Security Monitoring: Discover Admin Accounts

Security.Monitoring.AdminAccountDiscovery (Discovery)

Once enabled, this discovery enumerates every AD user whose adminCount attribute is 1 (the script's filter) and creates one Security.Monitoring.AdminAccounts instance per account. NOTE: enable it (by override) for only one computer, and pick one that has the Active Directory PowerShell module installed and whose agent action account can read user objects in the domain — the workflow runs under the Default RunAs profile, queries the whole domain rather than the local machine, and every agent it is enabled on would submit the same set of instances. adminCount=1 is a heuristic: AdminSDHolder sets it on members of protected groups and does not clear it when an account leaves such a group, so review the discovered set against actual protected-group membership.

Element properties:

TargetMicrosoft.Windows.Computer
EnabledFalse
Frequency86400
Remotable False (note: the XML source below declares Remotable="true"; the rendered property table and the source disagree, so check the compiled management pack before relying on this value)

Object Discovery Details:

Discovered Classes and their attributes:

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.TimedPowerShell.DiscoveryProvider Default

Source Code:

<Discovery ID="Security.Monitoring.AdminAccountDiscovery" Target="Windows!Microsoft.Windows.Computer" Enabled="false" ConfirmDelivery="false" Remotable="true" Priority="Normal">
<Category>Discovery</Category>
<DiscoveryTypes>
<DiscoveryClass TypeID="Security.Monitoring.AdminAccounts">
<Property TypeID="Security.Monitoring.AdminAccounts" PropertyID="DistinguishedName"/>
<Property TypeID="Security.Monitoring.AdminAccounts" PropertyID="Enabled"/>
<Property TypeID="Security.Monitoring.AdminAccounts" PropertyID="Name"/>
<Property TypeID="Security.Monitoring.AdminAccounts" PropertyID="SAMAccountName"/>
<Property TypeID="Security.Monitoring.AdminAccounts" PropertyID="UPN"/>
</DiscoveryClass>
</DiscoveryTypes>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.TimedPowerShell.DiscoveryProvider">
<IntervalSeconds>86400</IntervalSeconds>
<SyncTime/>
<ScriptName>DiscoverAdminAccounts.PS1</ScriptName>
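<ScriptBody><Script>param($sourceId,$managedEntityId,$computerName)
# Constants used for event logging.
# The script name must match the <ScriptName> declared for this DataSource
# (DiscoverAdminAccounts.PS1) so that events land under the name an operator
# will search for; the original value was copied from a different script
# (DiscoverWriteableLocations.ps1) and mislabelled every event.
$SCRIPT_NAME = 'DiscoverAdminAccounts.PS1'
$EVENT_LEVEL_ERROR = 1
$EVENT_LEVEL_WARNING = 2
$EVENT_LEVEL_INFO = 4

# Event IDs this script raises in the Operations Manager log. 813 is the
# "run failed" event the AD-module check refers to but never defined.
$SCRIPT_STARTED = 811
$CLASS_CREATED = 812
$SCRIPT_ERROR = 813
$SCRIPT_ENDED = 815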

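function Log-DebugEvent
{
    # Writes an informational trace event to the Operations Manager log via
    # the MOM.ScriptAPI object in $api (created at script scope).
    #   $eventNo - event ID to raise (one of the $SCRIPT_* constants)
    #   $message - event text; a leading newline is prepended for readability
    # $debug is a script-scope toggle: set $debug = $false to silence trace
    # events. The original test was `if ($debug = $true)`, an assignment that
    # always succeeded, so the toggle never had any effect; `-ne $false` keeps
    # the effective "log unless explicitly disabled" behaviour while making
    # the toggle actually work.
    param($eventNo, $message)

    $message = "`n" + $message
    if ($debug -ne $false)
    {
        $api.LogScriptEvent($SCRIPT_NAME, $eventNo, $EVENT_LEVEL_INFO, $message)
    }
}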
# Handle to the OpsMgr scripting API and the discovery-data container that
# every discovered instance is added to and that the script returns at the end.
$api = New-Object -ComObject 'MOM.ScriptAPI'
$discoveryData = $api.CreateDiscoveryData(0, $sourceId, $managedEntityId)

# Start-of-run trace event carrying the parameters SCOM passed in
# (logged regardless of any debug setting, as before).
$message = @(
    'Script started',
    ('Source ID: ' + $sourceId),
    ('Managed Entity ID: ' + $managedEntityId),
    ('Computer Name: ' + $computerName)
) -join "`n"
Log-DebugEvent $SCRIPT_STARTED $message

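# Verify the Active Directory module is available and load it.
# The original used Add-PSSnapin, which cannot load a module (ActiveDirectory
# is a module, not a snap-in) and hid that failure with SilentlyContinue; it
# then fell through to Get-ADUser regardless, with a log call that passed an
# undefined $SCRIPT_ERROR and a single-quoted, un-interpolated message.
$ADModule = "ActiveDirectory"
if (-not $SCRIPT_ERROR) { $SCRIPT_ERROR = 813 }   # event ID for a failed run
$moduleError = $null
if (Get-Module -ListAvailable -Name $ADModule)
{
    try
    {
        Import-Module -Name $ADModule -ErrorAction Stop
    }
    catch
    {
        $moduleError = "Active Directory module failed to load on ${computerName}: $_"
    }
}
else
{
    $moduleError = "Active Directory module NOT installed on $computerName"
}
if ($moduleError)
{
    # Log at ERROR level (bypassing the debug toggle) and stop WITHOUT returning
    # $discoveryData: an empty discovery result is a valid snapshot that tells
    # SCOM every previously discovered admin account no longer exists, which
    # would silently drop them from monitoring. Returning nothing leaves the
    # existing inventory untouched and surfaces as a failed discovery instead.
    $api.LogScriptEvent($SCRIPT_NAME, $SCRIPT_ERROR, $EVENT_LEVEL_ERROR, $moduleError)
    return
}
# No blanket $ErrorActionPreference = "SilentlyContinue" here: it would hide an
# AD query failure and let the script submit an empty snapshot. Errors that
# matter are handled per call instead.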

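# Enumerate the accounts to discover. adminCount=1 is set by AdminSDHolder on
# members of protected groups (Domain Admins, Enterprise Admins, ...), so it is
# a cheap proxy for "privileged account". Caveats: the attribute is not cleared
# when an account leaves a protected group (orphaned adminCount), and it says
# nothing about accounts privileged through other means (OU delegation, GPO
# rights, local Administrators). The five properties read below are part of
# Get-ADUser's default output, so -Properties should not be needed.
try
{
    $AdminUsers = @(Get-ADUser -Filter 'adminCount -eq 1' -ErrorAction Stop)
}
catch
{
    # Do NOT fall through and return an empty result: SCOM would treat the empty
    # snapshot as "no admin accounts exist" and remove every instance discovered
    # earlier. Log at ERROR level and return nothing so the inventory is kept.
    if (-not $SCRIPT_ERROR) { $SCRIPT_ERROR = 813 }
    $api.LogScriptEvent($SCRIPT_NAME, $SCRIPT_ERROR, $EVENT_LEVEL_ERROR, "Get-ADUser failed on ${computerName}: $_")
    return
}

foreach ($user in $AdminUsers)
{
    # $MPElement[...]$ tokens are substituted by SCOM when the MP is imported;
    # they are not PowerShell variables.
    $instance = $discoveryData.CreateClassInstance("$MPElement[Name='Security.Monitoring.AdminAccounts']$")
    $instance.AddProperty("$MPElement[Name='Security.Monitoring.AdminAccounts']/DistinguishedName$", $user.DistinguishedName)
    $instance.AddProperty("$MPElement[Name='Security.Monitoring.AdminAccounts']/Enabled$", $user.Enabled)
    $instance.AddProperty("$MPElement[Name='Security.Monitoring.AdminAccounts']/Name$", $user.Name)
    $instance.AddProperty("$MPElement[Name='Security.Monitoring.AdminAccounts']/SAMAccountName$", $user.SamAccountName)
    $instance.AddProperty("$MPElement[Name='Security.Monitoring.AdminAccounts']/UPN$", $user.UserPrincipalName)
    $discoveryData.AddInstance($instance)

    # The original message referenced an undefined $currfile and said
    # 'Service class' (copied from another discovery); name the account instead.
    $message = 'Created AdminAccounts instance for ' + $user.SamAccountName + "`n" + `
               'Computer Name: ' + $computerName + "`n"
    Log-DebugEvent $CLASS_CREATED $message
}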
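# End-of-run trace event. The original passed `-$message`, which in argument
# mode appears to be taken as a plain argument ("-" prefixed to whatever the
# last loop iteration left in $message) rather than a parameter, so the event
# carried a stale per-instance message.
Log-DebugEvent $SCRIPT_ENDED 'Script ended'
# Return the discovery data so the provider submits the snapshot. This is the
# only normal exit; failure paths above return nothing on purpose so that an
# empty snapshot never wipes the previously discovered admin accounts.
$discoveryData</Script></ScriptBody>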
<Parameters>
<Parameter>
<Name>sourceID</Name>
<Value>$MPElement$</Value>
</Parameter>
<Parameter>
<Name>managedEntityID</Name>
<Value>$Target/Id$</Value>
</Parameter>
<Parameter>
<Name>computerName</Name>
<Value>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>
</Parameter>
</Parameters>
<TimeoutSeconds>300</TimeoutSeconds>
</DataSource>
</Discovery>