Sign up to save your podcasts
Or
Share #24: Extracting Last Logon Times from Active Directory using Powershell
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
#24: Extracting Last Logon Times from Active Directory using Powershell
A common question in an audit of information resources is whether or not accounts for users are being properly managed. One aspect of that is determining whether or not the accounts created are needed while another is looking for evidence that accounts for terminated users are being disabled or deleted in a timely fashion. An easy way to answer both of these questions is through the use of Active Directory queries! This screencast demonstrates exactly how to do just that.
While it's true that the information that we're looking for can be obtained directly from the Active Directory using tools like DSQuery and DSGet, in the long term I think it's far wiser to learn a little bit of basic scripting that will allow you to perform just about any kind of query you'd ever want to in Active Directory, even if your admins have customized the Active Directory Schema!
Learning to write Powershell scripts, though, can seem daunting. Not only will we have to face the differences between different versions of Powershell and the .NET requirements that sometimes lead to software conflicts when we're still using some legacy code, but some Powershell scripts just look downright confusing! Not to worry.
Rather than trying to learn everything that there is to know about Powershell and directory queries, there's a great deal of value in learning some basic "recipes" that can be used to extract useful data using a script. Once we've got a good handle on the recipe, it's much easier to just adjust the "ingredients", if you will, to get at what we're looking for.
In the various classes that I teach for Auditors, whenever there's an opportunity to do so, I strongly recommend that auditors take some time to learn some basic scripting. This screencast is a perfect example. Once you've got a few of the basics in the script, you can easily modify the script to look for just about anything you'd want to. Not only that, you can make those modifications without ever really getting a deep understanding of exactly what an Active Directory Search object is and how it works!
The source code for this script can be obtained here: http://it-audit.sans.org/blog/2012/03/05/identifying-inactive-and-unnecessary-user-accounts-in-active-directory-with-powershell
View all episodes
A common question in an audit of information resources is whether or not accounts for users are being properly managed. One aspect of that is determining whether or not the accounts created are needed while another is looking for evidence that accounts for terminated users are being disabled or deleted in a timely fashion. An easy way to answer both of these questions is through the use of Active Directory queries! This screencast demonstrates exactly how to do just that.
While it's true that the information that we're looking for can be obtained directly from the Active Directory using tools like DSQuery and DSGet, in the long term I think it's far wiser to learn a little bit of basic scripting that will allow you to perform just about any kind of query you'd ever want to in Active Directory, even if your admins have customized the Active Directory Schema!
Learning to write Powershell scripts, though, can seem daunting. Not only will we have to face the differences between different versions of Powershell and the .NET requirements that sometimes lead to software conflicts when we're still using some legacy code, but some Powershell scripts just look downright confusing! Not to worry.
Rather than trying to learn everything that there is to know about Powershell and directory queries, there's a great deal of value in learning some basic "recipes" that can be used to extract useful data using a script. Once we've got a good handle on the recipe, it's much easier to just adjust the "ingredients", if you will, to get at what we're looking for.
In the various classes that I teach for Auditors, whenever there's an opportunity to do so, I strongly recommend that auditors take some time to learn some basic scripting. This screencast is a perfect example. Once you've got a few of the basics in the script, you can easily modify the script to look for just about anything you'd want to. Not only that, you can make those modifications without ever really getting a deep understanding of exactly what an Active Directory Search object is and how it works!
The source code for this script can be obtained here: http://it-audit.sans.org/blog/2012/03/05/identifying-inactive-and-unnecessary-user-accounts-in-active-directory-with-powershell