
Safely change the Administrator Password

In one of my current projects, the customer wants to change the password of the Active Directory built-in Administrator account. This account had been used for several years for setting up scheduled tasks, running services and all kinds of other things. To ensure that no major business application would be affected by the change, we needed to identify every process and person using the Administrator account and create separate service accounts for those applications.

I created a PowerShell script, which the customer executed on a regular basis on all of their domain controllers. The script parses the security event log for any successful logon with the specified account and outputs the IP address and source port from which the account authenticated. With that information we were able to identify all applications and services using the account and ensure a smooth transition to the new, secure password.

######################################################################
## (C) 2017 Michael Miklis (michaelmiklis.de)
##
##
## Filename:      Get-LogonFromSecurityLog.ps1
##
## Version:       1.0
##
## Release:       Final
##
## Requirements:  -none-
##
## Description:   Parses the security eventlog for logons of a
##                specific account.
##
## This script is provided 'AS-IS'.  The author does not provide
## any guarantee or warranty, stated or implied.  Use at your own
## risk. You are free to reproduce, copy & modify the code, but
## please give the author credit.
##
####################################################################
Set-PSDebug -Strict
Set-StrictMode -Version latest

function Get-LogonFromSecurityLog {
    <#
    .SYNOPSIS
    Parses the security eventlog for logons of a specific account

    .DESCRIPTION
    The Get-LogonFromSecurityLog CMDlet parses all security eventlog
    messages for specific logon events. It returns the client IP and
    source port from where the logon event was triggered.

    .PARAMETER LastHours
    Only parse events not older than X hours (0 = whole log)

    .PARAMETER Username
    Username to search for

    .EXAMPLE
    Get-LogonFromSecurityLog -Username "Administrator" -LastHours 2
    #>

    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$Username,

        [parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [int]$LastHours = 0
    )

    if ($LastHours -gt 0)
    {
        $events = Get-EventLog -LogName Security -After (Get-Date).AddHours(-$LastHours)
    }
    else
    {
        $events = Get-EventLog -LogName Security
    }

    # loop through each found event
    foreach ($event in $events)
    {
        # 4624 = "An account was successfully logged on"
        # NOTE: Contains() is a case-sensitive substring match on the whole
        # message text, so it also matches the subject account and longer
        # names such as "Administrators".
        if (($event.EventID -eq 4624) -and ($event.Message.Contains($Username)))
        {
            # extract the source ip address and port from the message text
            #
            # NOTE: only works on English language systems. On other
            # languages replace "Source Network Address" and "Source Port"
            # with the localized field names (e.g. "Quellnetzwerkadresse"
            # on German systems).
            $ip   = $null
            $port = $null

            if ($event.Message -match 'Source Network Address:\s*(\S+)')
            {
                $ip = $Matches[1]
            }

            if ($event.Message -match 'Source Port:\s*(\S+)')
            {
                $port = $Matches[1]
            }

            # print source ip and port to console
            "$ip;$port"
        }
    }
}

Get-LogonFromSecurityLog -Username "Administrator" -LastHours 2
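As an added example, not part of the original script, here is a variant of the same idea that does not depend on the display language of the domain controller. Instead of cutting the source address out of the localized message text, it reads the structured EventData fields of each 4624 event (TargetUserName, IpAddress, IpPort, LogonType, ...) from the event's XML, and it lets Get-WinEvent filter on event ID and time window before the events are transferred, which is much faster than loading the whole Security log with Get-EventLog. The function name Get-AccountLogonSource and its parameters are my own choice; the field names are the standard EventData names of event 4624.

```powershell
function Get-AccountLogonSource {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Username,

        # 0 = whole log, otherwise only events of the last X hours
        [int]$LastHours = 24,

        # Defaults to the local machine; pass a domain controller name to
        # query it remotely (requires the remote event log service).
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # -FilterHashtable is evaluated by the event log service itself, so only
    # 4624 ("An account was successfully logged on") events in the time
    # window are returned and parsed.
    $filter = @{ LogName = 'Security'; Id = 4624 }
    if ($LastHours -gt 0) {
        $filter['StartTime'] = (Get-Date).AddHours(-$LastHours)
    }

    # Get-WinEvent throws a terminating error when no event matches; treat
    # "no events" as an empty result instead.
    $records = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($record in $records) {
        # The XML view exposes the raw EventData fields by name, independent
        # of the language in which the message text is rendered.
        $xml  = [xml]$record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # Exact, case-insensitive match on the account that logged on, not a
        # substring match on the whole message.
        if ($data['TargetUserName'] -ine $Username) { continue }

        [pscustomobject]@{
            TimeCreated      = $record.TimeCreated
            DomainController = $ComputerName
            Account          = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType        = $data['LogonType']          # 2 interactive, 3 network, 4 batch, 5 service, 10 RDP
            SourceIP         = $data['IpAddress']          # "-" when no network address was recorded
            SourcePort       = $data['IpPort']
            Workstation      = $data['WorkstationName']
            AuthPackage      = $data['AuthenticationPackageName']
        }
    }
}

# Summarise which source hosts used the account, and how, so that each one
# can be traced to an application or person before the password is changed.
Get-AccountLogonSource -Username 'Administrator' -LastHours 24 |
    Group-Object SourceIP, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The LogonType column is worth keeping in the output: a type 4 (batch) or type 5 (service) logon points at a scheduled task or a service configured with the account on that host, while type 3 (network) logons come from remote connections to the domain controller. Note that a 4624 event is written on the machine where the logon session is created, so the Security log of a domain controller only shows logons to that domain controller itself; for an overview of where the account is used against member servers, the same function can be run with -ComputerName against those servers, or the Kerberos ticket events (4768/4769) on the domain controllers can be examined in addition.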