Next step is to monitor addition and/or removal of user to/from security group – in this example I will show that alert is triggered when user is added to domain admins security group.
The script is a bit modified so it covers the user that added another user to a security group, a user that was added to a security group and which group user was added to.
$Body = “User was added to group by: `n $EventMessageAccountNameTextAdmin `n `n `n User that was added to securty group: `n $EventMessageAccountNameTextUser `n `n `n Security group user was added to: `n $EventMessageAccountNameTextGroup”
If you want to implement “poor man” monitoring of important events that can happen in your Active Directory like – creation of an user or in case if someone enables or disables an user account or if user is added to a security group (for example in domain admins) you can do it by using out-of-the box solutions that Windows Server provides.
Without touching any additional auditing (by using Group policy or Local policy) you can simply attach a task to events:
Event ID: 4720 – A user account was created. Event ID: 4722 – A user account was enabled. Event ID: 4725 – A user account was disabled. Event ID: 4728 – A member was added to a security-enabled global group.
I find these events very important because if they are not triggered by an intentional creation / modification of an user in Active Directory it might mean that someone is making some unwanted and potentially dangerous changes (and we all know how devastating for our infrastructure can be if privileges escalate to Domain admins level).
So let’s use out-of-the box solutions to get information if such event happens.
We will use: Event Viewer and the option to trigger an action of out the event id by using Task Scheduler and some Powershell scripting to get alert e-mailed to administrator.
On DC I have created a folder on c:\ps in which I have placed PS1 script called: NewUser.PS1
In the script I have some lines that parse newly created Event with ID 4720.
After that we run Task Scheduler and create new Basic task where Trigger is When a specific event is logged on next screen we chose as Log: Security then Source: Microsoft Windows security auditing. and we insert Event ID: 4720.
After that we need to chose Action: Start a programas Program/script: Powershell and in Add arguments (optional): -ExecutionPolicy ByPass -File c:\ps\NewUser.ps1
on Finish screen we can check checkbox Open the Properties dialog …
OnGeneraltab of task properties we can chose radio button:Run whether user is logged on or not and then checkboxDo not store password. The task will only have access to local computer resources.
If you try to create new user in AD in couple of seconds you should receive e-mail with alert where you get the user that created new user in AD and the actual username of the newly created user.
In the video you can check the tasks described above.
Today I wanted to update all serial numbers (to make sure that are written in YYYYMMDD00 way) on my primary DNS zones on my Windows server 2019 DNS server.
This is the script to do this massive change – by using this script anyone can modify any parameters in DNS.
Just for fun I tried to establish a mechanism that will allow me to get information for failed logon attempt on Outlook Web Access (OWA).
If you open event viewer on your CAS server (where OWA is located) you can find out that failed requests are logged with Event ID 4625.
In general information you can find interesting things like – username which was used and IPv4 or IPv6 address from where the attempt was made.
All you need to do is to Attach task to this event
As all other actions are deprecated you should use the option to Start a program – here we will run a Powershell script to do the job.
We need to create a PS1 (powershell script) with content:
I would like to help you setting up LAPS in your environment – just follow this simple guide how to do it and say “bye bye” to not-secure fixed local administrators passwords.
Download LAPS.x64.msi on your Active Directory domain controller and install it – add also Management Tools that are not selected by default:
After installing it open Powershell on your DC, import Powershell module for LAPS, update AD Schema for LAPS (you need to be schema admin!), define OU where computers / servers that will be under LAPS management are, define user or group that will have privilege to read and reset password for client or server:
Create group policy object on clients / servers OU (in my case with name LAPS) in which you will configure settings and deploy client on machines (yes, the MSI package that was installed on DC needs to be installed on workstations and servers too – the simplest way to do it is by using software deployment in group policy.
Reboot your clients or use gpupdate /force to apply group policy settings and installation of the package.
If everything was installed and applied correctly you should see the installed package in programs on client workstation or server:
On your AD server you can now check password by using Powershell or by using LAPS GUI:
Get-AdmPwdPassword -ComputerName w10 -Verbose
LAPS is great, simple and adds some more security in your environment.
As I noted in my previous article Let’s Encrypt started to issue wildcard certificates – and now for me it is a right time to automate the whole process of renewal and binding – and I am using Let’s Encrypt certificates also for my RD Gateway servers (some of them stand-alone without other TS/RD roles).
So how to get from PFX certificate “package” (before retrived from Let’s Encrypt) to a fully functional RDGateway?
Be careful with providing password for certificate import – Inserting passwords into scripts is not a good idea! – here I have inserted it in souch way just for an example:
Then we need to import certificate in LocalMachine certificate store and save its Thumbprint into a variable $Thumbprint that we will use later to bind it to TS/RDGateway
