HelpDesk under the hood. Auditing user account creation in AD
Welcome, everyone.
Article based on information from habrahabr.ru
When I was still at the very beginning of my acquaintance with the system administrator's profession, my boss told me about one of its branches: the AD designer. These people bring order to the domain and tidy up its accounts. Anyone who has had to deal with this can understand the irritation caused by ugly account names created by any employee who couldn't care less about your conventions.
Armed with PowerShell, we took up the fight!
Don't litter!
The gist is this: a dedicated OU was created in AD for the HelpDesk (let's call it NewUsers) in which they could create new accounts (delegating user rights is not covered here).
Their task is to create a new account in that OU.
My task is to check that the required fields (especially the login) are filled in correctly and to move the accounts to their departments.
It turned out that people absolutely did not want to think about any of that and simply wandered over to me with requests to create the account for them. For a few weeks I fended them off with the words: you can do it yourselves!
Finally I got through to them, but this was only the beginning of the story.
In the end I was left with a pile of accounts, unclear whose, and most importantly, unclear who had created them. To the question "who created this?" all the staff protested in unison. Naturally, I was eager to sort out these accounts; enough was enough.
As the person responsible for the domain, it was me who had to answer to the boss for Tania and Gosha.
Then I came across a wonderful word: audit.
Solutions
There were several ways out of this situation. On one hand, I could spend a long time casting pearls, explaining which fields to fill in and how. On the other, I could monitor the creation of accounts, identify the offenders, and rub their noses in the ugly names.
The first method gave no results, so with a heavy heart I moved on to the second.
First I had to set the audit policy on the particular OU (in our case the Created folder) and add the group whose actions will be audited (so as not to bother with groups, add all users).
Here you can read about auditing Active Directory Domain Services, and here you will find step-by-step instructions on configuring auditing.
As a result, events for the creation of new user objects will appear in the Security log of the domain controller.
We are interested in event ID 5137 (A directory service object was created).
Now to collecting the information from the controllers. Of course, if you have one DC, you only need to configure a log filter and forget about the rest of this article, but then you have to turn into Uncle Vanya, the watchman of a cornfield who is always on duty. In other words: got some free time? Go look in the Security log.
If you want to stay yourself and you have more than one DC, read on.
What about PowerShell?
In PowerShell the Get-EventLog cmdlet helps to view the log. With its help we will select the messages we need. To get around the problems with script signing, we put the code we need into the profile file and defined it as a function.
Those of you unfamiliar with profiles can read this, or, if you don't want to leave Habr, this.
Also, to allow the profile to load, you will need to run the command:
Set-ExecutionPolicy RemoteSigned
Let's get back to our sheep. So, here is the code of our function:
# Take the newest event 5137 (directory service object created) from the Security log,
# keep it only if the object lives in the NewUsers OU, and append the time, the message
# text and the DC name to a file on my workstation.
function Audit
{
    Get-EventLog Security -InstanceId 5137 -Newest 1 |
    Where-Object { $_.Message -match "OU=NewUsers,DC=contoso,DC=com" } |
    Select-Object TimeWritten, Message, MachineName | Format-List | Out-File \\Mypcname\d$\Audit.txt -Append
}
For myself, I pick only the time the event was written, the message, and the name of the DC on which it occurred. If this information is not enough for someone, the list can be extended. Run:
to get the complete list of all properties.
The output goes to a text file located on my work computer.
Also, I am only interested in accounts in a specific OU, so we select the messages that contain the path to that directory (OU=NewUsers,DC=contoso,DC=com).
If you are wondering why I pick only the 1 latest entry, read on.
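The function above stores the raw message text of the single newest 5137 event, so the question "who created this?" still means reading the text by eye, and two accounts created within the same second leave only one line. The following is an added example, not the author's code: it records every 5137 event since the previous run and parses the creator and the object out of the message. The watermark file path, the .csv output name and the sample message are my own assumptions, not values from the article.

```powershell
# Added example, not the author's code. Records every 5137 event since the previous run
# (so a burst of account creations is not lost) and parses out who created which object.
# Assumptions (mine, not from the article): the watermark file path, the .csv output
# name, and the constructed sample message at the bottom.

function Get-MessageField {
    # Return the value of a "Label:    value" line from a multi-line event message.
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(\S.*?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

function ConvertFrom-Event5137Message {
    # Turn the text of a 5137 message into an object with the fields that answer
    # the question "who created this account?".
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = (Get-Date),
        [string]$MachineName = $env:COMPUTERNAME
    )
    $domain = Get-MessageField $Message 'Account Domain'
    $name   = Get-MessageField $Message 'Account Name'
    [pscustomobject]@{
        TimeCreated      = $TimeCreated
        DomainController = $MachineName
        CreatedBy        = "$domain\$name"
        CreatorSid       = Get-MessageField $Message 'Security ID'
        ObjectDN         = Get-MessageField $Message 'DN'
        ObjectClass      = Get-MessageField $Message 'Class'
    }
}

function Audit {
    # Collect all 5137 events written since the last run, keep user objects under the
    # OU, append them to a CSV and move the watermark forward.
    param(
        [string]$OuDn          = 'OU=NewUsers,DC=contoso,DC=com',
        [string]$WatermarkPath = "$env:ProgramData\AdAudit\last-run.txt",   # assumption
        [string]$OutputCsv     = '\\Mypcname\d$\Audit.csv'                     # assumption
    )
    $started = Get-Date
    # First run: look back one hour; afterwards: from the timestamp of the previous run.
    $since = if (Test-Path $WatermarkPath) { [datetime](Get-Content $WatermarkPath -Raw).Trim() } else { $started.AddHours(-1) }

    # Get-WinEvent reports a non-terminating error when nothing matches; that is not a failure here.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5137; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event5137Message -Message $_.Message -TimeCreated $_.TimeCreated -MachineName $_.MachineName } |
        Where-Object { $_.ObjectClass -eq 'user' -and $_.ObjectDN -like "*,$OuDn" } |
        Export-Csv -Path $OutputCsv -Append -NoTypeInformation

    New-Item -ItemType Directory -Path (Split-Path $WatermarkPath) -Force | Out-Null
    $started.ToString('o') | Set-Content -Path $WatermarkPath
}

# Constructed sample message in the standard 5137 layout (not a real event).
$sampleMessage = @"
A directory service object was created.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       helpdesk1
    Account Domain:     CONTOSO
    Logon ID:           0x3E7A1

Directory Service:
    Name:   contoso.com
    Type:   Active Directory Domain Services

Object:
    DN:     CN=Ivan Petrov,OU=NewUsers,DC=contoso,DC=com
    GUID:   {00000000-0000-0000-0000-000000000000}
    Class:  user

Operation:
    Correlation ID:     {00000000-0000-0000-0000-000000000000}
    Application Correlation ID: -
"@

# Parsing the sample yields CreatedBy = CONTOSO\helpdesk1 plus the object's DN and class.
ConvertFrom-Event5137Message -Message $sampleMessage -MachineName 'DC01' | Format-List
```

The scheduled task can keep calling `Audit` exactly as in the article; the watermark simply makes it irrelevant whether one or ten events arrived between two runs. One caveat: the message text is localized, so on a DC with a Russian UI the labels differ from the English ones matched here. In that case read the event's `Properties` collection (the raw EventData fields, in fixed order) instead of the message.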
We need to call this function every time the needed events appear in the log. For this we use the standard Task Scheduler. I won't describe how to create a job, just the important points:
Action: Start a program
Program/script: powershell
Add arguments: -windowstyle Hidden audit
Trigger:
Begin the task: On an event
Log: Security
Event ID: 5137
Just don't forget to tick the boxes:
"Run whether user is logged on or not", so that the task runs without requiring our presence.
"Run with highest privileges", so that we have access to the Security log.
Once the job is created, you can export it to an XML file and in this way distribute it to the rest of the DCs.
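The same task, created from PowerShell instead of the GUI and then exported for the other DCs, as an added example that is not part of the original article. It assumes the task name AD-Audit-5137 (my choice), that the Audit function lives in the profile of the account the task runs as, and that it is run elevated on a DC.

```powershell
# Added example, not the author's code: build the event-triggered task in PowerShell,
# then export it so it can be imported on the other DCs.
# Assumptions: task name 'AD-Audit-5137'; the 'Audit' function is defined in the
# profile of the account the task runs as; run elevated on a DC.

# Event trigger. The GUI hides this XPath subscription, but it is exactly what
# "Begin the task: On an event / Log: Security / Event ID: 5137" produces.
$triggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName 'MSFT_TaskEventTrigger'
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=5137]]</Select>
  </Query>
</QueryList>
'@

# Action: same as the article, hidden window, call the profile function.
# Do not add -NoProfile here: the Audit function is loaded from the profile.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-WindowStyle Hidden -Command Audit'

# Settings: Queue instead of the default IgnoreNew, so a burst of 5137 events does not
# silently drop runs while a previous instance is still writing its output.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Queue -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

# "Run whether user is logged on or not" = a stored-password logon; "Run with highest
# privileges" = -RunLevel Highest. The account needs read access to the Security log.
$cred = Get-Credential -Message 'Account the audit task runs as'
Register-ScheduledTask -TaskName 'AD-Audit-5137' -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force | Out-Null

# Export once (task XML is UTF-16), then import on every other DC: the article's XML step.
Export-ScheduledTask -TaskName 'AD-Audit-5137' | Set-Content -Path "$env:TEMP\AD-Audit-5137.xml" -Encoding Unicode
# On each remaining DC:
# Register-ScheduledTask -TaskName 'AD-Audit-5137' -Xml (Get-Content "$env:TEMP\AD-Audit-5137.xml" -Raw) `
#     -User $cred.UserName -Password $cred.GetNetworkCredential().Password
```

The one setting worth checking after import is MultipleInstancesPolicy: a task created through the GUI defaults to "Do not start a new instance", which together with `-Newest 1` is exactly how a second account created during the same run goes unrecorded.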
Nobody likes snitches
In the end we got a personal "snitch" on each DC that reacts to specific events in the Security log.
Now you can catch red-handed those who do not observe the principles of Feng Shui and obstruct the free flow of energy in our domain.