This how-to shows how to build an automatic e-mail report about user accounts created in your domain using PowerShell. We will then compare this auditing method with the same operation in Netwrix Auditor.
Let’s get started.
Test a simple filter
First, we need a basic understanding of how this works. We filter the Security log for events with the relevant ID, in our case 4720 (a user account was created), by running the following command in PowerShell:
Get-WinEvent -FilterHashtable @{LogName="Security";ID=4720}
Specify the information
As you can see, the result tells us that an account was created, but not which account or who created it. Let's extract that information.
The details are stored in the event's XML payload, so we select the attributes we need from it with the following PowerShell command:
Get-WinEvent -FilterHashtable @{LogName="Security";ID=4720} | Select-Object TimeCreated, @{n="Account Creator";e={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq "SubjectUserName"} | ForEach-Object {$_.'#text'}}}, @{n="User Account";e={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq "SamAccountName"} | ForEach-Object {$_.'#text'}}}
Add “send to e-mail” option
Let's put the needed information into a report and send it by e-mail. To do that, we need the following script.
Test the script
Save the script with a .ps1 extension and drag the file into a PowerShell console to test it. A message should then arrive in your mailbox. (If the script refuses to run, the execution policy is blocking it. Set-ExecutionPolicy RemoteSigned is enough for a script you wrote locally and is safer than Unrestricted; type Y to confirm.)
Check the sender info
Great, you got the message! But pay attention to the sender: it should be a dedicated, tightly restricted mailbox, because its password is stored in the script in clear text, and anyone who can read the script file can use that account.
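Since the article's own script is not reproduced on this page, here is an added example of the complete report script (not the original author's code). It performs the three steps above: filter the Security log for 4720, pull the creator and the new account out of the event XML, and e-mail an HTML table. It also addresses the sender-password problem by reading the SMTP credential from a DPAPI-protected file instead of embedding it in the script. The SMTP server, addresses, paths and parameter names are assumptions; change them for your environment.

```powershell
# Report-NewUserAccount.ps1 (added example; server names, addresses and paths are assumptions)
param(
    [int]$MinutesBack   = 10,
    [string]$SmtpServer = 'smtp.example.com',         # assumption
    [string]$From       = 'ad-audit@example.com',     # assumption
    [string[]]$To       = @('secops@example.com'),    # assumption
    [string]$CredPath   = 'C:\Scripts\smtp.cred.xml'  # assumption
)

# Turn one 4720 record into a flat object. EventData\Data elements are looked
# up by their Name attribute, so the column order inside the event does not matter.
function ConvertFrom-Event4720 {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        TimeCreated    = $Event.TimeCreated
        Computer       = $x.Event.System.Computer          # the DC that logged the creation
        AccountCreator = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        UserAccount    = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        SamAccountName = $d['SamAccountName']
        TargetSid      = $d['TargetSid']
    }
}

# Only look back a short window: the scheduled task fires once per event, so we
# must not re-send the whole history each time. -ErrorAction SilentlyContinue
# swallows the "No events were found" error Get-WinEvent raises on an empty result.
$since  = (Get-Date).AddMinutes(-$MinutesBack)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4720; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { return }

$rows = $events | ForEach-Object { ConvertFrom-Event4720 -Event $_ }
$body = $rows | ConvertTo-Html -Title 'New AD user accounts' `
                               -PreContent "<h3>Event 4720 reported by $env:COMPUTERNAME</h3>" | Out-String

# The SMTP password is NOT in this file. Create the credential file once, logged on
# as the same Windows account the scheduled task will run under:
#   Get-Credential | Export-Clixml C:\Scripts\smtp.cred.xml
# Export-Clixml protects the password with DPAPI, so only that user on that
# machine can decrypt it. Use a send-only mailbox for $From all the same.
$cred = Import-Clixml -Path $CredPath

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -UseSsl -Credential $cred `
    -Subject ('New user account(s) created: ' + ($rows.SamAccountName -join ', ')) `
    -Body $body -BodyAsHtml
```

Run it once interactively after exporting the credential file; if the mail arrives, the same file works unattended as long as the task runs under the account that created it.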
Trigger settings in Task Scheduler
Now we need to run this script after each account creation, and Task Scheduler will help us with that. Open Task Scheduler, create a new task, give it a name and go to the Triggers tab. Create a trigger with the following options:
a. Begin the task: On an event
b. Log: Security
c. Source: (leave blank)
d. Event ID: 4720
Action settings in Task Scheduler
Go to the Actions tab and create an action with the following parameters:
a. Action: Start a program
b. Program/script: powershell.exe
c. Add arguments (optional): -NoProfile -ExecutionPolicy Bypass -File "file path to our script"
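The same trigger and action can be registered from PowerShell instead of clicking through the GUI, which is handy when the task has to exist on every domain controller. This is an added example, not part of the original article. The script path, task name and service account are assumptions; the account needs to be able to read the Security log (membership in Event Log Readers is enough) and must be the one that exported the SMTP credential file, because DPAPI ties that file to the user.

```powershell
# Register-NewUserReportTask.ps1 (added example; path, task name and account are assumptions)
# Run from an elevated PowerShell prompt on the domain controller.
$ScriptPath = 'C:\Scripts\Report-NewUserAccount.ps1'   # assumption
$TaskName   = 'AD - report new user account'            # assumption
$RunAsUser  = 'CORP\svc-adaudit'                        # assumption: low-privilege account in Event Log Readers

# New-ScheduledTaskTrigger cannot create an "On an event" trigger, so build the
# MSFT_TaskEventTrigger CIM instance directly. The Subscription is the same XPath
# query the GUI generates for Log=Security, Source=blank, Event ID=4720.
$triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4720)]]</Select>
  </Query>
</QueryList>
'@

# Action: run the script non-interactively. -ExecutionPolicy Bypass applies to this
# process only, so the machine-wide policy does not have to be loosened.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Queue instances so that two accounts created seconds apart both get reported,
# and cap the run time so a hung SMTP session cannot pile up processes.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Queue `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -StartWhenAvailable

# -User/-Password makes the task run whether the account is logged on or not.
# The password is only prompted for here; it is stored by Task Scheduler, not in a script.
$password = Read-Host -Prompt "Password for $RunAsUser"
Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Settings $settings `
    -User $RunAsUser -Password $password -RunLevel Limited | Out-Null

# Verify that the trigger really is an event subscription and the task is enabled.
(Get-ScheduledTask -TaskName $TaskName).Triggers | Select-Object Enabled, Subscription
```

Creating a test account afterwards should start the task within a few seconds; check the History tab of the task (or Get-ScheduledTaskInfo) if no mail arrives.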
Final step
Create a test AD account and check how the script performs.
Done! Now, whenever a user is created in your domain, you will get an e-mail report about it within seconds. Keep in mind that event 4720 is written to the Security log of the domain controller that processed the creation, so the task has to be registered on every domain controller.
As you can see, this is neither an easy nor a flexible solution for Active Directory auditing. Now let's compare it with the same operation in Netwrix Auditor.
Netwrix Auditor for Active Directory Installation
Download free trial here. Follow these installation instructions.
Netwrix Auditor for Active Directory Configuration
Run Netwrix Auditor, click on “Active Directory” tile.
Click “Next”.
Enter the domain name you want to audit and specify the account with domain admin rights to be used for data collection.
Check the SQL Server settings. If everything is correct, click "Next"; otherwise go to "Settings" > "Reports" and set up the SQL Server there.
Enable state-in-time reports and click "Next".
Enable Lightweight agents and click “Next”.
Select Active Directory as audited system and click “Next”.
Add the e-mail address(es) that will receive reports from Netwrix Auditor.
Configure real-time alerts depending on your needs.
Click “Finish”.
Data collection launch
Run Netwrix Auditor, expand "Managed Objects", click on your domain name and click the "Run" button.
New User Accounts Report
Run Netwrix Auditor > Managed Objects > Your.domain.name > Active Directory > Reports > AD Change Tracking > User Accounts > “New User Accounts” report.
Specify the period for the report and click the "View Report" button.
You can subscribe to receive this report by e-mail every day.
So we have done exactly the same thing with Netwrix Auditor for Active Directory as with the PowerShell script above. As you can see, it is easier, more informative and more convenient to use, and it comes with many other reports and real-time alerts that will be very useful.