Solved

Modifying Powershell to get the Security logs for user Domain\Administrator from all AD domain ?

Posted on 2016-09-01
  • Powershell
  • Active Directory
  • VB Script
  • Windows Batch
  • Windows OS
99 Views
Last Modified: 2016-09-12
Hi All,

Can anyone here please assist me in modifying the PowerShell script below to go through the Windows Security events to check where the user DOMAIN\Administrator is logging in or being used in the entire domain? In particular event ID 4624, if it can be specified.

$date = Get-Date

# All domain controllers in the current domain; HostName is the FQDN used for the remote calls below
$comp = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Write-Output " "
Write-Output "Start"
Write-Output "______________________"

ForEach ($obj in $comp) {
    If (Test-Connection -Count 1 -ComputerName $obj -Quiet) {
        # Reading the Security log remotely needs an elevated token plus admin (or Event Log Readers) rights on the DC
        $Event=Get-WinEvent -LogName "Security" -ComputerName $obj | Where { ($_.Message -like "*DOMAIN\Administrator*") } | Select-Object MachineName,TimeCreated,ID,Message
        # Render the records as text first; Add-Content -Value $Event on its own writes only the object type name
        $Event | Format-List | Out-String | Add-Content -Path C:\TEMP\list_of_admin-Events.txt #Output to a file
        Write-Host "$obj – Writing to the File ...." -ForegroundColor "yellow"
    }
    else { Write-Output "$obj – Offline " }
}



The problem with the script above is that I cannot get it to run in my PowerShell ISE running as the DOMAIN\Administrator account itself.

This is the error I'm getting:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:12 char:13
+ ...      $Event=Get-WinEvent -LogName "Security" -ComputerName $obj | Where ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
    + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand



Thanks.
5 Comments
 
LVL 70

Accepted Solution

by: Chris Dent (earned 500 total points)
You need to gain the Administrator token to satisfy User Account Control and gain access to the security log. This is in addition to whatever account you might be running as (including the account named Administrator).

From PowerShell (assuming the prompt is not elevated):
Start-Process powershell_ise.exe -Verb runas


 
LVL 7

Author Comment

by: Senior IT System Engineer
OK, so how do I execute the script on that one-liner?
 
LVL 70

Expert Comment

by: Chris Dent
You can't. You need to accept the elevation prompt if that's what you've configured UAC to do.

This applies even if you set up a shortcut with the command in it and tick the "run as administrator" box (that is, there will still be a prompt).

Alternatively, set it up as a scheduled task to execute with highest privileges. Except now you have to set up the task, which requires the same admin token. Good stuff, huh?
 
LVL 7

Author Comment

by: Senior IT System Engineer
OK, somehow I've managed to find this script, which sifts through the event logs for the Terminal Server:

Get-WinEvent -ComputerName PRODTS03-VM -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";StartTime=(Get-Date).AddDays(-1);ID=1149} | ForEach-Object {
	# Event 1149 carries user, domain and source address as the first three positional EventData fields
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value
		Domain = $_.Properties[1].Value
		SourceIP = $_.Properties[2].Value
	}
} | Select-Object MachineName,TimeCreated,User,Domain,SourceIP | Format-Table -AutoSize



So I wonder if it can be configured / modified to filter the Security event ID 4624 only for the user DOMAIN\Administrator, like the example event below:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          08/09/2016 12:45:25 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      PRODDC01-VM.domain.com
Description:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		MyDomain\Office.Manager
	Account Name:		Office.Manager
	Account Domain:		MyDomain
	Logon ID:		0xf99126a2
	Logon GUID:		{a5bf47f4-d53a-6ff9-2139-a4ceb9e5b284}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	10.188.5.34
	Source Port:		60358

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.



I need to know the:
	Keywords: Audit Success
	Logon Type: 3
	Date: 08/09/2016 12:45:25 PM
	Security ID: Domain\Administrator
	Source Network Address: 10.188.5.199

Is it possible to customize the script this way?
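As an added example (written for this page, not posted by anyone in the thread), the script below combines Chris Dent's elevation point with the 4624 filtering asked for above: it refuses to run without the UAC admin token, pulls Security event 4624 from every domain controller, keeps only records whose New Logon account is the audited user, and reports the Keywords, Logon Type, time, account and Source Network Address fields listed. The account, domain name and output path are placeholders; the field names used (TargetUserName, TargetDomainName, LogonType, IpAddress, WorkstationName) are the EventData names the Security-Auditing provider writes into 4624.

```powershell
# Added example (not from the thread): report 4624 logons for one account across all domain controllers.
# The Security log cannot be read without the elevated token, so fail early instead of hitting UnauthorizedAccessException.
$isElevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isElevated) { throw 'Run this from an elevated PowerShell session (Start-Process powershell.exe -Verb RunAs).' }

$Account = 'Administrator'                 # placeholder: sAMAccountName to audit
$Domain  = 'DOMAIN'                        # placeholder: NetBIOS domain name
$Since   = (Get-Date).AddDays(-1)
$OutFile = 'C:\TEMP\admin-4624.csv'        # placeholder output path

# Pull one <Data Name="..."> value out of the event's EventData section by name rather than by position
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    ID        = 4624
    StartTime = $Since
    Keywords  = 9007199254740992           # Audit Success keyword (0x20000000000000)
    Data      = $Account                   # server-side narrowing: any EventData value equal to the account name
}

$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    if (-not (Test-Connection -Count 1 -ComputerName $dc -Quiet)) {
        Write-Warning "$dc - offline"; continue
    }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        # Data=$Account also matches the Subject fields; keep only events where the New Logon account is the one audited
        if ((Get-EventField $x 'TargetUserName') -ne $Account -or (Get-EventField $x 'TargetDomainName') -ne $Domain) { return }
        [pscustomobject]@{
            Computer      = $_.MachineName
            TimeCreated   = $_.TimeCreated
            Keywords      = 'Audit Success'      # guaranteed by the Keywords filter above
            LogonType     = Get-EventField $x 'LogonType'
            SecurityID    = "$Domain\$Account"
            SourceAddress = Get-EventField $x 'IpAddress'
            Workstation   = Get-EventField $x 'WorkstationName'
        }
    }
}
$report | Sort-Object TimeCreated | Format-Table -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

Newer PowerShell versions also accept named EventData keys in the filter hashtable (for example TargetUserName = $Account), which would make the post-filter on the parsed XML unnecessary.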
 
LVL 7

Author Closing Comment

by: Senior IT System Engineer
