
Open-AudIT

Posted: Fri May 31, 2013 5:45 pm
Newbie

Joined: Thu May 30, 2013 9:19 pm
Posts: 16
Hi There,

New to OpenAudit so I'm gradually working my way around it but was wondering if someone could give me some advice.

I have it all set up on a CentOS VM (also running Nagios) and can happily run the scripts to remotely audit either single machines, or a list of machines.

What I would like to do though is to have it so that the script runs every time either a PC starts up (preferably) or a user logs in, and the obvious way would seem to be to use either the Computer Startup/Shutdown GPO or the User logon/logoff GPO. I've tried plonking the same script that works for running an audit on the local PC into a Computer Startup GPO and have applied that to an appropriate OU but nothing seems to happen, but I'm not sure why or where I might find any logs to help me troubleshoot.

Do I need to specify any credentials in the script maybe? Or will it not work this way and I'll have to run it at user logon instead? Maybe I need to create a batch script that runs it as 'cscript audit_windows.vbs' instead of just the VBS script, or maybe I need to add some parameters to the box in the GPO?

From what I've seen on the forums, it appears some of you are already doing this so any help would be much appreciated.

Thanks,
Mark


Posted: Sat Jun 01, 2013 3:17 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
How are you calling the script in the GPO?

Did you change (or set) the url variable from localhost to the proper value?


Posted: Sun Jun 02, 2013 12:16 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
I would copy the script from your CentOS machine to a domain controller's "netlogon" share.
Then make sure the config variables are hard set in the script to the correct values you want (url = CentOS machine, debugging=0, etc).
If possible, set it to run with cscript as opposed to wscript.
It should also be run by an account with local admin. That should be what a GPO runs with anyway (the "system" account I think).
If you use a proxy there are some script variables in there to not use that if needed (read the script).
After that, I'm out. I'm not a Windows guru (anymore) - I haven't admin'd Windows in oh, 8 years I suppose!

_________________
Support and Development hours available from Opmantek (https://opmantek.com).
Please consider a purchase to help make Open-AudIT better for everyone.


Posted: Mon Jun 03, 2013 10:42 pm
Newbie

Joined: Fri May 31, 2013 7:26 pm
Posts: 9
Location: Denmark
I am looking for the same answer.

I am also new to OpenAudit and programming, so I'm really in deep water right now.

Is there any chance you could give us a "howto step-by-step guide" on how you did it?

By "Howto guide" I mean: how did you configure the GPO (logon/logoff or startup/shutdown or a third way), and what did you change in the script(s)?


Posted: Mon Jun 03, 2013 10:46 pm
Newbie

Joined: Thu May 30, 2013 9:19 pm
Posts: 16
Thanks for the replies.

I'm currently trying to run the script by adding the audit_windows.vbs to the Computer Startup Script GPO. The script has been edited to point to the correct URL to report to, and works fine when I run it manually on the local test machine I have applied the GPO to. The script has been copied to the actual GPO location on the domain controller(s) via the Group Policy Management Console.

I've not tried doing it as a batch script to run 'cscript audit_windows.vbs' but that was going to be potentially the next thing to try.

Running a script in this way runs it under the 'local system' account - can anyone confirm if this account has the correct rights to run it (as I obviously can't do a manual test run using this account)?

Thanks,
Mark


Posted: Tue Jun 04, 2013 12:27 am
Contributor

Joined: Wed Apr 07, 2010 8:04 am
Posts: 105
Location: Boston, MA
I audit my machines via GPO and run it as a startup script without need of CSCRIPT or WSCRIPT (turn Debug to Zero) and so far I haven't had any problems. When you add the script to the GPO, the file gets stored on a share on the Domain Controller and runs with SYSTEM privileges.

To troubleshoot, I would check a few places.
First, make sure all settings on the script are correct, like your server path.
Check if the GPO is enabled on your clients, either with GPRESULT or RSOP.MSC.
Ultimately, check if the file path to the DC is accessible; you can find the details of the GPOs in the registry on HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts

Let me know how it goes

_________________
Old OA Setup: 500 Windows 7 workstations & 200 Apple OSX with OA v1.5.2 on Windows Server 2003 and WAMP 2
New OA Setup: 100 Windows servers with OA 2.2 on Windows Server 2016 and WAMP 3


Posted: Tue Jun 04, 2013 9:49 pm
Newbie

Joined: Fri May 31, 2013 7:26 pm
Posts: 9
Location: Denmark
[quote="el_geto"]I audit my machines via GPO and run it as a startup script without need of CSCRIPT or WSCRIPT (turn Debug to Zero) and so far I haven't had any problems. When you add the script to the GPO, the file gets stored on a share on the Domain Controller and runs with SYSTEM privileges.[/quote]


Thanks man.

I just tested it and it works just fine. Thank you :D

Posted: Tue Jun 04, 2013 11:07 pm
Newbie

Joined: Thu May 30, 2013 9:19 pm
Posts: 16
Thanks el_geto. I did have it set up in exactly the same way that works for you, but it just wasn't happening for some reason. What I ended up doing, and which is working for me now, is creating a batch file for the startup GPO with the single command 'cscript \\server\path\audit-windows.vbs' and making sure that the Domain Computers group had full access to the location of the script.

It's the same VBS script I originally had added to the GPO, so I really can't say why it wouldn't work that way when it obviously does for you.

Anyway, thanks for all of everyone's help with this - hopefully it will help someone else looking to do similar in the future.

Mark
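
The troubleshooting checks el_geto lists and the script-location permissions Mark describes can be inspected together on a client; because a startup script runs as SYSTEM on every machine the GPO applies to, the accounts able to change the file are listed as well. This PowerShell is an added example, not part of the original thread. It assumes the usual layout under the Scripts\Startup registry key (DisplayName, FileSysPath, Script and Parameters values), and the function names are hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a client.
$StartupKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup'

# Rights that let an account alter or replace a file.
$ChangeRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ScriptWriter {
    # Accounts whose NTFS "Allow" entries include any change right on $Path.
    # Share-level permissions are not covered by Get-Acl.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $ChangeRights) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-StartupScriptReport {
    param([string]$Root = $StartupKey)
    if (-not (Test-Path $Root)) { return }    # no startup-script GPO applied here
    foreach ($gpoKey in Get-ChildItem $Root) {
        $gpo = Get-ItemProperty -Path $gpoKey.PSPath
        foreach ($scriptKey in Get-ChildItem $gpoKey.PSPath) {
            $entry = Get-ItemProperty -Path $scriptKey.PSPath
            $path  = $entry.Script
            # Assumption: a relative name lives in <FileSysPath>\Scripts\Startup.
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = [System.IO.Path]::Combine($gpo.FileSysPath, 'Scripts\Startup', $path)
            }
            # Reachability is tested as the current user; at boot it is the
            # computer account that must be able to read the file.
            $reachable = Test-Path -LiteralPath $path
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Script     = $path
                Parameters = $entry.Parameters
                Reachable  = $reachable
                CanModify  = if ($reachable) { (Get-ScriptWriter $path) -join '; ' } else { '' }
            }
        }
    }
}

Get-StartupScriptReport | Format-List
```

Where the GPO entry is a batch wrapper, the report shows the batch file only; run Get-ScriptWriter against the .vbs path the batch file calls as well.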


Posted: Mon Jun 17, 2013 8:25 pm
Newbie

Joined: Fri May 31, 2013 7:26 pm
Posts: 9
Location: Denmark
I have tested it for two weeks now and I can see that there is a problem with GPO or script. It seems that the computers are running the script correctly, but data is not sent to the database unless users log on immediately. Is there any way to get GPO or script to run longer or to use another account to run the startup script?

First of all my setup:
The "audit_windows.vbs" script is located in a subfolder in NETLOGON in a DFS namespace
The group "Authenticated Users" has read and execute rights (so I don't think it's the problem)
The computers I have tested with get the GPO (startup) and I can see it from the command "gpresult /R"
The script itself has debug turned off (Debug=0)

EDIT:
How can I configure the script to use the system account?
As far as I know, there is no password for the system account... What must be entered at strpass = "" using the system account?


Last edited by thni7799 on Tue Jun 18, 2013 4:53 pm, edited 1 time in total.

Posted: Tue Jun 18, 2013 1:32 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Couple things:

Is it possible the script is running with wscript rather than cscript? I see in 1.0.2 that if it sees some kind of SQL Server that there is still output if debug=0. (Lines 3583, 3588, 3593 and 3598.)

Not important but in the current 1.0.2 script you should set skip_dns=y if running under the system account.


Posted: Tue Jun 18, 2013 9:46 am
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
[quote="jpa"]I see in 1.0.2 that if it sees some kind of SQL Server that there is still output if debug=0. (Lines 3583, 3588, 3593 and 3598.)[/quote]

Thanks JPA, fixed in my code.
