Solved

Modifying PowerShell to get the Security logs for user Domain\Administrator from the entire AD domain?

Posted on 2016-09-01
Last Modified: 2016-09-12
Hi All,

Can anyone here please assist me in modifying the PowerShell script below to go through the Windows Security Events to check where the user DOMAIN\Administrator is logging in or used in the entire domain? In particular event ID 4624, if it can be specified.

$date = Get-Date

$comp = Get-ADDomainController -Filter *   # all domain controllers in the current domain
Write-Output " "
Write-Output "Start"
Write-Output "______________________"

ForEach ($obj in $comp) {
    $dc = $obj.HostName   # pass a host name, not the AD object, to the cmdlets below
    If (Test-Connection -Count 1 -ComputerName $dc -Quiet) {
        # Filter log and event ID (4624 = successful logon) on the server, then match the account in the message text
        $Event = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; ID = 4624 } |
            Where-Object { $_.Message -like "*DOMAIN\Administrator*" } |
            Select-Object MachineName, TimeCreated, ID, Message
        # Out-String renders the objects as text; without it only the type name is written to the file
        Add-Content -Path C:\TEMP\list_of_admin-Events.txt -Value ($Event | Out-String -Width 200)
        Write-Host "$dc – Writing to the File ...." -ForegroundColor Yellow
    }
    else { Write-Output "$dc – Offline " }
}



The problem with the script above is that I cannot get it to run in my PowerShell ISE running as the DOMAIN\Administrator account itself.

This is the error I'm getting:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "Security" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand



Thanks.
5 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 41781520
You need to gain the Administrator token to satisfy User Account Control and gain access to the security log. This is in addition to whatever account you might be running as (including the account named Administrator).

From PowerShell (assuming the prompt is not elevated):
Start-Process powershell_ise.exe -Verb runas

 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41781535
OK, so how do I execute the script with that one-liner?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 41781542
You can't. You need to accept the elevation prompt if that's what you've configured UAC to do.

This applies even if you set-up a short-cut with the command in and tick the run as administrator box (that is, there will still be a prompt).

Alternatively set it up as a scheduled task to execute with highest privileges. Except now you have to set-up the task which requires the same admin token. Good stuff, huh?
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41788979
OK, somehow I've managed to find this script, which sifts through the Event logs for the Terminal Server:

Get-WinEvent -ComputerName PRODTS03-VM -FilterHashtable @{
        LogName   = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
        StartTime = (Get-Date).AddDays(-1)
        ID        = 1149
    } | ForEach-Object {
    # Event 1149 EventData order: 0 = user, 1 = domain, 2 = source network address
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User        = $_.Properties[0].Value
        Domain      = $_.Properties[1].Value
        SourceIP    = $_.Properties[2].Value
    }
} | Select-Object MachineName, TimeCreated, User, Domain, SourceIP | Format-Table -AutoSize



So I wonder if it can be configured / modified to filter the Security event ID 4624 only for the user DOMAIN\Administrator, like the example event below:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          08/09/2016 12:45:25 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      PRODDC01-VM.domain.com
Description:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		MyDomain\Office.Manager
	Account Name:		Office.Manager
	Account Domain:		MyDomain
	Logon ID:		0xf99126a2
	Logon GUID:		{a5bf47f4-d53a-6ff9-2139-a4ceb9e5b284}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.188.5.34
	Source Port:		60358

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.



I need to know the:
        Keywords: Audit Success
        Logon Type: 3
        Date: 08/09/2016 12:45:25 PM
        Security ID: Domain\Administrator
        Source Network Address: 10.188.5.199

Is that possible to customize the script?
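The 4624 query the asker describes, written as an added example (not code from this thread): it filters on log, event ID and account server-side with -FilterHashtable, reads the New Logon, Logon Type and Source Network Address fields from the event's Properties array instead of pattern-matching the message text, and checks for the elevated token the accepted answer says is required. It assumes the ActiveDirectory module and uses placeholder values for the domain name and output path.

```powershell
#Requires -Modules ActiveDirectory
# Added example: 4624 logons for one account, queried from every DC in the current domain.

function Get-AccountLogonEvents {
    param(
        [string]$Domain = 'DOMAIN',                  # placeholder NetBIOS domain of the account
        [string]$User   = 'Administrator',
        [int]$Days      = 1,
        [string]$OutCsv = 'C:\TEMP\admin-4624.csv'   # placeholder output path
    )

    # Reading the Security log needs the elevated (UAC) token, even for the Administrator account.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Not elevated: start PowerShell with "Start-Process powershell.exe -Verb RunAs" first.'
    }

    # Server-side filter: log, event ID, time window, and any EventData value equal to $User.
    $filter = @{ LogName = 'Security'; ID = 4624; StartTime = (Get-Date).AddDays(-$Days); Data = $User }

    # 4624 EventData positions: 5 TargetUserName, 6 TargetDomainName, 8 LogonType, 18 IpAddress
    $events = Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_.HostName
        if (-not (Test-Connection -ComputerName $dc -Count 1 -Quiet)) {
            Write-Warning "$dc - offline"
            return                                   # skip this DC, continue with the next
        }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Properties[5].Value -eq $User -and $_.Properties[6].Value -eq $Domain } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $_.MachineName
                    TimeCreated = $_.TimeCreated
                    Keywords    = ($_.KeywordsDisplayNames -join ',')   # e.g. 'Audit Success'
                    LogonType   = $_.Properties[8].Value                # 3 = network, 2 = interactive
                    Account     = '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value
                    SourceIP    = $_.Properties[18].Value
                }
            }
    }

    $events | Export-Csv -Path $OutCsv -NoTypeInformation
    $events
}

Get-AccountLogonEvents -Domain 'MyDomain' | Format-Table -AutoSize
```

The Properties positions above hold for 4624 on Windows Server 2008 R2 and later; newer releases append extra fields after index 19 but do not shift these.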
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41795264
