Notification when User account's password has been changed


Guys,

I was trying to develop a script where I can be notified if a user account password is changed.

I have a test bed of 50 computers.

I would like to create a log when, on any of these machines, any user account's password is changed.

Just a simple log, with time and date, and the computer name and account name whose password has been changed.

Can anyone please point me in the right direction?

Thanks

Manjish Naik, Engineer, Global Services - QPS, Honeywell Automation India Limited, E-mail - Manjish.Naik@honeywell.com

Can you describe a little bit about the environment in which this script will run?

For instance are you a Domain admin and is it going to run on a domain/Windows server machine? Seems like Windows already does something like that...

Does it need to log to a central log file or will each machine have its own log?

You could parse the Windows audit log for the event once the security policy is configured to capture it.

I have to audit this criteria for my Gov req policies.

eventID 627

Change Password Attempt:

Target Account Name: avery

Target Domain: KCYF82R

Target Account ID: KCYF82R\avery

Caller User Name: avery

Caller Domain: KCYF82R

Caller Logon ID: (0x0,0x1605C)

Privileges: -

Avery Howell (http://www.abox.org)

Running this from a command prompt will dump event log for you...of course there are plenty of options to choose when running it. This one works best for me when it came to parsing it out:

C:\windows\system32\cscript.exe C:\WINDOWS\system32\eventquery.vbs /L Security /FO CSV /NH /FI "ID eq 627" /V>"C:\path with spaces\eventlogdump.txt"

I'm not very good with using streams, or even file I/O, or even scripting in general...LOL but anyway I wrote a sample script that maybe you could work off of.

It will basically:

  • Dump the event log matching ID 627 to a file in the same directory the script is running
  • Open that file and read it line by line
  • After reading each line, parse it out, parse out the last element even more
  • Pick out the stuff you want and create a line of output separated by commas
  • Output that newly created line to the output txt/log file
  • Script ends when the event log dump has no more lines

;Just a simple log, with time and date, and the computer name and account name whose password has been changed..

Const $LOGFILEIN = @ScriptDir & "\Audit.log"
Const $LOGFILEOUT = @ScriptDir & "\Output.log"

Dim $hLOGFILEIN, $hLOGFILEOUT           ;handles for the input and output files
Dim $tmp
Dim $cmd = 'C:\windows\system32\cscript.exe C:\WINDOWS\system32\eventquery.vbs /L Security /FO CSV /NH /FI "ID eq 627" /V>"' & $LOGFILEIN & '"'

Dim $line = 8                           ;Start reading output file at line 8

;Start main script logic
DumpEventLog()

$hLOGFILEIN = FileOpen($LOGFILEIN, 0)       ;0 = open for reading
$hLOGFILEOUT = FileOpen($LOGFILEOUT, 1)     ;1 = open for writing, append to end of file

While 1
    $tmp = FileReadLine($hLOGFILEIN, $line)
    If @error = -1 Then
        ExitLoop
    Else
        ParseLine($tmp)
        $line += 1
    EndIf
WEnd

FileClose($hLOGFILEIN)
FileClose($hLOGFILEOUT)                 ;close the handle, not the file name constant
;End main script logic
Exit

Func DumpEventLog()
    RunWait(@ComSpec & " /c " & $cmd, @SystemDir, @SW_SHOW)
EndFunc

Func ParseLine($theline)
    Dim $tmparray, $descarray
    Dim $nextlineout                    ;Used to put together the next line for the output file
    Dim $type, $event, $datetime, $source, $computername, $category, $user, $desc
    Dim $TargetAccountName, $TargetDomain, $TargetAccountID, $CallerUserName, $CallerDomain, $CallerLogonID, $Privileges
    
    $tmparray = StringSplit($theline, ",")
    
    If $tmparray[0] >= 8 Then           ;need all 8 CSV fields before indexing them
        $type = $tmparray[1]            ;"Audit Success" (or Failure)
        $event = $tmparray[2]           ;"627" (static)
        $datetime = $tmparray[3]        ;(m)m/(d)d/yyyy (h)h:(m)m:ss AM/PM (dynamic)
        $source = $tmparray[4]          ;"Security" (static)
        $computername = $tmparray[5]    ;Computer where the event was logged (dynamic)
        $category = $tmparray[6]        ;"Account Management" (static)
        $user = $tmparray[7]            ;DOMAIN\User (dynamic)
        $desc = $tmparray[8]            ;Entire Description is tab separated, need to break it down more below... 
    
        $descarray = StringSplit($desc, @TAB)
    
        If $descarray[0] >= 13 Then     ;indexes up to 13 are read below
            
            $TargetAccountName = $descarray[3]  ;
            $TargetDomain = $descarray[5]       ;
            $TargetAccountID = $descarray[7]    ;DOMAIN\User - Interested in this one (I think??)
            $CallerUserName = $descarray[9]     ;
            $CallerDomain = $descarray[11]      ;
            $CallerLogonID = $descarray[13]     ;
            ;$Privileges = $descarray[14]       ;

            $nextlineout = $datetime & "," & $type & "," & $computername & "," & $TargetAccountID

            FileWriteLine($hLOGFILEOUT, $nextlineout)
        EndIf
    EndIf
EndFunc

It's a quick and dirty version that still needs some error-checking, duplicate line checking for the output...etc. I hope it will work for you as-is so you can at least get an idea of what it does.

Edited by MrMitchell
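An added example, not part of MrMitchell's post: the script above splits each line on every comma, but the description field itself contains one (`Caller Logon ID: (0x0,0x1605C)`), and the post notes that duplicate checking is still missing. This sketch parses one CSV line by its quoted fields, looks the target account up by label, and skips lines already written. The function names are hypothetical, the sample line is constructed, and it assumes every field is double-quoted and the description is laid out as "Label:", tab, value.

```autoit
; Added example, not code from the thread. Function names are hypothetical.
; Assumes every CSV field is double-quoted and the description is "Label:<TAB>value".
Global $oSeen = ObjCreate("Scripting.Dictionary") ; output lines already written

Func SplitCsvLine($sLine)
    ; Capture the text between each pair of quotes, so a comma inside a
    ; quoted field such as (0x0,0x1605C) does not start a new field.
    Local $aFields = StringRegExp($sLine, '"([^"]*)"', 3)
    If @error Then Return SetError(1, 0, 0)
    Return $aFields ; 0-based array
EndFunc

Func DescValue($sDesc, $sLabel)
    ; Look the value up by its label instead of by a fixed array index.
    Local $aHit = StringRegExp($sDesc, $sLabel & ':\s*([^\t]+)', 1)
    If @error Then Return ""
    Return StringStripWS($aHit[0], 3)
EndFunc

Func BuildOutputLine($sLine)
    Local $aF = SplitCsvLine($sLine)
    If @error Or UBound($aF) < 8 Then Return SetError(1, 0, "") ; banner or short line
    If $aF[1] <> "627" Then Return SetError(2, 0, "")           ; not a password change
    Local $sTarget = DescValue($aF[7], "Target Account ID")
    If $sTarget = "" Then Return SetError(3, 0, "")
    ; date/time, audit result, computer, account whose password changed
    Local $sOut = $aF[2] & "," & $aF[0] & "," & $aF[4] & "," & $sTarget
    If $oSeen.Exists($sOut) Then Return SetError(4, 0, "")      ; already logged
    $oSeen.Add($sOut, 1)
    Return $sOut
EndFunc

; Constructed sample line (date and time invented; names taken from the event quoted earlier).
Global $sSample = '"Audit Success","627","1/2/2009 3:04:05 PM","Security","KCYF82R",' & _
    '"Account Management","KCYF82R\avery","Change Password Attempt:' & @TAB & _
    'Target Account Name:' & @TAB & 'avery' & @TAB & 'Target Domain:' & @TAB & 'KCYF82R' & @TAB & _
    'Target Account ID:' & @TAB & 'KCYF82R\avery' & @TAB & 'Caller User Name:' & @TAB & 'avery' & @TAB & _
    'Caller Domain:' & @TAB & 'KCYF82R' & @TAB & _
    'Caller Logon ID:' & @TAB & '(0x0,0x1605C)' & @TAB & 'Privileges:' & @TAB & '-"'

ConsoleWrite(BuildOutputLine($sSample) & @CRLF)          ; first pass returns the log line
BuildOutputLine($sSample)                                ; same event again
ConsoleWrite("repeat skipped, @error = " & @error & @CRLF)
```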