Kaseya Community

Detect new domain admin accounts

  • Domain Admins Check step 1.txt
    I put together a script yesterday that will check for any new domain admin accounts added since the script was last run, and then send an e-mail alert if any are found. I didn't find anything like this on the forum yet so I figured I would share, I hope I didn't reinvent the wheel or anything. I know you can track this using the Security event log, but I didn't want to enable logging of all successful events for my DCs in Kaseya.

    Import the step 1 and step 2 scripts from the attached txt files, and then in step 2 change the e-mail address to whatever you want. Rename the admincheck.txt file to admincheck.vbs and put it in the root of your managed files folder.

    The way I have the script set up is that it first checks to see if a "base file" with a list of domain admins on the server exists. If it doesn't, it just creates the file c:\admins_old.txt and finishes. If that file already exists then it dumps a current list of domain admins into the file c:\admins_new.txt, and then uses the vbs script to compare the two files. If there are any new accounts added it lists them in c:\admins_diff.txt, deletes the existing admins_old file and renames admins_new to admins_old.

    The second script is then called which checks the admins_diff.txt file to see if it contains the string CN=, and if it does, it gets the contents of the file, and sends it to the e-mail address specified. If it doesn't detect anything, it writes a script log entry stating that no new accounts were found.

    This script will only detect new accounts, it won't see accounts that are deleted. I assume you could swap the file names in the vbs script and then it might, if you were concerned about that. You can also edit the first script to change the group name to anything else you might want to track.

    Legacy Forum Name: Detect new domain admin accounts,
    Legacy Posted By Username: kcears
  • Domain Admins Check step 2.txt
    Attachment refers to previous post.

    Legacy Forum Name: Detect new domain admin accounts,
    Legacy Posted By Username: kcears
  • admincheck.txt
    Attachment refers to previous post.

    Legacy Forum Name: Detect new domain admin accounts,
    Legacy Posted By Username: kcears
  • You can look for specific events without having an alert on every information event.

    For example: I do this with the event that shows the event log service started, so I know when a server was rebooted.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: jasonb
  • jasonb
    You can look for specific events without having an alert on every information event.

    For example: I do this with the event that shows the event log service started, so I know when a server was rebooted.


    I know you don't have to receive an alert on every informational event, but you do have to capture it, which is just going to add unnecessary size to the database.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: kcears
  • I ran this on a 2k8 DC - it would find the new domain admin accounts, however it would not recognize them as being new accounts.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: mwhite
  • Anyone have an updated script for K2?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: thirteentwenty
  • Procedure_Domain_Admin_Check_step_1.xml
    Here are the scripts after I converted our server to K2. It should be possible to put them into a single script now since we can do nested IFs, but I don't have time to bother with it.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: kcears
  • Procedure_Domain_Admin_Check_step_2.xml
    Attachment refers to previous post.

    Legacy Forum Name: ,
    Legacy Posted By Username: kcears
  • kcears
    Here are the scripts after I converted our server to K2. It should be possible to put them into a single script now since we can do nested IFs, but I don't have time to bother with it.


    Thanks a million, I'll give it a go...

    Might be worth noting that the script isn't turn key. Anyone getting this script should grab the .vbs file attached to the original post, and in step 2 the email address should be changed.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: thirteentwenty
  • I don't see the need for a VBS script since you can do a comparison of two files and raise an alarm if they differ by using the Get File command...


    Script Name: Domain Admins
    Script Description: Gets the domain admins from a domain controller and raises an alarm if this changes.

    IF Test File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Exists :
    THEN
    Execute Shell Command
    Parameter 1 : dsquery group -name "Domain Admins" | dsget group -members > #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Parameter 2 : 1
    OS Type : 0
    Get File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Parameter 2 : domain-admins.txt
    Parameter 3 : 0
    OS Type : 0
    ELSE
    Execute Shell Command
    Parameter 1 : dsquery group -name "Domain Admins" | dsget group -members > #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Parameter 2 : 1
    OS Type : 0
    Get File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Parameter 2 : domain-admins.txt
    Parameter 3 : 1
    OS Type : 0


    Andrew

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: andrew.doull@computer-care.com.au
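The two approaches in this thread (the baseline/diff script in the first post, and Andrew's "alert if the dumped file changed" procedure) differ in what the alert tells you. The block below is an added example, not code from the thread or from Kaseya: a Python replacement for the VBS compare step that parses two dumps in the shape `dsget group -members` writes (assumed here: one double-quoted DN per line and a trailing "dsget succeeded" status line), reports added and removed members by name, ignores line order so a reordered dump is not a false alert, and keeps the first post's baseline rotation (first run records the baseline, later runs compare and then replace it). Note that the dump must overwrite the file (`>`), not append (`>>`), or every run looks like a change. File names, the sample DNs and the exit codes are constructed for the example.

```python
"""Report membership changes of a directory group from two dsget-style dumps.

Added example (not from the forum thread). Assumes the dump format of
`dsget group -members`: one double-quoted DN per line, then a status line.
"""
import re
import sys
from pathlib import Path

# dsget/dsquery print a status line after the data; it is not a member.
STATUS_LINE = re.compile(r"^ds(get|query)\s+(succeeded|failed)", re.IGNORECASE)


def parse_members(text: str) -> set[str]:
    """Return the set of member DNs in a dsget-style listing.

    Blank lines, the status line and the double quotes dsget puts around
    each DN are dropped; anything that does not start with CN= is ignored.
    """
    members = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or STATUS_LINE.match(line):
            continue
        line = line.strip('"')
        if line.upper().startswith("CN="):
            members.add(line)
    return members


def compare_members(old_text: str, new_text: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) DNs between an old and a new dump.

    Set comparison ignores line order, so a reordered dump does not raise a
    false alert the way a byte-for-byte file comparison would.
    """
    old, new = parse_members(old_text), parse_members(new_text)
    return sorted(new - old), sorted(old - new)


def format_report(group: str, added: list[str], removed: list[str]) -> str:
    """Build the alert body; an empty string means membership is unchanged."""
    if not added and not removed:
        return ""
    lines = [f"Membership of '{group}' changed:"]
    lines += [f"  ADDED:   {dn}" for dn in added]
    lines += [f"  REMOVED: {dn}" for dn in removed]
    return "\n".join(lines)


def check_and_rotate(baseline: Path, current_text: str,
                     group: str = "Domain Admins") -> str:
    """Baseline rotation from the first post: the first run only records the
    baseline and reports nothing; later runs compare against it and then the
    current dump becomes the new baseline. Returns the alert text or ""."""
    if not baseline.exists():
        baseline.write_text(current_text, encoding="utf-8")
        return ""
    added, removed = compare_members(baseline.read_text(encoding="utf-8"), current_text)
    baseline.write_text(current_text, encoding="utf-8")
    return format_report(group, added, removed)


# Constructed sample dumps (hypothetical domain example.local), in the
# assumed dsget output shape, for trying the functions without a DC.
OLD_DUMP = (
    '"CN=Administrator,CN=Users,DC=example,DC=local"\n'
    '"CN=Jane Doe,OU=IT,DC=example,DC=local"\n'
    "dsget succeeded\n"
)
NEW_DUMP = (
    '"CN=Administrator,CN=Users,DC=example,DC=local"\n'
    '"CN=Jane Doe,OU=IT,DC=example,DC=local"\n'
    '"CN=svc backup,OU=Service Accounts,DC=example,DC=local"\n'
    "dsget succeeded\n"
)


def main(argv: list[str]) -> int:
    """Usage: admincheck.py BASELINE_FILE CURRENT_DUMP_FILE
    Exit 2 when membership changed (so a wrapper can alert on it), 0 otherwise."""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 1
    report = check_and_rotate(Path(argv[1]), Path(argv[2]).read_text(encoding="utf-8"))
    if report:
        print(report)
        return 2
    print("No membership change detected.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python admincheck.py c:\admins_old.txt c:\admins_new.txt` after the dump step; the non-zero exit code or the printed report is what the e-mail step keys on, and the report names each account rather than only saying that the file changed.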
  • [QUOTE=andrew.doull@computer-care.com.au;57875]I don't see the need for a VBS script since you can do a comparison of two files and raise an alarm if they differ by using the Get File command...


    Script Name: Domain Admins
    Script Description: Gets the domain admins from a domain controller and raises an alarm if this changes.

    IF Test File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Exists :
    THEN
    Execute Shell Command
    Parameter 1 : dsquery group -name "Domain Admins" | dsget group -members > #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Parameter 2 : 1
    OS Type : 0
    Get File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Parameter 2 : domain-admins.txt
    Parameter 3 : 0
    OS Type : 0
    ELSE
    Execute Shell Command
    Parameter 1 : dsquery group -name "Domain Admins" | dsget group -members > #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Parameter 2 : 1
    OS Type : 0
    Get File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\domain-admins.txt
    Parameter 2 : domain-admins.txt
    Parameter 3 : 1
    OS Type : 0


    Andrew[/QUOTE]

    I used the VBS because it tells my techs exactly which account is new in the e-mail it sends to our NOC, not just that something changed.

    Thanks for making that point about the VBS and e-mail address thirteentwenty.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: kcears