Manjish, posted March 12, 2009

Guys, I was trying to develop a script where I can be notified if a user account password is changed. I have a test bed of 50 computers. I would like to create a log when, on any of these machines, any user account's password is changed. Just a simple log, with time and date, and the computer name and account name whose password has been changed. Can anyone please point me in the right direction? Thanks

Manjish Naik
Engineer, Global Services - QPS
Honeywell Automation India Limited
E-mail - Manjish.Naik@honeywell.com
Manjish (author), posted March 13, 2009

Up please. Any ideas?
MrMitchell, posted March 13, 2009

Can you describe a little bit about the environment in which this script will run? For instance, are you a domain admin, and is it going to run on a domain/Windows server machine? Seems like Windows already does something like that... Does it need to log to a central log file, or will each machine have its own log?
avery, posted March 13, 2009

> Can you describe a little bit about the environment in which this script will run? For instance, are you a domain admin, and is it going to run on a domain/Windows server machine? Seems like Windows already does something like that... Does it need to log to a central log file, or will each machine have its own log?

You could parse the Windows audit log for the event once the security policy is configured to capture it. I have to audit this criteria for my Gov req policies.

Event ID 627:

```
Change Password Attempt:
    Target Account Name:    avery
    Target Domain:          KCYF82R
    Target Account ID:      KCYF82R\avery
    Caller User Name:       avery
    Caller Domain:          KCYF82R
    Caller Logon ID:        (0x0,0x1605C)
    Privileges:             -
```

Avery Howell
Visit My AutoIt Website: http://www.abox.org
MrMitchell, posted March 14, 2009 (edited)

Running this from a command prompt will dump the event log for you... of course there are plenty of options to choose from when running it. This one works best for me when it came to parsing it out:

```
C:\windows\system32\cscript.exe C:\WINDOWS\system32\eventquery.vbs /L Security /FO CSV /NH /FI "ID eq 627" /V>"C:\path with spaces\eventlogdump.txt"
```

I'm not very good with using streams, or even file I/O, or even scripting in general... LOL. But anyway, I wrote a sample script that maybe you could work off of. It will basically:

- Dump the event log matching ID 627 to a file in the same directory the script is running from
- Open that file and read it line by line
- After reading each line, parse it out, then parse out the last element even more
- Pick out the stuff you want and create a line of output separated by commas
- Output that newly created line to the output txt/log file
- The script ends when the event log dump has no more lines

```autoit
;Just a simple log, with time and date, and the computer name and account name whose password has been changed..

Const $LOGFILEIN = @ScriptDir & "\Audit.log"
Const $LOGFILEOUT = @ScriptDir & "\Output.log"
Dim $hLOGFILEIN, $hLOGFILEOUT ;handles for the input and output files
Dim $tmp
Dim $cmd = 'C:\windows\system32\cscript.exe C:\WINDOWS\system32\eventquery.vbs /L Security /FO CSV /NH /FI "ID eq 627" /V>"' & $LOGFILEIN & '"'
Dim $line = 8 ;Start reading the dump file at line 8 (skips the cscript banner lines)

;Start main script logic
DumpEventLog()
$hLOGFILEIN = FileOpen($LOGFILEIN, 0)   ;0 = read
$hLOGFILEOUT = FileOpen($LOGFILEOUT, 1) ;1 = append

While 1
    $tmp = FileReadLine($hLOGFILEIN, $line)
    If @error = -1 Then ;-1 = end of file reached
        ExitLoop
    Else
        ParseLine($tmp)
        $line += 1
    EndIf
WEnd

FileClose($hLOGFILEIN)
FileClose($hLOGFILEOUT) ;close the handle, not the file name
;End main script logic
Exit

Func DumpEventLog()
    RunWait(@ComSpec & " /c " & $cmd, @SystemDir, @SW_SHOW)
EndFunc

Func ParseLine($theline)
    Dim $tmparray, $descarray
    Dim $nextlineout ;Used to put together the next line for the output file
    Dim $type, $event, $datetime, $source, $computername, $category, $user, $desc
    Dim $TargetAccountName, $TargetDomain, $TargetAccountID, $CallerUserName, $CallerDomain, $CallerLogonID, $Privileges

    ;CSV columns from eventquery.vbs /FO CSV /V
    $tmparray = StringSplit($theline, ",")
    If $tmparray[0] > 1 Then
        $type = $tmparray[1]         ;"Audit Success" (or Failure)
        $event = $tmparray[2]        ;"627" (static)
        $datetime = $tmparray[3]     ;(m)m/(d)d/yyyy (h)h:(m)m:ss AM/PM (dynamic)
        $source = $tmparray[4]       ;"Security" (static)
        $computername = $tmparray[5] ;Computer where the event was logged (dynamic)
        $category = $tmparray[6]     ;"Account Management" (static)
        $user = $tmparray[7]         ;DOMAIN\User (dynamic)
        $desc = $tmparray[8]         ;Entire Description is tab separated, need to break it down more below...

        ;Description is "Label:<TAB>value<TAB>Label:<TAB>value..." so the values sit at the odd indexes
        $descarray = StringSplit($desc, @TAB)
        If $descarray[0] > 1 Then
            $TargetAccountName = $descarray[3]  ;
            $TargetDomain = $descarray[5]       ;
            $TargetAccountID = $descarray[7]    ;DOMAIN\User - Interested in this one (I think??)
            $CallerUserName = $descarray[9]     ;
            $CallerDomain = $descarray[11]      ;
            $CallerLogonID = $descarray[13]     ;
            ;$Privileges = $descarray[14]       ;

            $nextlineout = $datetime & "," & $type & "," & $computername & "," & $TargetAccountID
            FileWriteLine($hLOGFILEOUT, $nextlineout)
        EndIf
    EndIf
EndFunc
```

It's a quick and dirty version that still needs some error-checking, duplicate line checking for the output, etc. I hope it will work for you as-is so you can at least get an idea of what it does.

Edited March 14, 2009 by MrMitchell
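The following is an added example, not code posted in this thread: a Python parser for the CSV dump that `eventquery.vbs /FO CSV /V` writes, covering both avery's event 627 layout and the positional parsing MrMitchell's AutoIt script does. It differs from the script above in one way worth copying: the Description column is walked as `Label:` / value pairs rather than by fixed index, so a missing or reordered field does not silently shift the target account into the wrong column. The sample dump embedded below is constructed (hostnames, users, times and logon IDs are made up; the banner lines stand in for whatever cscript prints before the CSV), and the eight-column order is assumed to be the one MrMitchell lists. Two caveats a practitioner would want: event 627 only records a password *change* (the caller supplied the old password); an administrator *reset* is event 628 ("User Account password set") and is missed by an `ID eq 627` filter, which is why the parser takes a set of IDs. And `eventquery.vbs` with the 6xx IDs is XP/Server 2003 vintage; on Vista and later the equivalents are 4723 (change) and 4724 (reset), read with `wevtutil` or PowerShell's `Get-WinEvent`.

```python
import csv
import io
import re
import sys
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of the file produced by
#   cscript eventquery.vbs /L Security /FO CSV /NH /FI "ID eq 627" /V > Audit.log
# (here with a 628 row added to show the filter). Columns are assumed to be
#   Type, Event, Date Time, Source, ComputerName, Category, User, Description
# and Description carries the event text as tab-separated "Label:<TAB>value" pairs.
SAMPLE_DUMP = (
    "Microsoft (R) Windows Script Host\n"
    "Copyright (C) Microsoft Corporation. All rights reserved.\n"
    "\n"
    '"Audit Success","627","3/13/2009 10:41:07 AM","Security","KCYF82R",'
    '"Account Management","KCYF82R\\avery",'
    '"Change Password Attempt:\tTarget Account Name:\tavery\tTarget Domain:\tKCYF82R'
    '\tTarget Account ID:\tKCYF82R\\avery\tCaller User Name:\tavery\tCaller Domain:\tKCYF82R'
    '\tCaller Logon ID:\t(0x0,0x1605C)\tPrivileges:\t-"\n'
    '"Audit Failure","627","3/13/2009 11:02:55 AM","Security","KCYF82R",'
    '"Account Management","KCYF82R\\Administrator",'
    '"Change Password Attempt:\tTarget Account Name:\tbob\tTarget Domain:\tKCYF82R'
    '\tTarget Account ID:\tKCYF82R\\bob\tCaller User Name:\tAdministrator\tCaller Domain:\tKCYF82R'
    '\tCaller Logon ID:\t(0x0,0x3E7)\tPrivileges:\t-"\n'
    '"Audit Success","628","3/13/2009 11:03:10 AM","Security","KCYF82R",'
    '"Account Management","KCYF82R\\Administrator",'
    '"User Account password set:\tTarget Account Name:\tbob\tTarget Domain:\tKCYF82R'
    '\tTarget Account ID:\tKCYF82R\\bob\tCaller User Name:\tAdministrator\tCaller Domain:\tKCYF82R'
    '\tCaller Logon ID:\t(0x0,0x3E7)\tPrivileges:\t-"\n'
)

LABEL_RE = re.compile(r"^([A-Za-z ]+):$")  # "Target Account Name:" etc.


def parse_description(desc: str) -> dict:
    """Turn the tab-separated Description text into {label: value}.

    A token ending in ':' is a label; the token after it is its value unless
    that token is itself a label (the "Change Password Attempt:" header has
    no value). Walking pairs this way survives reordered or absent fields,
    which fixed indexes like $descarray[7] do not."""
    tokens = [t.strip() for t in desc.split("\t") if t.strip()]
    fields = {}
    i = 0
    while i < len(tokens):
        m = LABEL_RE.match(tokens[i])
        if m is None:          # stray value with no label; skip it
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if LABEL_RE.match(nxt):
            fields[m.group(1)] = ""
            i += 1
        else:
            fields[m.group(1)] = nxt
            i += 2
    return fields


@dataclass
class PasswordEvent:
    when: datetime
    outcome: str         # "Audit Success" or "Audit Failure"
    event_id: str
    computer: str        # machine that logged the event
    target_account: str  # DOMAIN\user whose password was changed
    caller: str          # DOMAIN\user who made the change
    self_service: bool   # True when a user changed their own password


def parse_events(dump_text: str, wanted_ids=("627",)):
    """Read an eventquery.vbs CSV dump; banner/blank lines have < 8 columns and are skipped."""
    events = []
    for row in csv.reader(io.StringIO(dump_text)):
        if len(row) < 8 or row[1] not in wanted_ids:
            continue
        outcome, event_id, when, _src, computer, _cat, _user, desc = row[:8]
        f = parse_description(desc)
        target = f.get("Target Account ID") or "%s\\%s" % (
            f.get("Target Domain", ""), f.get("Target Account Name", ""))
        caller = "%s\\%s" % (f.get("Caller Domain", ""), f.get("Caller User Name", ""))
        events.append(PasswordEvent(
            when=datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p"),
            outcome=outcome, event_id=event_id, computer=computer,
            target_account=target, caller=caller,
            self_service=(target.lower() == caller.lower())))
    return events


def format_log_line(ev: PasswordEvent) -> str:
    """The one-line record the original poster asked for, plus who did it."""
    return ",".join([ev.when.isoformat(sep=" "), ev.outcome, ev.computer,
                     ev.target_account, ev.caller,
                     "self" if ev.self_service else "other"])


if __name__ == "__main__":
    # Usage: python watch_627.py [Audit.log]; with no argument the constructed sample is parsed.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for ev in parse_events(text, wanted_ids=("627", "628")):
        print(format_log_line(ev))
```

Run it per machine against the file the AutoIt script already produces, or point it at the dumps of all 50 test-bed machines collected into one share; the output line carries the computer name, so the records can be merged into one central log without losing where each came from.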