Modifying Powershell to get the Security logs for user Domain\Administrator from all AD domain ?

Posted on 2016-09-01
Last Modified: 2016-09-12

Hi All,

Can anyone here please assist me in modifying the PowerShell script below to go through the Windows Security events and check where the user DOMAIN\Administrator is logging in or being used across the entire domain? In particular, event ID 4624, if it can be specified.

$date = Get-Date

Import-Module ActiveDirectory
$comp = Get-ADDomainController -Filter *   # all domain controllers in the current domain
Write-Output " "
Write-Output "Start"
Write-Output "______________________"

ForEach ($obj in $comp) {
    $name = $obj.HostName   # Test-Connection and Get-WinEvent need a host name, not the AD object
    If (Test-Connection -Count 1 -ComputerName $name -Quiet) {
        # Filtering on ID 4624 on the remote side avoids pulling the whole Security log over the wire
        $Event = Get-WinEvent -ComputerName $name -FilterHashtable @{LogName = "Security"; ID = 4624} |
            Where-Object { $_.Message -like "*DOMAIN\Administrator*" } |
            Select-Object MachineName, TimeCreated, ID, Message
        # Out-String renders the objects; Add-Content on its own would write only their type names
        Add-Content -Path C:\TEMP\list_of_admin-Events.txt -Value ($Event | Out-String)   # Output to a file
        Write-Host "$name - Writing to the File ...." -ForegroundColor "yellow"
    }
    else { Write-Output "$name - Offline " }
}


The problem with the script above is that I cannot get it to run in my PowerShell ISE, running as the DOMAIN\Administrator account itself.

This is the error I'm getting:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "Security" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand


Thanks.

Accepted Solution by Chris Dent (LVL 70), ID: 41781520

You need to gain the Administrator token to satisfy User Account Control and gain access to the security log. This is in addition to whatever account you might be running as (including the account named Administrator).

From PowerShell (assuming the prompt is not elevated):
Start-Process powershell_ise.exe -Verb runas


Author Comment by Senior IT System Engineer (LVL 7), ID: 41781535

OK, so how do I execute the script from that one-liner?

Expert Comment by Chris Dent (LVL 70), ID: 41781542

You can't. You need to accept the elevation prompt, if that's what you've configured UAC to do.

This applies even if you set up a shortcut with the command in it and tick the "Run as administrator" box (that is, there will still be a prompt).

Alternatively, set it up as a scheduled task to execute with highest privileges. Except now you have to set up the task, which requires the same admin token. Good stuff, huh?
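The two routes described in the answer above, as an added example that is not code from the original thread: a script that checks whether it already holds the elevated token, relaunches itself through `-Verb RunAs` if not (the UAC consent or credential prompt still appears; nothing here suppresses it), and a helper that registers the same script as a scheduled task running with highest privileges. It assumes it is saved as a .ps1 file (so `$PSCommandPath` is set), that the ScheduledTasks module is available (Windows 8 / Server 2012 and later), and the task name is a placeholder chosen for this example.

```powershell
# Added example, not from the original thread. Self-elevating wrapper plus a scheduled-task
# alternative. Assumes this runs as a saved .ps1 (so $PSCommandPath is populated) and that the
# ScheduledTasks module exists. 'AdminLogonReport' is a placeholder task name.

function Test-IsElevated {
    # Under UAC the Administrator account gets a filtered token by default; the Administrators
    # role check is true only for the full token, which is what reading the Security log needs.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Register-ElevatedScriptTask {
    param(
        [string]$TaskName,
        [string]$ScriptPath,
        [string]$RunAs = "$env:USERDOMAIN\$env:USERNAME"
    )
    # Registering a task with RunLevel Highest itself requires the elevated token, as the
    # comment above points out; run this function from an already elevated session.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '06:00'
    $principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Interactive -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal
}

if (-not (Test-IsElevated)) {
    Write-Host 'Not elevated: relaunching with the Administrator token (expect a UAC prompt) ...'
    $arguments = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"")
    # -Verb RunAs is the same mechanism as the Start-Process one-liner in the accepted solution
    Start-Process -FilePath 'powershell.exe' -ArgumentList $arguments -Verb RunAs -Wait
    exit
}

# From here on the session holds the full token, so the Security log is readable.
Get-WinEvent -LogName Security -MaxEvents 5 | Format-Table TimeCreated, Id, ProviderName -AutoSize

# Optional: schedule this script so it runs elevated without an interactive prompt at run time.
# Register-ElevatedScriptTask -TaskName 'AdminLogonReport' -ScriptPath $PSCommandPath
```

Running the file from a non-elevated ISE produces the UAC prompt once; the elevated child process then executes the body. The scheduled-task path moves the prompt to registration time rather than removing it.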

Author Comment by Senior IT System Engineer (LVL 7), ID: 41788979

OK, somehow I've managed to find this script, which sifts through the event logs of the Terminal Server:

Get-WinEvent -ComputerName PRODTS03-VM -FilterHashtable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; StartTime=(Get-Date).AddDays(-1); ID=1149} | ForEach-Object {
    # Event 1149 carries three EventData fields, in this order: user, domain, source address
    New-Object PSObject -Property @{
        MachineName = $_.MachineName
        TimeCreated = $_.TimeCreated
        User        = $_.Properties[0].Value
        Domain      = $_.Properties[1].Value
        SourceIP    = $_.Properties[2].Value
    }
} | Select-Object MachineName, TimeCreated, User, Domain, SourceIP | Format-Table -AutoSize


So I wonder if it can be configured / modified to filter the Security event ID 4624 only for the user DOMAIN\Administrator, like the example event below:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          08/09/2016 12:45:25 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      PRODDC01-VM.domain.com
Description:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		MyDomain\Office.Manager
	Account Name:		Office.Manager
	Account Domain:		MyDomain
	Logon ID:		0xf99126a2
	Logon GUID:		{a5bf47f4-d53a-6ff9-2139-a4ceb9e5b284}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.188.5.34
	Source Port:		60358

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


I need to know the:
        Keywords: Audit Success
        Logon Type: 3
        Date: 08/09/2016 12:45:25 PM
        Security ID: Domain\Administrator
        Source Network Address: 10.188.5.199

Is that possible to customize the script?

Author Closing Comment by Senior IT System Engineer (LVL 7), ID: 41795264

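The 4624 filter the asker describes above (one account, Audit Success, a given logon type, with date, Security ID and source address), collected from every domain controller, as an added example that is not code from the original thread. It assumes an elevated session, the ActiveDirectory module, and that `$Domain` and `$Account` are the values shown in the event's "Account Domain" and "Account Name" fields; the defaults `MYDOMAIN` and `C:\TEMP\admin-4624.csv` are placeholders chosen for this example. The filter is written as an event-log XPath so the DC does the matching before anything crosses the wire, and the event fields are read by name from the record's XML rather than by `Properties[index]`, because later Windows versions append fields to 4624 and shift the positions.

```powershell
# Added example, not code from the original thread. Collects 4624 (successful logon) events for one
# account from every domain controller. Assumes an elevated session, the ActiveDirectory module,
# and that $Domain/$Account match the event's "Account Domain"/"Account Name" fields.
# The defaults below (MYDOMAIN, C:\TEMP\...) are placeholders chosen for this example.
param(
    [string]$Domain    = 'MYDOMAIN',       # NetBIOS name, as in "Account Domain:"
    [string]$Account   = 'Administrator',  # sAMAccountName, as in "Account Name:"
    [int]   $LogonType = 3,                # 3 = network, 2 = interactive, 10 = RDP
    [int]   $Days      = 1,
    [string]$OutFile   = 'C:\TEMP\admin-4624.csv'
)

Import-Module ActiveDirectory

# Everything in this XPath is evaluated on the remote DC, so only matching records cross the
# network. band(Keywords, 0x20000000000000) is the "Audit Success" test Event Viewer itself emits.
# Data values are matched exactly as stored in the event.
$ms    = [int64]$Days * 86400000
$xpath = "*[System[EventID=4624 and band(Keywords,9007199254740992) and " +
         "TimeCreated[timediff(@SystemTime) <= $ms]] and " +
         "EventData[Data[@Name='TargetUserName']='$Account' and " +
         "Data[@Name='TargetDomainName']='$Domain' and " +
         "Data[@Name='LogonType']='$LogonType']]"

function ConvertFrom-LogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    # Read EventData by field name rather than Properties[index]: newer Windows versions append
    # fields to 4624, so positional indexes silently shift between OS releases.
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Computer     = $Record.MachineName
        TimeCreated  = $Record.TimeCreated
        Keywords     = ($Record.KeywordsDisplayNames -join ',')   # "Audit Success" here
        LogonType    = $data['LogonType']
        SecurityID   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIP     = $data['IpAddress']
        SourcePort   = $data['IpPort']
        LogonProcess = $data['LogonProcessName']
        AuthPackage  = $data['AuthenticationPackageName']
    }
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        Write-Warning "$name - offline"
        continue
    }
    Write-Host "$name - querying ..." -ForegroundColor Yellow
    try {
        Get-WinEvent -ComputerName $name -LogName Security -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object { ConvertFrom-LogonEvent $_ }
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; report only the other failures
        # (access denied here is the same UnauthorizedAccessException the question shows).
        if ($_.Exception.Message -notlike 'No events were found*') { Write-Warning "$name - $_" }
    }
}

$results | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation
$results | Format-Table Computer, TimeCreated, Keywords, LogonType, SecurityID, SourceIP -AutoSize
```

Run it from an elevated prompt (the same requirement the accepted solution explains) and pass `-LogonType 10` to see RDP logons instead of network ones. The `FilterHashtable` form used in the Terminal Server script above would also work with a `Data='Administrator'` key, but that key matches any EventData field equal to the value (the Subject account as well as the New Logon account), which is why the XPath names the field explicitly.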
