Wednesday, July 25, 2018

Audit basic events in Active Directory with Windows 2012.

I want to share a way to audit events in Active Directory with domain controllers running Windows 2012 and newer.
On servers running Windows 2012 and newer, a new method of collecting events, the "ForwardedEvents" log, became available. First, configure the collection of events on the dedicated server:
1. Create the policy "AuditFrw" and apply it to the OU "Domain Controllers":
Computer Configuration - Administrative Templates - Windows Components - Event Forwarding - Server=http://scr-server.blogspot.com:5985/wsman/SubscriptionManager/WEC,Refresh=120

Computer Configuration - Administrative Templates - Windows Components - Windows Remote Management (WinRM) - WinRM Service - Allow remote server management through WinRM - 1.1.1.0-1.1.1.50

Computer Configuration - Preferences - Control Panel Settings - Services - Service:WinRM - Start/Automatic(Delayed Start)

2. On the audit server scr-server.blogspot.com, create a subscription:
Event Viewer - Subscriptions - Create Subscription
- Name:Base-Audit-AD
- Type: Source computer initiated
- Computers: "Domain Controllers"
- Events: 4728,4732,4756,4729,4733,4757,4720,4726,4727,4731,4754,4730,4734,4758,4741,4725,4740




3. Create a scheduled task, for example: daily at 7 am, repeating every 12 hours,
and specify the script:

Download Script

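# Working directory of the audit job; every log folder below is relative to it.
$hf = "D:\Scripts\Audit"
# A failed 'cd' is a non-terminating error: the script would carry on in whatever
# directory the task started in and write the CSV files there. Abort instead.
Set-Location -LiteralPath $hf -ErrorAction Stop

# Look back half a day: the task repeats every 12 hours, so each run covers
# the window since the previous run.
$s_date = (Get-Date).AddDays(-0.5)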

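#######################################
# Translates a SID string into a DOMAIN\Name account name.
# Arguments: $sid - SID in string form (S-1-5-...), as carried in EventData
# Returns:   the NTAccount name, or $null when the SID is empty, malformed or
#            can no longer be resolved (e.g. the object was already deleted).
#            Callers treat $null as "fall back to the raw name in the event".
#######################################
function ResolveSID ($sid) {
    if ([string]::IsNullOrEmpty($sid)) { return $null }
    try {
        $objSID  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
        return $objUser.Value
    } catch {
        # Unresolvable SIDs are expected for deleted accounts and groups; return
        # $null quietly instead of writing an error for every such event.
        return $null
    }
}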


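#######################################
# Returns the text of one EventData field (<Data Name="...">) from an event
# that has already been parsed with [xml]$event.ToXml().
# Arguments: $eventXml  - parsed event XML
#            $fieldName - value of the Data element's Name attribute
#######################################
function Get-EventDataField ($eventXml, $fieldName) {
    $eventXml.Event.EventData.Data |
        Where-Object { $_.Name -eq $fieldName } |
        ForEach-Object { $_.'#text' }
}

#######################################
# Collects one set of forwarded events and writes them to a timestamped CSV.
# Globals:   $s_date (read) - start of the time window passed to Get-WinEvent
# Arguments: $ids     - event IDs to pull from the ForwardedEvents log
#            $folder  - sub-folder of .\Logs and file-name prefix
#            $columns - ordered map: CSV column -> one or two EventData field
#                       names. The first field is a SID that is resolved with
#                       ResolveSID; the optional second field is the raw text
#                       used when that SID no longer resolves (deleted objects).
# Outputs:   .\Logs\<folder>\<folder>_<timestamp>.csv; nothing is written when
#            there are no matching events (no empty or header-only files).
#######################################
function Write-AuditCsv ($ids, $folder, $columns) {
    # "No events were found" is the normal case for a quiet window, not an error.
    $events = Get-WinEvent -FilterHashTable @{LogName='ForwardedEvents'; StartTime=$s_date; ID=$ids} -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $logDir  = Join-Path '.\Logs' $folder
    $logTime = Get-Date -Format 'yyyy-MM-dd_HH-mm-ss'
    $logFile = Join-Path $logDir ("{0}_{1}.csv" -f $folder, $logTime)
    # The writer cannot create the folder itself; -Force is a no-op when it exists.
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null

    $rows = foreach ($ev in ($events | Sort-Object TimeCreated)) {
        $xml = [xml]$ev.ToXml()          # parse once per event, not once per column
        $row = [ordered]@{ TimeCreated = $ev.TimeCreated }
        foreach ($col in $columns.Keys) {
            $fields = @($columns[$col])
            $value  = ResolveSID (Get-EventDataField $xml $fields[0])
            if (-not $value -and $fields.Count -gt 1) {
                $value = Get-EventDataField $xml $fields[1]
            }
            $row[$col] = $value
        }
        [PSCustomObject]$row
    }
    # Export-Csv quotes every cell, so a group or user name that contains a
    # comma or a quote (chosen by whoever created the object) cannot shift the
    # columns of the audit record the way string concatenation did.
    # UTF8 keeps non-ASCII account names intact.
    $rows | Export-Csv -Path $logFile -NoTypeInformation -Encoding UTF8
}

# One entry per audited action: event IDs, log folder and CSV layout.
# Folder names are kept exactly as before (including "AddUserToGorup") so that
# anything already consuming these files keeps working.
$audit_sets = @(
    # member added to / removed from a security-enabled group
    @{ Ids = 4728,4732,4756; Folder = 'AddUserToGorup';   Columns = [ordered]@{ Group = 'TargetSid'; NewMember = 'MemberSid'; AddedBy = 'SubjectUserSid' } },
    @{ Ids = 4729,4733,4757; Folder = 'DelUserFromGroup'; Columns = [ordered]@{ Group = 'TargetSid'; DelMember = 'MemberSid'; DelBy = 'SubjectUserSid' } },
    # group created / deleted (deleted SIDs no longer resolve -> raw TargetUserName)
    @{ Ids = 4727,4731,4754; Folder = 'CreateGroup';      Columns = [ordered]@{ GroupName = 'TargetSid','TargetUserName'; AdminLogin = 'SubjectUserSid' } },
    @{ Ids = 4730,4734,4758; Folder = 'DelGroup';         Columns = [ordered]@{ GroupName = 'TargetSid','TargetUserName'; AdminLogin = 'SubjectUserSid' } },
    # user created / deleted / disabled
    @{ Ids = 4720;           Folder = 'CreateUser';       Columns = [ordered]@{ UserName = 'TargetSid','TargetUserName'; AdminLogin = 'SubjectUserSid' } },
    @{ Ids = 4726;           Folder = 'DelUser';          Columns = [ordered]@{ UserName = 'TargetSid','TargetUserName'; AdminLogin = 'SubjectUserSid' } },
    @{ Ids = 4725;           Folder = 'DisableUser';      Columns = [ordered]@{ UserName = 'TargetSid','TargetUserName'; AdminLogin = 'SubjectUserSid' } },
    # computer account created
    @{ Ids = 4741;           Folder = 'CreatePC';         Columns = [ordered]@{ PCName = 'TargetSid','TargetUserName'; AdminLogin = 'SubjectUserSid' } }
)

foreach ($set in $audit_sets) {
    Write-AuditCsv $set.Ids $set.Folder $set.Columns
}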