A common question in an audit of information resources is whether or not accounts for users are being properly managed. One aspect of that is determining whether or not the accounts created are needed while another is looking for evidence that accounts for terminated users are being disabled or deleted in a timely fashion. An easy way to answer both of these questions is through the use of Active Directory queries! This screencast demonstrates exactly how to do just that.
While it's true that the information that we're looking for can be obtained directly from the Active Directory using tools like DSQuery and DSGet, in the long term I think it's far wiser to learn a little bit of basic scripting that will allow you to perform just about any kind of query you'd ever want to in Active Directory, even if your admins have customized the Active Directory Schema!
Learning to write Powershell scripts, though, can seem daunting. Not only will we have to face the differences between different versions of Powershell and the .NET requirements that sometimes lead to software conflicts when we're still using some legacy code, but some Powershell scripts just look downright confusing! Not to worry.
Rather than trying to learn everything that there is to know about Powershell and directory queries, there's a great deal of value in learning some basic "recipes" that can be used to extract useful data using a script. Once we've got a good handle on the recipe, it's much easier to just adjust the "ingredients", if you will, to get at what we're looking for.
In the various classes that I teach for Auditors, whenever there's an opportunity to do so, I strongly recommend that auditors take some time to learn some basic scripting. This screencast is a perfect example. Once you've got a few of the basics in the script, you can easily modify the script to look for just about anything you'd want to. Not only that, you can make those modifications without ever really getting a deep understanding of exactly what an Active Directory Search object is and how it works!
To get you started, I've included the source code written in the screencast that goes with this posting. This code will determine your current domain and then extract all objects that are of class "User" (which includes computers, by the way) and give you CSV format output of the fully distinguished name, the SAM account name and the date of the last logon. To use this code, just create a new Powershell script file as described in the screencast and have at it!
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
$ADSearch.PageSize = 100
$ADSearch.SearchScope = "subtree"
$ADSearch.SearchRoot = "LDAP://$Domain"$ADSearch.Filter = "(objectClass=user)"$ADSearch.PropertiesToLoad.Add("distinguishedName")
$ADSearch.PropertiesToLoad.Add("lastLogonTimeStamp")$userObjects = $ADSearch.FindAll()
foreach ($user in $userObjects)
$dn = $user.Properties.Item("distinguishedName")
$sam = $user.Properties.Item("sAMAccountName")
$logon = $user.Properties.Item("lastLogonTimeStamp")
if($logon.Count -eq 0)
$lastLogon = "Never"
$lastLogon = [DateTime]$logon
$lastLogon = $lastLogon.AddYears(1600)
David Hoelzer teaches several full week courses ranging from basic security through to advanced exploitation and penetration testing. For a thorough treatment of this specific issue and a discussion of controls to mitigate this and similar issues, consider attending thefull week course on Advanced System & Network Auditing. More information can be found here:AUD 507 course. AUD 507 gives both auditors and security professionals powerful tools to automate and manage security over time.