Open-AudIT

Hi,

I notice this works fine with LDAP/AD domain. Any idea how to:

1. Audit NT 4.0 domain?
2. Use audit.vbs as part of a logon script for auditing on logon?

Thanks

Jason

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)

To use it as part of a logon script, just copy the contents of audit.conf into audit.vbs. Remove the all lines between 30 and 130 (in current SVN), and replace with the lines from audit.config. This should then give you a 'self contained' audit script. Try running it from your local machine just doing [code]cscript audit.vbs[/code] That should work. If not, then we have to get that going before then next step.

Step two - copy the entire contents of your modified audit.vbs into your logon script - presto !!! Machines will complete the audit script each time they log onto the Domain.

As for and NT Domain, I don't have on to test against.... Does anyone else ?
You could always get a list of PCs in the domain, and put them in the pc_list_file.txt file.

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.

Auditing is not so hard. I did some research on it.

It *appears* you are just using LDAP as your connector type re: LDAP://domain.local, however for NT, you use WINNT://domain

I have modified the audit.vbs script to use it, with the addition of one variable domain_type = "nt"

I will post it tomorrow for the community's info. I will also try the standalone....I am curious to see the standalone in a logon script to see if it audits some of the machines in my other post where no software is shown.

Wonderful product, looks VERY promising.

Thanks

Jason

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)

Older versions of Windows NT 4.0 may not have WMI (which Audit.vbs relies on), but you can get it here, I believe.

[url]http://www.microsoft.com/downloads/details.aspx?familyid=AFE41F46-E213-4CBF-9C5B-FBF236E0E875&displaylang=en[/url]

I am not using NT 4.0 anymore, but I thought it might be of some value.
This may even allow limited auditing of Window 95, 98 and 98SE. This is untested, and unsupported, but if anybody is brave enough to try it, let us know the results.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]

Everything from 95 onwards WILL work - with the following caveats...
WMI must be installed
WSH must be installed (I think it is included in IE6)

I think that's all that is needed. I have some VMs here I have been testing, and when they meet those needs, they work just like any other Windows.

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.

I am going to publish the changes I made to audit.vbs and audit.config which enable auditing of Windows NT 4.0 domain. If you guys like you can incorporate it in SVN for other users.

Thanks

Jason

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)

Here is how you enable scanning of a Windows NT 4.0 domain. You guys can choose to commit this to SVN:

Open audit.vbs:

Search for:

[code]
' Audit the local domain, if requested '
[/code]

Replace entire section above with:

[code]
''''''''''''''''''''''''''''''''''''''''
' Audit the local domain, if requested '
''''''''''''''''''''''''''''''''''''''''
if audit_local_domain = "y" then
if domain_type = "nt" then
comparray = GetDomainComputers(local_domain)
elseif domain_type = "ldap" then
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = "Select Name, Location from '" & local_domain & "' Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Sort On") = "name"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

totcomp = objRecordset.recordcount -1
Redim comparray(totcomp) ' set array to computer count

Do Until objRecordSet.EOF
On Error Resume Next
strComputer = objRecordSet.Fields("Name").Value
comparray(count) = strComputer ' Feed computers into array
count = count + 1
if verbose = "y" then
wscript.echo "Computer Name from ldap: " & strComputer
end if
objRecordSet.MoveNext
Loop

num_running = HowMany
if verbose = "y" then
wscript.echo "Number of systems retrieved from ldap: " & Ubound(comparray)
wscript.echo "--------------"
end if
end if

For i = 0 To Ubound(comparray)
' For i = 118 To 128
while num_running > number_of_audits
if verbose = "y" then
wscript.echo "Processes running (" & num_running & ") greater than number wanted (" & number_of_audits & ")"
wscript.echo "Therefore - sleeping for 4 seconds."
end if
wscript.Sleep 4000
num_running = HowMany
wend
if comparray(i) <> "" then
if verbose = "y" then
wscript.echo i & " of " & Ubound(comparray)
wscript.echo "Processes running: " & num_running
wscript.echo "Next System: " & comparray(i)
wscript.echo "--------------"
end if
command1 = "cscript " & script_name & " " & comparray(i)
set sh1=WScript.CreateObject("WScript.Shell")
sh1.Run command1, 6, False
set sh1 = nothing
num_running = HowMany
end if
Next
end if
[/code]

Go to end of audit.vbs and add function to create NT 4.0 machine array.

[code]
'-------------------------------------------------------------------------------
' Function: GetDomainComputers
' Description: Returns a listing of NT Computer Accounts for a given domain
' Parameters: ByVal strDomain - Name of an NT Domain to retrieve the
' list of Computer from.
' Returns: Variant array of NT Computer names for the specified domain.
'-------------------------------------------------------------------------------
Function GetDomainComputers(ByVal local_domain)
Dim objIADsContainer ' ActiveDs.IADsDomain
Dim objIADsComputer ' ActiveDs.IADsComputer
Dim vReturn ' Variant

' connect to the computer.
Set objIADsContainer = GetObject(local_domain)

' set the filter to retrieve only objects of class Computer
objIADsContainer.Filter = Array("Computer")

ReDim vReturn(0)
For Each objIADsComputer In objIADsContainer
If Trim(vReturn(0)) <> "" Then
ReDim Preserve vReturn(UBound(vReturn) + 1)
End If
vReturn(UBound(vReturn)) = objIADsComputer.Name
Next

GetDomainComputers = vReturn
Set objIADsComputer = Nothing
Set objIADsContainer = Nothing
End Function
[/code]

Now open audit.config, and add the following line:

After email_server add:

[code]
domain_type = "nt"
[/code]

And change local_domain to: Please note WinNT is case sensitive

[code]
local_domain = "WinNT://<domainname>"
[/code]

You will now be able to audit your domain.

