Watching the admins

Wearing my “Engineer” hat today.  Wanted to alert on Windows admin events, particularly for situations where users are added to the Domain Admins group.  As it turns out, there is a good resource for setting up event log triggers for the built-in Windows task-scheduler: http://woshub.com/windows-event-triggers/

That article covers account lockouts, which is useful on its own, but I modified it a bit to look for what I wanted.  The event that turned out to matter is 4728, "A member was added to a security-enabled global group": Domain Admins is a global group, so that is the ID to watch (a universal group such as Enterprise Admins logs 4756 instead, and a domain-local group logs 4732).  You can begin by finding the event you want in Event Viewer, right-clicking it, and choosing "Attach Task To This Event . . ." (at least in 2008 R2).

From there you can follow the prompts to create some nice alerting around this.

[description of how to set up the task]

Caveats to look out for:

  • Once created, this shows up in “Event Viewer Tasks”, not the root of the task scheduler library.
  • If you use a normal SMTP server for email alerting, it may not work.  It really seems to want to talk to an exchange server, or at least something that’s going to be able to recognize and authenticate the user that is trying to send the email.
  • It’s best to change the properties of this task to “Run whether user is logged on or not” and “Run with highest privileges” in the task’s “General” tab.  I used a service account with domain admin privs to run this task, but that’s probably not optimal.  It’s probably best to create a separate service account with exactly the privileges you need to run it.  To me, those would include rights to read the event log, run scheduled tasks, and write to an area on the C:\ (to write out the attachment info).

But let’s improve this a bit.  If you set it up as above and just leave it that way, you’ll end up getting an alert for every group add in the domain.  What we need is to filter on the event ID AND the Domain Admins group.  The cleanest way to do that is to filter on the event’s EventData: in a 4728 event, TargetSid is the SID of the group the member was added to, so matching it against the Domain Admins SID gives us adds for only that group.  This takes an XPath query in the trigger’s XML filter, plus a batch file that grabs the event log entry as soon as it is written.

I’m using an older 2008 server instance for testing, so the references here may be a bit dated, but here goes:

First we need to set up a domain user with the group membership of: “Domain Admins”

Open ADUC

Navigate to the OU or folder where you normally create your users.

Right click on the OU/Folder and choose “New” -> “User”

Fill in all the details, click next, and set the account to “User cannot change password”.

Once user is created, right-click on the user and choose properties.

Click on the “Member of” tab.

Add “Domain Admins”

Apply, Ok.

Note: Lesser privileges won’t work, unfortunately.  As tested, when a scheduled task is added for this it fails due to privileges, including the “log on locally” privilege.  When you go to try to add that privilege, there’s a requirement for the user to be an admin on the machine (which makes sense, since it’s a domain controller).

Set up user to log in as a scheduled task:

In GPMC: Computer configuration -> Policies -> Windows settings -> Security settings -> local policies ->

Set up the scripts:

Log into your domain controller as a Domain Admin and create a folder called “Scripts” in your C:\ Drive: C:\Scripts

Now open the “Scripts” folder and create a new file called “evtquery.cmd”.  Windows may complain about the extension; make sure your folder view settings are set to show file extensions, or you will end up with evtquery.cmd.txt.

In that file put the following (use notepad or any other non-formatting text editor):

@echo off
rem Clear the previous capture (the same file the task attaches), then export the newest 4728 event as text
if exist C:\Scripts\evt.txt del C:\Scripts\evt.txt
wevtutil qe Security /q:"*[System[(EventID=4728)]]" /f:text /rd:true /c:1 > C:\Scripts\evt.txt

Save that and close.

Set up task:

In “Server Manager” click “Configuration” -> “Task Scheduler”

Right-click and choose “Create task…”

Give it a name like “Detect add to domain admin group” or something.

Click “Run whether user is logged on or not”

Click on “Change User or Group”

Choose your newly created user, click “ok”

Click “Run with highest privileges” checkbox.

Click the “Triggers” tab.

Click “New button”

Change “On a schedule” to “On an event” at the top of the “New Trigger” dialog.

Click “Custom”

Click “New Event Filter”

Click “XML” tab, then click “Edit query manually”

Click “Yes” on the warning it shows.

Paste in the following.  The SID below is the Domain Admins SID of my test domain: every domain’s Domain Admins group ends in RID 512, but the prefix is your own domain’s SID, so replace it with yours (whoami /groups, run as a Domain Admin on a DC, lists it).

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4728)]]
      and
      *[EventData[Data[@Name='TargetSid']='S-1-5-21-1390067357-651377827-1606980848-512']]
    </Select>
  </Query>
</QueryList>
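Before wiring the query into a trigger it is worth running it against the log by hand.  The PowerShell below is an added example, not code from the original post: it resolves the Domain Admins SID for whatever domain it runs in (so the hard-coded SID above is not needed), feeds the same XPath to Get-WinEvent, and prints who added whom from the named EventData fields.  It assumes it runs on a DC as a user who can read the Security log; the count of five events is an arbitrary choice.

```powershell
# Added example (not from the original post): check the trigger's filter against the live Security log.
# Assumes a DC and a user with read access to the Security log; "5 newest events" is arbitrary.

# Domain Admins is always <domain SID>-512; translating the name avoids hard-coding the prefix.
$daSid = (New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
"Domain Admins SID: $daSid"

# Identical to the trigger query; Data[@Name='TargetSid']='...' pins the SID to that one field.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4728)]]
      and
      *[EventData[Data[@Name='TargetSid']='$daSid']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent throws when nothing matches, so tolerate an empty result instead of failing.
$events = Get-WinEvent -FilterXml $query -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $events) {
    "No 4728 events for $daSid found: the filter parsed, nothing has matched yet."
    return
}

foreach ($e in $events) {
    # Read the named EventData fields from the event's own XML instead of parsing the message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Group   = $d['TargetUserName']      # should always be "Domain Admins" with this filter
        Member  = $d['MemberName']          # DN of the account that was added
        AddedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        DC      = $e.MachineName
    }
}
```

If this prints nothing on a domain where you know a Domain Admins add happened, the SID in the filter is the first thing to check; if it prints adds to other groups, the predicate has been loosened.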

Click “OK” to close that window, then click “OK” to close the “New trigger” window.

Now we have to tell the task what to do.

Click the “Actions” tab and click “New…” button.

Choose “Start a program” and type in: “C:\Scripts\evtquery.cmd”  (with the quotes).  Click “OK”.

click “New…” button.

Choose “Send an e-mail” from the drop-down.

For this, you should have an internal email relay server in mind.  If you have an internal MS Exchange bridgehead, I find that works best: there seems to be an authentication component to how this action connects, which Exchange is okay with and other SMTP relays are not.

Fill in your email details as you like.  Something like:

From: “no-reply@yourdomain.com”

To: “youremail@yourdomain.com”

Subject: “User added to domain admins”

Text: “Check attachment for more details.”

Attachment: “C:\Scripts\evt.txt”

SMTP server: your server address.

My advice is to create a test task configured to send email after this is finished to make sure your scheduled task will send emails ok without all the other configs.

Click “OK” to create the task, and supply the password for the user.

Right-click on the task and choose “Run”, then add a test user to “Domain Admins”.  Next, as a control, add a user to some other group.  You should get the “User added to domain admins” email exactly once.
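If your relay refuses the built-in “Send an e-mail” action, the export and the mail can both be done from the “Start a program” action instead.  The script below is an added example, not the post’s own evtquery.cmd: it re-runs the trigger’s filter (so a 4728 for some other group written in the same second is never attached), writes the summary to evt.txt, and sends it with Send-MailMessage, which talks to any SMTP relay and can take a credential if one is required.  The relay host, mailbox addresses and output path are placeholders to replace with your own.

```powershell
# Added example (not the post's evtquery.cmd): Exec-action script that exports the matching 4728
# event and mails it with Send-MailMessage, replacing the built-in "Send an e-mail" action.
# Placeholders (assumptions): relay host, addresses, output path.
# Task action: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Send-DomainAdminAlert.ps1

$OutFile = 'C:\Scripts\evt.txt'
$Relay   = 'smtp.yourdomain.com'       # assumption: an internal relay that accepts mail from the DCs
$From    = 'no-reply@yourdomain.com'
$To      = 'youremail@yourdomain.com'

# Start clean so a previous run's capture is never re-attached (same idea as the del in evtquery.cmd).
if (Test-Path $OutFile) { Remove-Item $OutFile }

$daSid = (New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value

# Same filter as the trigger, so only a Domain Admins add is ever picked up.
$query = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>" +
         "*[System[(EventID=4728)]] and *[EventData[Data[@Name='TargetSid']='$daSid']]" +
         "</Select></Query></QueryList>"

$ev = Get-WinEvent -FilterXml $query -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $ev) {
    # The trigger fired but nothing matches now (log cleared or overwritten): say so rather than stay silent.
    $body = "Task fired at $(Get-Date) on $env:COMPUTERNAME but no matching 4728 event was found."
} else {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $body = "Member added to Domain Admins`r`n" +
            "When:     $($ev.TimeCreated)`r`n" +
            "DC:       $($ev.MachineName)`r`n" +
            "Member:   $($d['MemberName'])`r`n" +
            "Added by: $($d['SubjectDomainName'])\$($d['SubjectUserName']) (logon ID $($d['SubjectLogonId']))"
    # Summary in the body, full event text in the attachment.
    $ev.Message | Out-File -FilePath $OutFile -Encoding UTF8
}

$mail = @{
    SmtpServer = $Relay
    From       = $From
    To         = $To
    Subject    = "User added to domain admins on $env:COMPUTERNAME"
    Body       = $body
}
if (Test-Path $OutFile) { $mail['Attachments'] = $OutFile }
# If the relay insists on authentication, add Credential = <PSCredential> to $mail.
Send-MailMessage @mail
```

The “no matching event” branch matters: a trigger can fire and the export still come up empty (the log was cleared, or rolled over on a busy DC), and an alert that says so is better than one that never arrives.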

Do this for all DCs in your environment: 4728 is written only on the DC that processed the change, so a task on one DC sees only the adds that DC handled.  If it helps, you can export scheduled tasks (this is beyond the scope of this article) and re-import them elsewhere.  There are all sorts of other interesting event IDs to alert on as well which can be covered by this method (account lockouts etc.), so you can adapt this to serve your needs.
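Rather than clicking through the GUI on every DC, the task can be written as Task Scheduler XML and registered with schtasks.exe.  The script below is an added example, not the post’s own steps: it builds the same event trigger (4728 filtered on the Domain Admins SID, resolved on the DC it runs on), the same principal settings as the “General” tab (password logon, highest privileges), and a “Start a program” action.  The service account name, script path and task name are placeholders; the action is assumed to be a PowerShell script but can be the post’s evtquery.cmd just as well.

```powershell
# Added example (not from the original post): register the event-triggered task from XML with schtasks.exe
# so the same definition can be applied to every DC. Placeholders: service account, script path, task name.

$TaskName = 'Detect add to domain admin group'
$RunAs    = "$env:USERDOMAIN\svc-evtalert"            # assumption: the service account created earlier
$Script   = 'C:\Scripts\Send-DomainAdminAlert.ps1'    # assumption: whatever your action should run
$XmlPath  = 'C:\Scripts\DetectDomainAdminAdd.xml'

$daSid = (New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value

$select = "*[System[(EventID=4728)]] and *[EventData[Data[@Name='TargetSid']='$daSid']]"
# The subscription is event-log XML embedded inside task XML, so it has to be escaped once.
$subscription = [System.Security.SecurityElement]::Escape(
    "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>$select</Select></Query></QueryList>")

$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Mail an alert when a member is added to Domain Admins (event 4728)</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$subscription</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$RunAs</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT10M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -File "$Script"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# Task XML is conventionally UTF-16; -Encoding Unicode matches the declaration above.
$taskXml | Out-File -FilePath $XmlPath -Encoding Unicode

# LogonType "Password" is what "Run whether user is logged on or not" sets in the GUI;
# /RP * prompts for the password instead of putting it on the command line.
schtasks.exe /Create /TN $TaskName /XML $XmlPath /RU $RunAs /RP * /F
```

MultipleInstancesPolicy is set to Queue so that two adds in quick succession produce two alerts instead of the second trigger being dropped while the first action is still running.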
