“Poor man” monitoring of creation/enablement and addition and removal to/from security group of an account in Active Directory (part 1)

If you want to implement “poor man” monitoring of important events that can happen in your Active Directory like – creation of an user or in case if someone enables or disables an user account or if user is added to a security group (for example in domain admins) you can do it by using out-of-the box solutions that Windows Server provides.

Without touching any additional auditing (by using Group policy or Local policy) you can simply attach a task to events:

Event ID: 4720 – A user account was created.
Event ID: 4722 – A user account was enabled.
Event ID: 4725 – A user account was disabled.
Event ID: 4728 – A member was added to a security-enabled global group.

I find these events very important because if they are not triggered by an intentional creation / modification of an user in Active Directory it might mean that someone is making some unwanted and potentially dangerous changes (and we all know how devastating for our infrastructure can be if privileges escalate to Domain admins level).

So let’s use out-of-the box solutions to get information if such event happens.
We will use:
Event Viewer and the option to trigger an action of out the event id by using Task Scheduler and some Powershell scripting to get alert e-mailed to administrator.

On DC I have created a folder on c:\ps in which I have placed PS1 script called: NewUser.PS1
In the script I have some lines that parse newly created Event with ID 4720.

$EventMessage = get-winevent -FilterHashtable @{Logname=’Security’;ID=4720} -MaxEvents 1 | fl TimeCreated, Message
$eventmessagetstring = $EventMessage | Out-String
$EventMessageAccountNameTextAdmin = $EventMessagetstring | Select-String -Pattern “Subject:\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+” -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
$EventMessageAccountNameTextNewUser = $EventMessagetstring | Select-String -Pattern “New Account:\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+” -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
$EmailTo = “me@domain.com”
$EmailFrom = “alert@domain.com”
$Subject = “New user in Active Directory!”
$Body = “New user created by: `n $EventMessageAccountNameTextAdmin `n `n `n New user username: `n $EventMessageAccountNameTextNewUser”
$SMTPServer = “YourSMTPServer”
$SMTPMessage = New-Object System.Net.Mail.MailMessage($EmailFrom,$EmailTo,$Subject,$Body)
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25)
$SMTPClient.Send($SMTPMessage)

This script is saved.

After that we run Task Scheduler and create new Basic task where Trigger is When a specific event is logged on next screen we chose as Log: Security then Source: Microsoft Windows security auditing. and we insert Event ID: 4720.

After that we need to chose Action
: Start a program as Program/script: Powershell and in Add arguments (optional): -ExecutionPolicy ByPass -File c:\ps\NewUser.ps1

on Finish screen we can check checkbox Open the Properties dialog …

On
General tab of task properties we can chose radio button: Run whether user is logged on or not and then checkbox Do not store password. The task will only have access to local computer resources.

If you try to create new user in AD in couple of seconds you should receive e-mail with alert where you get the user that created new user in AD and the actual username of the newly created user.

new user

In the video you can check the tasks described above.

 

2 thoughts on ““Poor man” monitoring of creation/enablement and addition and removal to/from security group of an account in Active Directory (part 1)

  1. Pingback: “Poor man” monitoring of creation/enablement and addition and removal to/from security group of an account in Active Directory (part 2) | Luka Manojlovic

  2. Pingback: Event Viewer / Event Forwarding / Source initiated forwarding? Let’s remove the dust … | Luka Manojlovic

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.