Thursday, July 31, 2014

Poor man's IP to Username, using PowerShell & Domain Controller logs

This customer had many offices and needed to get rid of its Windows XP machines.
Due to the lack of inventory and computer management, we had no way of knowing who was using them!
Ping and remote access were blocked on the hosts, so we couldn't gather that information via WMI.

But the LastLogonTimeStamp was still being updated for these computers, which led us to believe they were still in use.
The solution I came up with: if someone was still using these XP machines, they were authenticating against the domain controllers, and a logon event (4624) was being written with the source IP and the username.

Once you load the quick and dirty function called "Get-UserName-for-PC-by-DC-events" (silly name, sorry), run these 2 commands to get some results:

Import-module ActiveDirectory
Get-ADComputer -Filter {Enabled -eq $true -and operatingsystem -like '*xp*'} -Properties IPv4Address | %{Get-UserName-for-PC-by-DC-events -DCname "DC01" -Ip $_.IPv4Address}

7/31/2014 1:18:33 PM  --  john.doe at this address -->  10.26.1.15  using  Kerberos


A nice enhancement would be to query all domain controllers.
Finally, your mileage may vary depending on how big your security logs are, how often they rotate and how often these XP users log on (you could run it as a scheduled task).
Function Get-UserName-for-PC-by-DC-events
{
  param(
        [Parameter(Mandatory=$True)]
        [string]$DCname,
        [Parameter(Mandatory=$True)]
        [string]$Ip
       )
    # Match 4624 (successful logon) events whose IpAddress field equals the IP we are looking for
    $xpathfilter = 'Event[System[EventID=4624] and EventData[Data[@Name="IpAddress"]="'+$Ip+'"]]'

    # -MaxEvents 1 returns only the newest match on this DC.
    # -ErrorAction SilentlyContinue keeps Get-WinEvent from raising "No events were found"
    # when the DC has no logon from this IP (otherwise the pipeline fills up with red errors).
    Foreach ($event in get-winevent -ComputerName $DCname -LogName Security -FilterXPath $xpathfilter -MaxEvents 1 -ErrorAction SilentlyContinue)
    {
        # 4624 EventData order: [5]=TargetUserName, [9]=LogonProcessName, [18]=IpAddress
        Write-host $event.TimeCreated " -- " $event.Properties[5].Value "at this address --> " $event.Properties[18].Value " using " $event.Properties[9].Value
    }
}
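As an added example (not the original post's code), here is the "query all domain controllers" enhancement mentioned above, written as a function that emits objects instead of text so the results can be sorted, filtered or exported. It assumes the ActiveDirectory module is available and that you have read access to each DC's Security log; the function name Get-LogonUserByIp and the -IncludeComputerAccounts switch are my own choices, not anything from the original. It also skips machine-account logons (names ending in $) by default, because the XP host itself authenticates to the DCs and would otherwise be the "user" you get back with -MaxEvents 1.

```powershell
# Added example, not the original post's function. Assumes the ActiveDirectory
# module and read access to the Security log on every domain controller.
function Get-LogonUserByIp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Ip,

        # Optional list of DCs to query; default is every DC in the current domain
        [string[]]$DomainController,

        # Matching events to pull per DC, newest first
        [int]$MaxEvents = 5,

        # By default machine-account logons (HOST$) are dropped; the XP host itself
        # authenticates to the DC and would otherwise show up as the "user"
        [switch]$IncludeComputerAccounts
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    if (-not $DomainController) {
        $DomainController = (Get-ADDomainController -Filter *).HostName
    }

    # Same XPath shape as the original function: 4624 events whose IpAddress field equals $Ip
    $xpath = 'Event[System[EventID=4624] and EventData[Data[@Name="IpAddress"]="' + $Ip + '"]]'

    foreach ($dc in $DomainController) {
        # A DC with no matching events reports an error instead of returning nothing,
        # so silence it and move on to the next DC
        $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # 4624 EventData order: [5]=TargetUserName, [6]=TargetDomainName, [8]=LogonType,
            # [9]=LogonProcessName, [11]=WorkstationName, [18]=IpAddress
            $user = $e.Properties[5].Value
            if (-not $IncludeComputerAccounts -and $user -like '*$') { continue }

            [pscustomobject]@{
                TimeCreated  = $e.TimeCreated
                DC           = $dc
                User         = '{0}\{1}' -f $e.Properties[6].Value, $user
                LogonType    = $e.Properties[8].Value
                LogonProcess = $e.Properties[9].Value
                Workstation  = $e.Properties[11].Value
                IpAddress    = $e.Properties[18].Value
            }
        }
    }
}

# Usage: newest human logon per XP host, across all DCs. Hosts without an
# IPv4Address in AD are skipped so the XPath filter never gets an empty string.
Get-ADComputer -Filter {Enabled -eq $true -and OperatingSystem -like '*xp*'} -Properties IPv4Address |
    Where-Object IPv4Address |
    ForEach-Object { Get-LogonUserByIp -Ip $_.IPv4Address -MaxEvents 1 } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, User, IpAddress, Workstation, LogonProcess, DC -AutoSize
```

Because each DC only holds the logons it handled itself, querying all of them and sorting by TimeCreated is what gives you the most recent user for a host rather than whichever user happened to hit DC01. The same property indexes as the original function are used, so if the output looks wrong on your event version, compare them against the EventData of one 4624 event in Event Viewer.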
