Domain Auditing for Microsoft AD/GP

This post is brought to you as short and sweet as possible. The following is written to provide guidance and transparency for those seeking simple answers to complex compliance requirements. Expensive paid solutions such as Netwrix require setup time and dedicated hardware; I'm here to tell you there's a far better way of doing things. With a little research and some scripting skills anyone can check this off and pay attention to their environment proactively. AD is a common standard for most if not all corporations for a reason: it works, it logs events and it provides visibility into what occurs within any domain network. This guide requires only PowerShell, even for the parsing and reporting. It's a common and well-respected scripting language that runs across all Windows OS versions.

I'll do my best to describe and lead you into using the following repositories, and for good reason. Windows is a beast some don't fully comprehend. AD is a collection of computer and user objects; GP is simply how you define standards across OUs (Organizational Units), which are groups of machines or users within your network. You may ask, "why does this matter at all to me?" Well, companies design specific solutions for you to use and charge an arm and a leg because having visibility here is critical to passing any standard of compliance. Aside from having a full inventory and security solutions at your fingertips, you also need to be able to account for how you enforce standards. Nearly every aspect of Windows can be drilled into, from registry keys to control panel options; even application whitelisting is controlled using Group Policy.

This is going to cover change reporting and initial footholds for getting a grasp on the domains you engineer or administer. When using this, consider what standards you're expected to uphold; whether PCI, SOC or HIPAA, this matters because each varies and the requirements differ. I'll share with you functions and repos that generate reports in a manner you can easily grasp.

For simple outputs for GP you can use the Get-GPOReport cmdlet, which is native to PowerShell. Switches and parameters are documented here:

https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gporeport?view=win10-ps

This cmdlet exports what you'd normally see in Group Policy Management as a Domain Admin and makes it easy to decipher what's applied, and how, for each policy specified. You can target one policy or output all policies within a given domain.

For something simple in AD, to report all objects, take a look at Get-ADObject here:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adobject?view=win10-ps

There are plenty of ways to specify exactly what you're looking for. I don't find this to be as effective as a full-suite inventory tool, but it does the trick nonetheless.
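As an added example (not code from the original post), the two cmdlets above combined into one baseline export that can be diffed between runs. It assumes RSAT with the GroupPolicy and ActiveDirectory modules is installed, the running account can read GPOs and AD, and `C:\Reports\AD-GP` is a placeholder for a protected location.

```powershell
# Export every GPO's settings report plus a flat AD object inventory, timestamped per run
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ReportRoot = 'C:\Reports\AD-GP'   # placeholder; point this at a protected share
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$OutDir     = Join-Path $ReportRoot $Stamp
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One HTML report per GPO, named by display name (characters invalid in file names replaced)
foreach ($gpo in Get-GPO -All) {
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html `
        -Path (Join-Path $OutDir "GPO_$safeName.html")
}

# A single XML report of all GPOs in the domain, suitable for machine diffing
Get-GPOReport -All -ReportType Xml -Path (Join-Path $OutDir 'AllGPOs.xml')

# Flat inventory of user, computer and group objects with the fields auditors ask about
Get-ADObject -Filter 'objectClass -eq "user" -or objectClass -eq "group"' `
    -Properties whenCreated, whenChanged, description |
    Select-Object Name, ObjectClass, DistinguishedName, whenCreated, whenChanged, description |
    Export-Csv -Path (Join-Path $OutDir 'ADObjects.csv') -NoTypeInformation

# Compare with the previous run so new, deleted or modified objects stand out
$Previous = Get-ChildItem $ReportRoot -Directory |
    Where-Object Name -ne $Stamp | Sort-Object Name | Select-Object -Last 1
if ($Previous) {
    $old = Import-Csv (Join-Path $Previous.FullName 'ADObjects.csv')
    $new = Import-Csv (Join-Path $OutDir 'ADObjects.csv')
    # SideIndicator '=>' marks rows only in the new run, '<=' rows only in the old one
    Compare-Object $old $new -Property DistinguishedName, whenChanged |
        Export-Csv -Path (Join-Path $OutDir 'ADObjects.diff.csv') -NoTypeInformation
}
```

Computer objects carry the `user` object class as well, so the filter returns them too; the diff file is what to review after each run.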

Once you have an idea of what you're looking at and where it's located, it's time to take a deeper dive into what's happening on your Domain Controller. This server often hosts things like AD, DNS, DHCP and Group Policy. It's referred to as a Domain Controller because everything on your domain passes through it to discover what's going where and why, and whether it's approved to take action. Network rules and object creation take place here. If you're looking to connect from another machine on the network you can take advantage of the Remote Server Administration Tools, which can be found here:

https://www.microsoft.com/en-us/download/details.aspx?id=45520

You can also enable this in the "Turn Windows Features on or off" function of your Windows desktop OS. Cloud-hosted solutions such as AWS Directory Service allow you to connect the same way you would to a full-suite Windows Domain Controller. This often means less overhead, as the security/OS layer is hosted for the client: you don't need to patch or maintain another instance of Windows. For more information see:

https://aws.amazon.com/directoryservice/

Let's get into actually reporting the events that occur and parsing them for your domain environment. There's a really nice repository known as PSWinReporting:

https://github.com/EvotecIT/PSWinReporting

This is essentially a full-suite, pre-configured repository that allows reports to be generated from your domain-joined machine after installing a couple of modules:

https://www.powershellgallery.com/packages/PSWinReporting/1.8.1.1

https://www.powershellgallery.com/packages/PSWinReportingV2/2.0.10

Download the repo and install the modules above using the commands provided on each page. You can then use the sample given here:

https://evotec.xyz/hub/scripts/pswinreporting-powershell-module/

This script is a good baseline but should be tweaked to your needs. Please research event IDs and find out which ones you are required to have eyes on. You can add and remove events as needed. The baseline script generates a report and outputs it to the C:\UserName\%AppData%\Local\Temp directory by default. The path can be changed via the variables at the top of the script, and it should be changed to fit your needs and to point at a better location for safekeeping.

Now onto automating the process. The script contains SMTP variables where you simply specify an account to send as over your mail server. You can have this kick off and email reports however you choose by running the .ps1 file provided at:

https://evotec.xyz/hub/scripts/pswinreporting-powershell-module/

If run via a scheduled task this becomes something "powerful". I chose to copy the output to a UNC path (\\dnsname\c$\reports) for safekeeping and auditing purposes, and I suggest you do the same. I hope this guide helps you gain insight into your environment and what occurs over a span of time. It's a good process for optimization and upkeep. Simply research the outputs, find out why events are occurring and perform remediation.
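An added example (not part of PSWinReporting or the original post) of the scheduled-task and UNC-archive steps described above. The script path, the `DOMAIN\gmsa-audit$` service account and the report file pattern are assumptions; the UNC path is the one from the post.

```powershell
# Register a daily task that runs your tweaked report script, then archive its output
$ScriptPath = 'C:\Scripts\Run-DomainReport.ps1'   # placeholder: the .ps1 built from the sample
$LocalOut   = Join-Path $env:LOCALAPPDATA 'Temp'   # the sample's default output directory
$Archive    = '\\dnsname\c$\reports'               # UNC path used in the post

# 1. Daily task at 06:00. A group managed service account (placeholder name) is used so no
#    password has to be stored with the task; -LogonType Password is how gMSAs are registered.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 6am
$principal = New-ScheduledTaskPrincipal -UserId 'DOMAIN\gmsa-audit$' `
    -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'AD-GP Daily Report' -Action $action `
    -Trigger $trigger -Principal $principal -Description 'Domain change report' -Force

# 2. Archive step: copy the newest report to the share and record its SHA-256 so the
#    archived copy can be checked for tampering when an auditor asks for it.
function Copy-ReportToArchive {
    param([string]$Source, [string]$Destination)
    # Assumption: the report is written as an HTML file; adjust the filter to your script
    $latest = Get-ChildItem $Source -Filter '*.html' -File |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { return $null }
    $dest = Join-Path $Destination ('{0:yyyyMMdd-HHmm}_{1}' -f $latest.LastWriteTime, $latest.Name)
    Copy-Item -Path $latest.FullName -Destination $dest
    $hash = Get-FileHash -Path $dest -Algorithm SHA256
    "$($hash.Hash)  $(Split-Path $dest -Leaf)" |
        Add-Content -Path (Join-Path $Destination 'SHA256SUMS.txt')
    return $dest
}

Copy-ReportToArchive -Source $LocalOut -Destination $Archive
```

Call Copy-ReportToArchive at the end of the report script (or as a second action in the task) so every run lands on the share with its hash recorded.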
