – Writing to the File ...." -foregroundcolor "yellow"
    }
    else { write "$obj – Not a live!" }
}
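
Added example, not part of the original posts: a variant that reads the Security log, where domain controllers record logon and authentication events, and reports where the Administrator account authenticates from. The DC names reuse the placeholders from the script above; the function names, the 7-day window and the sample event are assumptions made for illustration, and it assumes logon and Kerberos auditing is enabled on the DCs.

```powershell
# Added example. dc1..dc3 are placeholder names; the 7-day window is an assumption.
$DomainControllers = 'dc1', 'dc2', 'dc3'
$Account  = 'Administrator'
$Since    = (Get-Date).AddDays(-7)
# 4624 = successful logon, 4768 = Kerberos TGT request, 4776 = NTLM credential validation
$EventIds = 4624, 4768, 4776

function ConvertTo-LogonRecord {
    param([Parameter(Mandatory)][string]$EventXml, [string]$Source = 'sample')
    $x = [xml]$EventXml
    $d = @{}   # <Data Name="...">value</Data> pairs flattened into a hashtable
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        DC        = $Source
        Time      = $x.Event.System.TimeCreated.SystemTime
        EventId   = [int]$x.Event.System['EventID'].InnerText
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']   # only present on 4624
        # 4624 and 4768 carry IpAddress; 4776 carries Workstation
        Origin    = @($d['IpAddress'], $d['WorkstationName'], $d['Workstation'] |
                        Where-Object { $_ -and $_ -ne '-' }) -join ','
    }
}

function Get-AdminLogon {
    foreach ($dc in $DomainControllers) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = $EventIds; StartTime = $Since
            } | ForEach-Object { ConvertTo-LogonRecord -EventXml $_.ToXml() -Source $dc } |
                Where-Object { $_.User -ieq $Account }   # case-insensitive name match
        } catch { Write-Warning "${dc}: $($_.Exception.Message)" }
    }
}

# Constructed sample 4624 event (not real data) to try the parser offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T08:00:00Z"/></System>
 <EventData>
  <Data Name="TargetUserName">Administrator</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="IpAddress">10.0.0.25</Data>
 </EventData>
</Event>
'@
ConvertTo-LogonRecord -EventXml $sample
# Live run: where the account logs on from, most frequent first
Get-AdminLogon | Group-Object Origin, EventId | Sort-Object Count -Descending | Select-Object Count, Name
```

Filtering on event ID and start time in `-FilterHashtable` keeps the selection on the domain controller, so only candidate events cross the network before the account name is matched locally.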


Author

Commented:
Thanks for the quick reply Ben,

However, when I execute the script in my PowerShell ISE under the DOMAIN\Administrator account, I get:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "system" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand
