Gestion des comptes » Pages pratiques sur Active Directory

Comment vérifier l'historique des connexions de tous les utilisateurs dans Active Directory ?

Utilisez le script suivant pour lister les informations de connexion des utilisateurs AD, y compris les ordinateurs à partir desquels ils se sont connectés en inspectant les événements de demande TGT Kerberos (ID d’événement 4768) des contrôleurs de domaine. Vous pouvez également lister les utilisateurs qui se sont déjà connectés précédemment.

Définissez les paramètres suivants en fonction de vos besoins :

Événement max (MaxEvent) : Indiquez le nombre de tous les événements à rechercher pour TGT

Requêtes:La valeur par défaut est 1000.

Dernière connexion uniquement (LastLogonOnly):Afficher uniquement la liste des dernières connexions des utilisateurs.

Uniquement UO (OuOnly) :Ne pas afficher le chemin complet des utilisateurs/ordinateurs. Seule l’UO est affichée.

param( [switch]$LastLogonOnly,[switch]$OuOnly,[int]$MaxEvent=1000) requesting Kerberos TGT, skipping Exchange Health Mailbox request and extracting Users/Client names,IP Addresses #### $Domain = (Get-WmiObject Win32_Computersystem).domain $read_log={ Param ($MaxEvent,$OuOnly,$Domain)
## Define parameter to pass maxevent to scripblock
$EventInfo=Get-WinEvent -FilterHashTable
@{LogName="Security";ID=4768} -MaxEvents 200000 | select -first
$MaxEvent | where {$_.Message -notmatch "SM_" } | where { $_.Message -notmatch "\$" } |
select @{N="Authenticated DC";Exp={$_.MachineName}},
@{N="LoggedOn Time";Exp={$_.TimeCreated}},
@{N="User"; Exp={ $SplitAccountName=(($_.Message -Split "\n") -match
"Account Name") -split
':';$SplitAccountName[$SplitAccountName.Length-1].Trim() }},
@{N="User Location";Exp={}}, @{N="Workstation";Exp={}},
@{N="IP Address"; Exp={if((($_.Message -split "\n") -match "Client
Address:").Trim() -match "::1" ) {"localhost"}
else { $SplitClientAddress=(($_.Message -Split "\n") -match "Client
Address") -split ':'; $splitClientAddress[$splitClientAddress.Length-1].Trim() }}},
@{N="Computer Location";Exp={}}

$EventInfo | foreach {
$IPAddress=$_."Client Address"

if ($_."IP Address" -eq "localhost") {
$Client_Name=[system.net.dns]::GetHostbyName($env:computername).hostname }
else
{###### Resolve the PTR record to find AD computer information ################
#$Client_Name=(Resolve-DnsName $_."IP Address").NameHost
if ((Resolve-dnsname $_."IP Address" -Type PTR -TcpOnly -DnsOnly -ErrorAction "SilentlyContinue").Type -eq "PTR")
{
$Client_Name = (Resolve-dnsname $_."IP Address" -Type PTR -TcpOnly -DnsOnly).NameHost
}
else
{ $Client_Name = "NOT FOUND" }
} ## $_."Authenticated DC"=($_."Authenticated DC" -split "."+$Domain)[0]
##Uncomment this line if you want to strip off domain name in
"Authenticated DC" list
$user=$_.user
############# Find the User account in AD and if not found, throw an exception ###########
$Full_User_Property=0
Try ##
Need Try statement to test and supress error
{
$Full_User_Property = (Get-AdUser $_.user -Properties *)
$_."User Location" =
$Full_User_Property.CanonicalName.TrimStart($Domain).SubString(1)
} catch {}
## The $_."User Location" is not passed to catch statement and therefore needs another statement (mentioned below) to set value
If (!$Full_User_Property)
{ $_."User Location"="NOT FOUND" }
$Full_User_Property=0

If($OuOnly -AND ($_."User Location" -ne "NOT FOUND"))
{
$_."User Location"= $_."User Location".Remove($_."User Location".LastIndexOf("/"))
##Trim the last user nameif -OuOnly flag is set
}$_."Workstation"=($Client_Name -split "."+$Domain)[0] ## remove the domain suffix
########## Find the Computer account in AD and if not found, throw an exception ###########
$Full_Workstation_Property = 0
{
$Full_Workstation_Property = Get-AdComputer $_."Workstation" -Properties *
$_."Computer Location"=
$Full_Workstation_Property.CanonicalName.TrimStart($Domain).SubString(1)
}
catch
{}
########## Here the catch exception does not work in Invoke session. So we need to manually set the "NOT FOUND" value ######
If (!$Full_Workstation_Property)
{ $_."Computer Location" = "NOT FOUND"}
$Full_Workstation_Property=0

If ($OuOnly -AND ($_."Computer Location" -ne "NOT FOUND"))
##Trim the last computer if -OuOnly flag is set
{
$_."Computer Location"=$_."Computer
Location".Remove($_."Computer Location".LastIndexOf("/"))
}
Return $_
}
}

########### Job starts to query replica domain controllers #############
$result=@()
$RemoteJob=@()
## Make array of remote jobs

$DomainControllers = (Get-ADDomainController -Filter { isGlobalCatalog -eq $true -or isGlobalCatalog -eq $false}).Name
############### Start the Local Job and Remote Job to find the event id ################
$LocalJobExists=0
If ($DomainControllers -contains $(hostname))
## Check if the computer running the script is Domain Controller itself
{
$LocalJob = Start-Job -scriptblock $read_log -ArgumentList
$MaxEvent,$OuOnly,$Domain;$LocalJobExists=1 ## If so, start job to query local domain controller
}

$DomainControllers | where {$_ -ne $(hostname)} | foreach {
## Start remote jobs on everydomain controller
$RemoteJob+= Invoke-Command -ComputerName $_ -ScriptBlock
$read_log -ArgumentList $MaxEvent,$OuOnly,$Domain -AsJob
}

If ($LocalJobExists)
{
$result = $LocalJob | Wait-Job | Receive-Job; Remove-Job $LocalJob
## If the computer running the script is not a domain controller(RSAT is installed), then all jobs will be remote jobs
}

$RemoteJob | foreach { $result+=$_ | Wait-Job | Receive-Job ;
Remove-Job $_} ## Wait and Receive remote jobs on each remote DC and add to Local job result

If ($LastLogonOnly)
{
$result | Sort-Object "LoggedOn Time" -Descending | Group-Object User | foreach { $_ | Select -ExpandProperty Group | select * -First 1 -ExcludeProperty PsComputerName,RunSpaceID,PsShowComputerName } ## the Last LoggedOn time of Each User
}
else
{
$result | Sort-Object "LoggedOn Time" -Descending | Select * -ExcludeProperty PsComputerName,RunSpaceID,PsShowComputerName ## Normal Results
}

Explorer Active Directory auditing et rapport avec ADAudit Plus.

  •  
  •  
  •  
  • En cliquant sur ' Planifiez une démo personnalisée' vous acceptez le traitement des données personnelles conformément aux politique de confidentialité.
Account Management Auditing
Active Directory Auditing
Windows Server Auditing