As a network grows, it's a good idea to keep tabs on the various administrator accounts you have deployed. If you use a common naming convention for these accounts, the script below can help you spot whether one of them is being abused.

Copy and paste this script into Notepad and save it as audit_adminlogons.ps1.

By default, this script checks for matching accounts that have logged on in the last 7 days, and it assumes the account name starts with admin. If you prefix your admin accounts with something different, adjust the line marked by the comment in the script. You can also change how many days back to search; that line is marked by a comment as well.

The script saves the results to a CSV named admin_logons_<date ran>.csv in the folder the script is run from.

# -----------------------------------------------------------------
# Audit Admin Logons
# Created by: Christopher Clai - www.syntaxbearror.io
# -----------------------------------------------------------------
# Version 1.0 (August 5th, 2019)
# -----------------------------------------------------------------
#
# Example of running the script:
# .\audit_adminlogons.ps1
#
# ##### CHANGELOG ########
# Version 1.0
#

# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Replace admin with whatever common account prefix we are tracking.
$admname = "admin" + "*"

# Alter the negative number to how many days back you want to go.
$range = ((Get-Date).AddDays(-7)).Date

# -----
# DO NOT EDIT ANYTHING BELOW THIS LINE
# -----

# "MM" is the month; lower-case "mm" would insert the minutes instead.
$fnmod = Get-Date -Format "yyyyMMdd"

# Write the CSV next to the script ($PSScriptRoot is empty when the lines are pasted
# into an interactive session, so fall back to the current directory in that case).
$outdir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$fname  = Join-Path $outdir ("admin_logons_" + $fnmod + ".csv")

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which a DC
# only rewrites when the stored value is more than 14 days old (minus a random 0-5 days),
# so the date is approximate. The non-replicated, per-DC lastLogon attribute is exact.
Get-ADUser -Filter {SamAccountName -like $admname -and LastLogonDate -ge $range} -Properties LastLogonDate |
    Select-Object SamAccountName, Name, Enabled, LastLogonDate, DistinguishedName |
    Export-Csv -Path $fname -NoTypeInformation
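The LastLogonDate attribute the script filters on comes from the replicated lastLogonTimestamp, which is only refreshed when it is roughly two weeks stale, so it tells you an account was used recently but not exactly when. As an added example that is not part of the original post, the following queries the non-replicated lastLogon attribute on every domain controller and keeps the newest value per account; it assumes the same admin* prefix convention and the RSAT ActiveDirectory module, and the 7-day window and output file name are placeholders to adjust.

```powershell
# Added example (not the post's script): exact last logon per admin account, gathered from every
# domain controller. lastLogon is written only on the DC that authenticated the user and is never
# replicated, so the newest value across all DCs is the real last logon time.
Import-Module ActiveDirectory

$prefix  = "admin*"                                  # assumption: same naming convention as the post
$since   = (Get-Date).AddDays(-7)                    # review window; adjust as needed
$outFile = Join-Path (Get-Location).Path ("admin_logons_exact_" + (Get-Date -Format "yyyyMMdd") + ".csv")

# Ask each DC for its own copy of lastLogon (a FILETIME stored as Int64; 0 or empty means never).
$byAccount = @{}
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $users = Get-ADUser -Server $dc -Filter "SamAccountName -like '$prefix'" -Properties lastLogon, Enabled
    } catch {
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        $when = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
        $cur  = $byAccount[$u.SamAccountName]
        # Keep the newest lastLogon seen so far and remember which DC reported it.
        if (-not $cur -or ($when -and (-not $cur.LastLogon -or $when -gt $cur.LastLogon))) {
            $byAccount[$u.SamAccountName] = [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogon      = $when
                ReportedByDC   = $dc
            }
        }
    }
}

# Report everything that authenticated inside the window. A disabled account with a recent
# logon, or a logon reported by a DC the account should never touch, deserves a closer look.
$recent = $byAccount.Values |
    Where-Object { $_.LastLogon -and $_.LastLogon -ge $since } |
    Sort-Object LastLogon -Descending

$recent | Export-Csv -Path $outFile -NoTypeInformation
$recent | Format-Table -AutoSize
```

Because each DC is queried individually, the run takes longer than the single query in the post, and a DC that is unreachable is skipped with a warning rather than silently hiding its logons.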
