Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Mar 29, 2024 7:20 am

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 
Author Message
 Post subject: New audit Script
PostPosted: Tue Apr 10, 2012 8:08 pm 
Offline
Site Admin
User avatar

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
I've done up another version of the audit_windows script.
If a PC is attempted to audit but it cannot be contacted (or firewall is on or whatever), assuming the PC is on a domain, the audit script asks the domain for any information it can give about the PC. This is designed to be called from the audit_domain script, but for testing we can call it directly.

To test, could I ask you run the attached script against a machine you know is not powered on and that is joined to the same domain as your PC.

The debug level is set to 2, so you should see some useful output. It will NOT attempt to send the data to the audit server.

Items of note are:
ldap = ""
This should normally be left as is. If an ldap variable is passed via the command line, this will be used. If it is not, the local ldap settings will be used. Normally the ldap attribute will be passed by the audit_domain script.
No need to set this for testing.

ldap_seen_days = "0"
You can set this to only return info from AD if a system has been seen by AD in the last XX days. IE - we have systems that are in AD but have been disposed of and not seen by AD in years (don't ask). We don't care about these, but they will be returned by the audit_domain script.

ldap_seen_date = "2000-01-01"
This is very similar to the attribute above. If the system has been seen by AD since this date then it will be returned. If it has not been seen, no AD details are returned.

So, to test simply run "cscript audit_windows.vbs COMPUTERNAME" against a computer that is on the domain, but turned off. You should see the XML dumped to the console. This contains useful (by extremely limited) taken from Active Directory.

You can also try altering the ldap_seen_ attributes and see if it returns as expected.

This particular feature is useful when you have systems that are on and off the network (think laptops) and that don't have logon scripts.

Anyway, have at it and post your comments (fingers crossed)!
:)


Attachments:
File comment: rename to audit_windows.vbs
audit_windows.txt [251.18 KiB]
Downloaded 431 times

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.
Top
 Profile  
Reply with quote  
 Post subject: Re: New audit Script
PostPosted: Wed Apr 11, 2012 2:12 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Works here. Is nslookup output internationalized in Windows? Parsing it's output might fail on other Windows language versions if so.

[code]
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

starting audit - computer1
Problem authenticating (4) to computer1
Error Number:462
Error Description:The remote server machine does not exist or is unavailable
<?xml version="1.0" encoding="UTF-8"?>
<computers>
<computer>
<hostname>computer1</hostname>
<man_ip_address>192.168.0.108</man_ip_address>
<domain>domain.com</domain>
<type>system</type>
<icon>windows_7</icon>
<os_group>windows</os_group>
<os_family>Windows 7</os_family>
<os_name>Microsoft Windows 7 Enterprise</os_name>
<windows_active_directory_ou>ou=shared computers,ou=users and computers,ou=stuff,dc=domain,dc=com<windows_active_directory_ou>
<last_seen>2012-04-06</last_seen>
<last_seen_by>active directory</last_seen_by>
</computer>
</computers>

LDAP Seen Days: 0
LDAP Actual Days: 4
LDAP Seen Date: 2000-01-01
LDAP Actual Date: 2012-04-06
PC not able to be audited but seen in Active Directory on 2012-04-06.
As this is after 2000-01-01, using AD details for audit.


[Output snip]
LDAP Seen Days: 0
LDAP Actual Days: 4
LDAP Seen Date: 2012-04-07
LDAP Actual Date: 2012-04-06
PC not able to be audited and last seen by Active Directory on 2012-04-06.
As this is before 2012-04-07, no audit recorded.


[Output snip]
LDAP Seen Days: 1
LDAP Actual Days: 4
LDAP Seen Date: 2000-01-01
LDAP Actual Date: 2012-04-06
PC not able to be audited but seen in Active Directory on 2012-04-06.
As this is after 2000-01-01, using AD details for audit.
[/code]


Top
 Profile  
Reply with quote  
 Post subject: Re: New audit Script
PostPosted: Wed Apr 11, 2012 11:52 pm 
Offline
Helper

Joined: Tue Jul 25, 2006 2:33 am
Posts: 83
Location: Hampshire, UK
Same success as jpa here; handled the offline laptop with no problem.
[code]starting audit - lapt-006
Problem authenticating (4) to lapt-006
Error Number:462
Error Description:The remote server machine does not exist or is unavailable
<?xml version="1.0" encoding="UTF-8"?>
<computers>
<computer>
<hostname>lapt-006</hostname>
<man_ip_address>192.168.99.99</man_ip_address>
<domain>mydomain.local</domain>
<type>system</type>
<icon>windows_xp</icon>
<os_group>windows</os_group>
<os_family>Windows XP</os_family>
<os_name>Microsoft Windows XP Professional</os_name>
<windows_active_directory_ou>cn=computers,dc=mydomain,dc=local
<windows_active_directory_ou>
<last_seen>2012-04-04</last_seen>
<last_seen_by>active directory</last_seen_by>
</computer>
</computers>

LDAP Seen Days: 0
LDAP Actual Days: 6
LDAP Seen Date: 2000-01-01
LDAP Actual Date: 2012-04-04
PC not able to be audited but seen in Active Directory on 2012-04-04.
As this is after 2000-01-01, using AD details for audit.[/code]

John

_________________
OA environment:
OA Server: Ubuntu 10.04LTS
1 Windows 2008R2 Server
4 Windows 2003 Servers
20 Windows XP workstations
1 Windows 7 workstation
2 Ubuntu 11.10 servers
Misc other networked items


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group