3

I have a user I need to audit. This single user is used by a bunch of services/software among other things to run. My job is to figure out everything that is tied to this user and then create new usernames in Active Directory so we can disable that one user.

I have a handful of servers I need to do this check on for that specific user. I am not really sure where or how to start doing this - most of my searches have not been very helpful.

1.) Need to audit all my servers for the usage of a user.

2.) Need to know every service/software/backup/thing that uses the account to run.

I am new to this but it looks like I am going to have to figure out how to do this by using PowerShell - I have not seen any audit type tools on the servers.

Thank you for any help you can provide.

Kind regards.

  • 1
    I have not quite figured this out, but I am on a good path to do so. A couple of tools I found that have been helpful: http://www.cjwdev.com/Software/ServiceCredMan/Info.html I got the free version of cjwdev - service credential manager tool. This link also really helped: https://gallery.technet.microsoft.com/scriptcenter/How-to-Clear-Printing-21d59516 It is a PowerShell script that allows you to search for all services run by a user in your AD. – Chuck Coggins III Feb 21 '19 at 12:53

2 Answers

2

Event 4624 on the DCs captures where the account is being logged on, and what logon type it is (interactive, network, etc.), which should at least help narrow down where scheduled tasks or logons are firing off. Then you need to do your analysis per computer.

If you don't have a SIEM tool like Splunk or a security analysis tool like Netwrix Defender that can capture logs off all DCs (and even better, all computers), one thing you can do is use the Event Log Collector service to set up subscriptions to forward specific log events from all the DCs to a collector server.

There are third party Windows sysloggers that can do a similar thing.

To target a specific account logon event, you can use this XPath filter:

 <QueryList>
   <Query Id="0" Path="Security">
     <Select Path="Security">
       *[System[(EventID='4624')]
       and
       EventData[Data[@Name='TargetUserName']='My_BadAcct']]
     </Select>
   </Query>
 </QueryList>

Another, cruder, method might be to do an Event Viewer Task in Task Scheduler on each DC, using the event filter above as a trigger to fire off a PowerShell script to do something like log the event details into a text file. There's a brief example here (last item) on how to capture event details and pass them through as variables to the script.

On a procedural note, if you think you've found nearly all of the places where the account is used, but are having real issues identifying the last one, the easiest thing to do is simply disable the account. The calls to IT support will quickly resolve who needs it. (Known as the "scream test".)

In the event you're still getting "mystery" logon attempts to the disabled account and no-one gets in touch quickly, it's best to leave it disabled for at least a year, in case it's the account that runs the end-of-year financial reports. Or half a year, if you're using the standard retention time in your AD Recycle Bin.

LeeM
  • 1,388
  • 9
  • 14
  • Thank you for your reply. I have been unable to figure out how to do this so that is why it has taken me so long to respond. I have been able to figure out what services are currently being used by the Admin account, but I cannot figure out how to create a script that will check to see what software on our servers is being used/run as the admin. The big problem is I am new to all of this and this was my first real big task. – Chuck Coggins III Feb 20 '19 at 21:11
  • 1
    It's difficult enough for those of us who've been in the game for 20 years, if you don't have the kind of enterprise tools to help you do it. At least, once you've identified where the logons are coming from, you can then check the applicable servers for services running as the account or scheduled tasks. You can also do Get-Process to identify what processes are running as the user. Start with the low-hanging fruit like Services and Scheduled Tasks, then if you're still getting logon events from the box, you can delve further. – LeeM Feb 20 '19 at 22:55
  • 1
    Also, if you've only got a few DCs, there's nothing wrong with inspecting the DC security logs manually for the logon events. Just make sure the logs are large enough (or you're archiving them) so that they don't wrap before you have a chance to check them. You can use that filter I provided as a log "view". – LeeM Feb 20 '19 at 22:58
  • 1
    Thank you for all your help! I will keep picking away at it manually - luckily the system is not super huge. It is going to take some time, but I am figuring it out little by little. I really do appreciate the words of wisdom! – Chuck Coggins III Feb 21 '19 at 12:48
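The approach in this answer, turned into a script, as an added example that is not code from the answer or from any tool it mentions: it runs the answer's 4624 XPath filter against the Security log of each listed computer (the DCs, or the member servers themselves once you know which ones to look at) and summarises who logs the audited account on, from where, and with which logon type. The computer names, the 30-day window and the `Get-AccountLogon` function name are assumptions; the script assumes the caller can read the Security log remotely (Event Log Readers or local admin) and that `$TargetUser` is the sAMAccountName exactly as 4624 records it.

```powershell
# Added example, not code from the original answer. Placeholder names below.
param(
    [string[]]$Computers  = @('DC01', 'DC02'),   # DCs, or the member servers themselves
    [string]  $TargetUser = 'My_BadAcct',        # account under audit (name used in the answer)
    [int]     $Days       = 30                   # how far back to look
)

# Windows event XPath understands timediff() in milliseconds; the extra clause keeps the
# query from reading the whole log on a busy DC. '<' must be written as &lt; inside XML.
$windowMs  = [int64]$Days * 86400000
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]
      and EventData[Data[@Name='TargetUserName']='$TargetUser']]
    </Select>
  </Query>
</QueryList>
"@

# Logon types, as the answer notes, are what tell a service or scheduled task apart
# from a person at a keyboard.
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch (scheduled task)'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}

function Get-AccountLogon {
    param([string]$Computer)
    try {
        $events = Get-WinEvent -ComputerName $Computer -FilterXml $filterXml -ErrorAction Stop
    } catch {
        # Get-WinEvent reports an empty result set as an error; treat that as "nothing found".
        if ($_.Exception.Message -notlike 'No events were found*') {
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
        return
    }
    foreach ($e in $events) {
        # Read the EventData fields by name rather than by positional index.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $type     = [int]$data['LogonType']
        $typeName = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { "$type" }
        [pscustomobject]@{
            LoggedOnAt    = $Computer              # host whose log recorded the logon
            Time          = $e.TimeCreated
            LogonType     = $typeName
            Workstation   = $data['WorkstationName']  # where the logon request came from
            SourceAddress = $data['IpAddress']
            LogonProcess  = $data['ProcessName']
        }
    }
}

$logons = foreach ($c in $Computers) { Get-AccountLogon -Computer $c }

# Which hosts log the account on, from which workstations, and how: the list to inspect next.
$logons | Group-Object LoggedOnAt, Workstation, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$logons | Export-Csv -NoTypeInformation -Path ".\$TargetUser-4624.csv"
```

Read the summary as a map: a type 3 (network) logon on a DC whose `Workstation` or `SourceAddress` is a member server points at that server as the consumer, while the type 4 (batch) and type 5 (service) logons that identify a specific task or service are written to that member server's own Security log, so once the DC results name the hosts, rerun the script with `$Computers` set to those servers.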
2

You can audit user logons in AD with PowerShell, and then you could script a for loop to loop through a list of servers and export out all of the scheduled tasks like they show here. While you are at it, I would recommend documenting everything, not just that particular user, so that in the event that you leave, it will be easier for the next administrator as well.

Brad
  • 250
  • 1
  • 11
  • Thank you for your reply! I have been able to get a list of all the services run as the user admin, I have also been able to get a list of all the servers admin logs into. I am still unable to figure out how to get a list of all the software that runs as the admin user. – Chuck Coggins III Feb 20 '19 at 21:15
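The per-server loop this answer describes, extended to the three places the comments above say to look (services, scheduled tasks and running processes), as an added example that is not code from the answer or from the linked script: it walks a list of servers, keeps every service, task and process whose logon account is the one under audit, and exports the result to CSV for the documentation the answer recommends. The server names, the `CONTOSO\svc_legacy` account and the `Find-AccountUsage` function name are assumptions; the script assumes WinRM is reachable for `Get-CimInstance` (use a DCOM `New-CimSession` for servers without it) and that the caller may query services, tasks and processes on each host.

```powershell
# Added example, not code from the original answers. Placeholder names below.
param(
    [string[]]$Servers = @('SRV01', 'SRV02'),
    [string]  $Account = 'CONTOSO\svc_legacy'     # DOMAIN\user form
)

$sam = $Account.Split('\')[-1]
# Matches 'DOMAIN\user', '.\user', 'user@domain' and a bare 'user', the forms the
# Service Control Manager and schtasks record.
$pattern = '(^|\\)' + [regex]::Escape($sam) + '($|@)'

function Find-AccountUsage {
    param([string]$Server)

    # 1. Services: StartName is the logon account configured for the service.
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $Server -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Server = $Server; Kind = 'Service'; Name = $_.Name; Detail = $_.PathName }
            }
    } catch { Write-Warning "$Server services: $($_.Exception.Message)" }

    # 2. Scheduled tasks: the verbose CSV output carries a 'Run As User' column.
    $csv = schtasks.exe /Query /S $Server /V /FO CSV 2>$null
    if ($LASTEXITCODE -eq 0 -and $csv) {
        $csv | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Server = $Server; Kind = 'ScheduledTask'; Name = $_.TaskName; Detail = $_.'Task To Run' }
            }
    } else { Write-Warning "$Server tasks: schtasks /Query failed" }

    # 3. Processes running right now as the account: software started by hand, by
    #    another task, or by a launcher of its own that neither list above shows.
    try {
        Get-CimInstance -ClassName Win32_Process -ComputerName $Server -ErrorAction Stop | ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            if ($owner.ReturnValue -eq 0 -and $owner.User -eq $sam) {
                [pscustomobject]@{ Server = $Server; Kind = 'Process'; Name = $_.Name; Detail = $_.CommandLine }
            }
        }
    } catch { Write-Warning "$Server processes: $($_.Exception.Message)" }
}

$findings = foreach ($s in $Servers) { Find-AccountUsage -Server $s }
$findings | Sort-Object Server, Kind, Name | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path ".\$sam-usage.csv"
```

The process pass is a snapshot, so run it more than once (and at the times the 4624 events cluster) before trusting its absence of hits; anything that stores the password inside its own configuration rather than in a service or task definition will still only surface through the logon events or the "scream test" from the other answer.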