<#Administrator Test Script#>
# --- Settings ---------------------------------------------------------------
# SMTP server that relays the alert mail, and the mailboxes that receive it.
$MailServer = "mailserver"
$Recipients = @("some@one.com", "any@body.com")

# The per-DC baseline files are read from and written to the current directory.
# NOTE(review): whoever can write to this folder can change what the script
# treats as the known state of the account - keep its ACL restricted.
Set-Location "Path-to-Script..."

# Names of every domain controller in the current domain.
$Domaincontrollers = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    ForEach-Object { $_.Name }

# Filled by the comparison pass with one "Property;DC;ActualValue;StoredValue"
# string per detected change.
$Errors = @()
# Create a baseline for every domain controller that does not have one yet.
# The baseline is simply the state of the account at the moment of this first
# query; nothing here verifies that this state is a known-good one.
# NOTE(review): the account is looked up by the name "Administrator"; a renamed
# built-in administrator account would presumably not be covered - confirm.
foreach ($Domaincontroller in $DomainControllers) {
    $Path = ".\{0}.csv" -f $Domaincontroller

    if (-not (Test-Path $Path)) {
        # Each DC is queried separately (-Server), and the selected properties
        # are stored as semicolon-delimited CSV named after that DC.
        Get-ADUser Administrator -Properties * -Server $DomainController |
            Select-Object Enabled, LastBadPasswordAttempt, LastLogon, LastLogonDate, LastLogonTimeStamp, LockedOut, PasswordLastSet |
            Export-Csv -Delimiter ";" -Path $Path
    }
}
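# Comparison pass: for every stored baseline, read the Administrator account
# from the matching domain controller again and record each property that
# differs in $Errors as "Property;DC;ActualValue;StoredValue".

# Properties that raise an alert when they differ. LastLogonDate is written to
# the baseline file but is not compared.
$WatchedProperties = 'Enabled', 'LastBadPasswordAttempt', 'LastLogon', 'LastLogonTimeStamp', 'LockedOut', 'PasswordLastSet'

# Every CSV in the working folder is treated as a baseline candidate. $CSV is
# also used by the cleanup at the end of the script.
$CSV = Get-ChildItem ".\*" -Include *.csv

foreach ($Item in $CSV) {
    # The file name without extension becomes the -Server argument below, so
    # only accept names that really are domain controllers of this domain.
    # This also keeps stray CSV files in the folder from being queried as hosts.
    $DC = $Item.BaseName
    if ($DomainControllers -notcontains $DC) {
        Write-Warning "Skipping '$($Item.Name)': it does not belong to a known domain controller."
        continue
    }

    $StoredValues = Import-Csv $Item.FullName -Delimiter ";"
    if ($null -eq $StoredValues) {
        # An empty baseline cannot be compared; say so instead of letting
        # Compare-Object fail on a null reference object.
        Write-Warning "Baseline '$($Item.Name)' is empty; no comparison was made for $DC."
        continue
    }

    try {
        $Current = Get-ADUser Administrator -Properties * -Server $DC -ErrorAction Stop |
            Select-Object Enabled, LastBadPasswordAttempt, LastLogon, LastLogonDate, LastLogonTimeStamp, LockedOut, PasswordLastSet
    } catch {
        # A failed query means this DC was NOT checked in this run. The warning
        # only reaches the console or a transcript, so make sure the job output
        # of a scheduled run is captured somewhere.
        Write-Warning "Could not query $DC; the Administrator account was not checked there: $($_.Exception.Message)"
        continue
    }

    # Round-trip the live values through CSV text so they are turned into
    # strings exactly like the stored baseline. Doing this in memory avoids a
    # fixed-name temp file in the same folder the baselines are read from.
    $ActualValues = $Current | ConvertTo-Csv -Delimiter ";" | ConvertFrom-Csv -Delimiter ";"

    foreach ($Property in $WatchedProperties) {
        $CompareResult = @(Compare-Object -ReferenceObject $StoredValues -DifferenceObject $ActualValues -Property $Property)

        if ($CompareResult.Count -gt 0) {
            $Errors += $Property + ";" + $DC + ";" + $ActualValues.$Property + ";" + $StoredValues.$Property
        }
    }
}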
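# Reporting pass: when at least one change was recorded, turn every entry of
# $Errors into a line of the mail body and send a single alert mail.
if ($Errors.Length -ne 0) {
    $Body = "Er heeft een wijziging plaats gevonden op het account Administrator. De Fout/Fouten zijn:" + "`n`n"

    foreach ($Item in $Errors) {
        # Entry layout: [0] property name, [1] domain controller,
        # [2] current value, [3] stored (baseline) value.
        $Array = $Item.Split(";")

        # Exact match on the property name. A regex match on "LastLogon" would
        # also fire for "LastLogonTimeStamp" entries and report them twice.
        switch ($Array[0]) {
            "Enabled" {
                $Body = $Body + "Op de domaincontroller: " + $Array[1] + " is de status van het account gewijzigd van Enabled: " + $Array[3] + " naar Enabled: " + $Array[2] + ".`n"
            }

            "LastBadPasswordAttempt" {
                # Failure-audit entries from that DC's Security log whose text
                # mentions "Administrator". This is a text match over the whole
                # retained log: it can include older attempts and entries that
                # merely contain that string, so read the list as leads.
                $Eventlog = @(Get-EventLog -LogName Security -ComputerName $Array[1] -EntryType FailureAudit |
                    Where-Object { $_.Message -match "Administrator" })

                # Collect the client address of every entry that has one.
                # $Result is reset per entry so an entry without a
                # "Client Address:" line cannot reuse the previous address.
                $Addresses = @()
                foreach ($Entry in $Eventlog) {
                    $Result = $null
                    foreach ($Line in $Entry.Message.Split("`n")) {
                        if ($Line -match "Client Address:") {
                            # Strip label, whitespace and the IPv4-mapped prefix.
                            $Result = $Line.Replace("`t", '').Replace("Client Address:", '').Replace(" ", '').Replace("::ffff:", '').Trim()
                        }
                    }
                    if (-not [string]::IsNullOrEmpty($Result)) {
                        $Addresses += $Result
                    }
                }

                # Resolve each distinct address once. The lookup throws when no
                # name is registered, so catch that and fall back to the
                # placeholder text. The returned name comes from reverse DNS and
                # is only as trustworthy as that zone.
                $Resultlist = @()
                foreach ($Address in ($Addresses | Sort-Object -Unique)) {
                    $ReverseName = $null
                    try {
                        $ReverseName = [System.Net.Dns]::GetHostByAddress($Address).HostName
                    } catch {
                        $ReverseName = $null
                    }
                    if ([string]::IsNullOrEmpty($ReverseName)) {
                        $ReverseName = "Naam kon niet opgehaald worden"
                    }
                    $Resultlist += "- IP-Adres: " + $Address + " welke resolved naar $ReverseName`n"
                }

                $Body = $Body + "Op de domaincontroller: " + $Array[1] + " is er een BadPasswordAttempt uitgevoerd op " + $Array[2] + ". De waarde was hiervoor: " + $Array[3] + ". De attempts kwamen vanaf de volgende computer/Computers:`n`r"
                $Body = $Body + ($Resultlist -join '') + "`n`n"
            }

            "LastLogon" {
                # Values are stored as file-time numbers; convert for display.
                $StoredValue = [datetime]::FromFileTime($Array[3])
                $ActualValue = [datetime]::FromFileTime($Array[2])
                $Body = $Body + "Op de domaincontroller: " + $Array[1] + " is de waarde van LastLogon gewijzigd van " + $StoredValue + " naar de waarde: " + $ActualValue + ".`n"
            }

            "LastLogonTimeStamp" {
                $StoredValue = [datetime]::FromFileTime($Array[3])
                $ActualValue = [datetime]::FromFileTime($Array[2])
                $Body = $Body + "Op de domaincontroller: " + $Array[1] + " is de waarde van LastLogonTimeStamp gewijzigd van " + $StoredValue + " naar de waarde: " + $ActualValue + ".`n"
            }

            "LockedOut" {
                $Body = $Body + "Op de domaincontroller: " + $Array[1] + " is de status van het account gewijzigd van LockedOut: " + $Array[3] + " naar LockedOut: " + $Array[2] + ".`n"
            }

            "PasswordLastSet" {
                $Body = $Body + "Op de domaincontroller: " + $Array[1] + " is er een PasswordLastSet uitgevoerd op " + $Array[2] + ". De waarde was hiervoor: " + $Array[3] + ".`n"
            }
        }
    }

    # NOTE(review): as written the mail is submitted without credentials and
    # without -UseSsl, so the alert travels in clear text to the relay. Confirm
    # that this is acceptable for the relay in use.
    $MailParameters = @{
        From       = "AdministratorRoles@Domain.com"
        Subject    = "Er heeft een wijziging plaatsgevonden op het Administrator account"
        To         = $Recipients
        Body       = $Body
        SmtpServer = $MailServer
    }
    Send-MailMessage @MailParameters
}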
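# Baseline refresh: store the current state of the Administrator account per
# domain controller so the next run compares against it.
#
# A baseline is only replaced when the new query succeeded. Deleting it first
# and then failing to read the DC would leave no usable baseline, and changes
# made while that DC was unreachable would never be reported.
#
# The account is read again here instead of reusing the values from the
# comparison pass, so a change landing between the two reads becomes part of
# the baseline without an alert.
foreach ($Domaincontroller in $DomainControllers) {
    $Path = ".\" + $Domaincontroller + ".csv"

    try {
        $Snapshot = Get-ADUser Administrator -Properties * -Server $Domaincontroller -ErrorAction Stop |
            Select-Object Enabled, LastBadPasswordAttempt, LastLogon, LastLogonDate, LastLogonTimeStamp, LockedOut, PasswordLastSet
    } catch {
        Write-Warning "Could not query $Domaincontroller; its existing baseline was left unchanged: $($_.Exception.Message)"
        continue
    }

    # Overwrites the previous baseline of this DC.
    $Snapshot | Export-Csv -Delimiter ";" -Path $Path -Force
}

# Remove CSV files found at the start of the run that do not belong to a current
# domain controller (decommissioned DCs, leftover temporary files).
foreach ($Item in $CSV) {
    if ($DomainControllers -notcontains $Item.BaseName) {
        Remove-Item $Item.FullName -Force
    }
}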