audit account connection

matteu31400 asked, FanFan-MSFT commented

Hello,

I need to find all the workstations / servers where the domain administrator built-in account is used (scheduled task, service account, ...).
What is the best method to do it?

I only know the Security event log with event ID 4624; I can increase its size to archive it, collect data for 1 or 2 weeks, and use PowerShell to find all the computers where this account is used.

Is there any other way to find it?

windows-active-directory
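The question is about configured usage (services and scheduled tasks) as much as about logons, and that part can be inventoried directly rather than waited for in the event log. The following script is an added example, not code from the question or from any of the answers. It connects to a set of domain computers, reads the run-as account of every Windows service and scheduled task, and reports those that run as the domain's built-in Administrator. The account is matched by SID (domain SID plus RID 500), so a renamed account, DOMAIN\Administrator, administrator@domain.tld and a SID string are all caught, and the local Administrator is not confused with the domain one. It assumes PowerShell Remoting is enabled and you are a local administrator on the targets, that the RSAT ActiveDirectory module is installed where the script runs, and the output path is a made-up value.

```powershell
# Added example (not from the original post): inventory services and scheduled tasks that run
# as the domain built-in Administrator, matched by SID rather than by name.
# Assumptions: PSRemoting enabled on targets, caller is local admin there, RSAT AD module present.
param(
    [string[]]$ComputerName = (Get-ADComputer -Filter 'Enabled -eq $true' |
                               Select-Object -ExpandProperty DNSHostName),
    [string]$OutFile = 'C:\temp\builtin-admin-runas.csv'   # constructed path
)

# RID 500 is the built-in Administrator whatever it has been renamed to.
$targetSid = "$((Get-ADDomain).DomainSID.Value)-500"

$scan = {
    param([string]$TargetSid)

    # Translate an account string as found in service/task configuration to a SID.
    # Returns $null for LocalSystem, virtual accounts, or names that cannot be resolved.
    function Resolve-AccountSid([string]$Account) {
        if (-not $Account) { return $null }
        if ($Account -match '^S-1-') { return $Account }          # already a SID string
        try {
            $nt = New-Object System.Security.Principal.NTAccount($Account)
            return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { return $null }
    }

    $hits = [System.Collections.Generic.List[object]]::new()

    # Services: StartName is the logon account (DOMAIN\user, .\user, LocalSystem, NT AUTHORITY\...).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ((Resolve-AccountSid $svc.StartName) -eq $TargetSid) {
            $hits.Add([pscustomobject]@{
                Computer = $env:COMPUTERNAME; Kind = 'Service'
                Name = $svc.Name; RunAs = $svc.StartName; State = $svc.State
            })
        }
    }

    # Scheduled tasks: Principal.UserId is the run-as account; it may be a bare name,
    # DOMAIN\name, or a SID string for tasks registered against a well-known principal.
    foreach ($task in Get-ScheduledTask) {
        $runAs = $task.Principal.UserId
        if ((Resolve-AccountSid $runAs) -eq $TargetSid) {
            $hits.Add([pscustomobject]@{
                Computer = $env:COMPUTERNAME; Kind = 'ScheduledTask'
                Name = "$($task.TaskPath)$($task.TaskName)"; RunAs = $runAs; State = $task.State
            })
        }
    }
    $hits
}

# Fan out to every computer; unreachable hosts are collected instead of aborting the run.
$unreachable = @()
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan -ArgumentList $targetSid `
                          -ErrorAction SilentlyContinue -ErrorVariable unreachable

$results | Select-Object Computer, Kind, Name, RunAs, State | Sort-Object Computer, Kind, Name |
    Export-Csv -Path $OutFile -NoTypeInformation -Delimiter ';' -Encoding UTF8

"$(@($results).Count) service/task entries run as the built-in Administrator; $(@($unreachable).Count) hosts could not be reached."
$unreachable | ForEach-Object { Write-Warning $_ }
```

Run it from a management host with a list of computers, or with no arguments to scan every enabled computer object in the domain. Because the run-as account is read from the configuration, a task that fires once a week is found even if it has not run yet; the list of unreachable hosts is the part that still needs attention, since an offline or firewalled machine is exactly where a stale credential tends to survive.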

matteu31400 answered

Unfortunately this would only work if the account is actually connected on some computer.
When it's a scheduled task that runs for 2 min and this utility is not launched, I will not be able to identify it.

I need to change the password of the domain admin account, but I'm sure this account is used on several computers...
Events in Security are not so easy to use. I'm not sure which event to use: 4624, 4768, 4769... All seem to have some information about connections.


matteu31400 answered

The PowerShell query is used only to know if the account is used as a service account, and not the other possibilities.
The only centralized information about connections is the event viewer.
I need to do some tests with a mapped drive / scheduled task / service account to see which event ID is the best one to use.


matteu31400 answered FanFan-MSFT commented

For now, I do this:

 # event 4769: Kerberos service ticket requested (logged on the domain controllers)
 $query = @"
 <QueryList>
   <Query Id="0" Path="Security">
     <Select Path="Security">*[System[(EventID=4769)]]</Select>
   </Query>
 </QueryList>
 "@
 # note: the closing "@ of a here-string must start in column 1 when the script is saved

 # event data positions for 4769: 0 = TargetUserName (recorded as user@REALM), 1 = TargetDomainName,
 # 2 = ServiceName (the service/SPN the ticket was issued for), 6 = IpAddress of the requesting host
 $param = @(
     @{label="Date";expression={$_.TimeCreated}},
     @{label="Domain";expression={$_.Properties[1].Value}},
     @{label="ServerName";expression={$_.Properties[2].Value}},
     @{label="IP";expression={$_.Properties[6].Value}},
     @{label="User";expression={$_.Properties[0].Value}}
 )

 # 4769 stores the account as user@REALM, so compare only the part before the "@"
 Get-WinEvent -FilterXml $query |
     Where-Object { ($_.Properties[0].Value -split '@')[0] -eq "testadmin" } |
     Select-Object $param |
     Export-Csv c:\test.csv -NoTypeInformation -Delimiter ";" -Encoding UTF8

and

 # event 4768: Kerberos TGT requested (logged on the domain controllers)
 $query = @"
 <QueryList>
   <Query Id="0" Path="Security">
     <Select Path="Security">*[System[(EventID=4768)]]</Select>
   </Query>
 </QueryList>
 "@
 # note: the closing "@ of a here-string must start in column 1 when the script is saved

 # event data positions for 4768: 0 = TargetUserName, 1 = TargetDomainName,
 # 9 = IpAddress of the host that requested the TGT (labelled "Server IP" below)
 $param = @(
     @{label="Date";expression={$_.TimeCreated}},
     @{label="Domain";expression={$_.Properties[1].Value}},
     @{label="Server IP";expression={$_.Properties[9].Value}},
     @{label="User";expression={$_.Properties[0].Value}}
 )

 # writes to the same c:\test.csv as the 4769 query, so run them separately or change the file name
 Get-WinEvent -FilterXml $query |
     Where-Object { $_.Properties[0].Value -eq "testadmin" } |
     Select-Object $param |
     Export-Csv c:\test.csv -NoTypeInformation -Delimiter ";" -Encoding UTF8
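The two queries above each read one event ID from the local log and write to the same file. The following script is an added example, not part of the original post: it collects 4768 (TGT) and 4769 (service ticket) events for one account from every domain controller in one pass and summarises the distinct source addresses that requested tickets, which is the list of hosts where the account is actually being used. It handles the two details the per-event-ID queries must get right: the requester's IP address sits at index 9 in 4768 but at index 6 in 4769, and 4769 records the account as user@REALM. It assumes you can read the Security log on the domain controllers remotely and that the RSAT ActiveDirectory module is installed; the output path is a made-up value.

```powershell
# Added example (not from the original post): Kerberos ticket requests for one account,
# gathered from all domain controllers and summarised per source address.
# Assumptions: remote read access to the DCs' Security logs, RSAT AD module present.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'testadmin' as in the queries above
    [int]$Days = 14,
    [string]$OutFile = 'C:\temp\kerberos-sources.csv'   # constructed path
)

$since = (Get-Date).AddDays(-$Days)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Event-data layout: where TargetUserName and IpAddress sit for each event ID.
$layout = @{
    4768 = @{ User = 0; Ip = 9 }   # TGT request: TargetUserName(0), ..., IpAddress(9)
    4769 = @{ User = 0; Ip = 6 }   # service ticket: TargetUserName(0), ServiceName(2), ..., IpAddress(6)
}

$rows = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -ErrorVariable err `
                  -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $since }
    # "No events were found" also surfaces as an error; only warn about real failures.
    foreach ($e in $err) { if ($e.Exception.Message -notmatch 'No events') { Write-Warning "$dc : $e" } }

    foreach ($ev in $events) {
        $pos  = $layout[$ev.Id]
        $user = ($ev.Properties[$pos.User].Value -split '@')[0]   # drop @REALM on 4769
        if ($user -ne $SamAccountName) { continue }                 # -ne is case-insensitive
        $service = if ($ev.Id -eq 4769) { $ev.Properties[2].Value } else { 'krbtgt' }
        [pscustomobject]@{
            Time     = $ev.TimeCreated
            DC       = $dc
            EventId  = $ev.Id
            Service  = $service
            SourceIp = $ev.Properties[$pos.Ip].Value -replace '^::ffff:', ''   # IPv4-mapped IPv6 form
        }
    }
}

# One line per source address: how often, over what period, and which services were targeted.
$summary = $rows | Group-Object SourceIp | ForEach-Object {
    $name  = try { [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { '(unresolved)' }
    $times = $_.Group.Time | Sort-Object
    [pscustomobject]@{
        SourceIp  = $_.Name
        Host      = $name
        Requests  = $_.Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
        Services  = (($_.Group.Service | Sort-Object -Unique) -join ', ')
    }
}

$summary | Sort-Object Requests -Descending | Format-Table -AutoSize
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Delimiter ';' -Encoding UTF8
```

The DC-side events only tell you which address asked for a ticket; to tell a scheduled task from a service on the host itself, look at 4624 on that host, where Logon Type 4 (Batch) is a scheduled task and Logon Type 5 (Service) is a service start. Keep the retention window in mind when choosing `$Days`: a job that runs monthly will not appear in a two-week capture.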


FanFan-MSFT commented:

Hi,
Apart from the events, the following script is for your reference:
https://stackoverflow.com/questions/35255044/how-to-find-all-computers-a-user-is-logged-into

This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

Best Regards,