Thanks

Jason

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)

Can we have some other people try this on their NT Domains, before we commit this code ?

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.

In theory this should work with an AD domain, since it also acts as a WINNT domain, in the unlikely event that I have a spare 5 mins in the next week or two I might give this a try. I take it the above changes will allow you to choose AD or WINNT , rather than replacing the active directory code with WINNT code. If not can we re-write so this is the case. We don't want a different audit.vbs for NT.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]

[quote="A_Hull"]In theory this should work with an AD domain, since it also acts as a WINNT domain, in the unlikely event that I have a spare 5 mins in the next week or two I might give this a try. I take it the above changes will allow you to choose AD or WINNT , rather than replacing the active directory code with WINNT code. If not can we re-write so this is the case. We don't want a different audit.vbs for NT.

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)

Hello,

I'm new to this software and wanted to report back on my findings from trying to audit my NT4 domain. I am able to successfully audit using the pc_list_file.txt populated with hostnames/IP, but I haven't been able to audit using the NT4 domain information. I tried making the changes to the audit.vbs/config files as suggested above by jsingh, but haven't been able to run an audit of the domain successfully.

After making the changes, I'll run the script and I get the following error:
[code]
C:\xampp\htdocs\OpenAudIT\scripts>cscript audit.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\xampp\htdocs\OpenAudIT\scripts\audit.vbs(3598, 4) (null): Unspecified error
[/code]

Looking at the audit.vbs file, it appears the error message appears to be referencing the following line from the GetDomainComputers section added into the end of the script:

[code] Set objIADsContainer = GetObject(local_domain)[/code]

I haven't been able to make any head way past this so far and was wondering if anyone had any ideas on what to check next.

[quote="bterwill"]Hello,

I'm new to this software and wanted to report back on my findings from trying to audit my NT4 domain. I am able to successfully audit using the pc_list_file.txt populated with hostnames/IP, but I haven't been able to audit using the NT4 domain information. I tried making the changes to the audit.vbs/config files as suggested above by jsingh, but haven't been able to run an audit of the domain successfully.

After making the changes, I'll run the script and I get the following error:
[code]
C:\xampp\htdocs\OpenAudIT\scripts>cscript audit.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

C:\xampp\htdocs\OpenAudIT\scripts\audit.vbs(3598, 4) (null): Unspecified error
[/code]

Looking at the audit.vbs file, it appears the error message appears to be referencing the following line from the GetDomainComputers section added into the end of the script:

[code] Set objIADsContainer = GetObject(local_domain)[/code]

I haven't been able to make any head way past this so far and was wondering if anyone had any ideas on what to check next.

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)

Thanks for the quick reply. Here is the requested information. It's entirely possible that I mistyped something or added something incorrectly, although I have tried reconfiguring the default files a few times, and I am getting the same error. Some additional information about the setup that may be useful. The domain is an NT4 domain, but OpenAudIT and all scripts are being run from my XP workstation under a Domain Admin account. When auditing using pc_list_file.txt I had to first install WMI on the Domain Controller before it could be audited, but after installing this it shows up with all information from an audit using the list. Same error when trying to audit using strictly the domain.

First up, the audit.config file:
[code]audit_location = "l"
verbose = "y"
online = "yesxml"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = "http://localhost/openaudit/admin_pc_add_1.php"
non_ie_page = "http://localhost/openaudit/admin_pc_add_2.php"
nmap_subnet = "63.140.111."
nmap_subnet_formatted = "063.140.111."
nmap_ie_form_page = "http://localhost/openaudit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "n"
nmap_udp_scan = "n"
nmap_srv_ver_scan = "n"
nmap_srv_ver_int = 0
input_file = ""
email_to = ""
email_from = ""
email_server = ""
domain_type = "nt"
audit_local_domain = "y"
local_domain = "WINNT://iexplore"
hfnet = "n"
Count = 0
number_of_audits = 20
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
[/code]

I would post the audit.vbs file, but it's too big. Let me know if it is of interest to you and I can host it somewhere so that you can access it. I think everything is set correctly. I have modified the section at the top and added the GetDomainComputers section to the end of the vbs file. Like i said, I think that's where the error I mentioned in my first post is referencing, though I could be wrong about this.

Send me your audit.vbs file. I suspect a typo. You audit.config file is good. i assume your domain is named "iexplore".

I will send you a copy of my audit.vbs file in the meantime to test. once i compare them i will let you know if i find where the problem is and correct it in the instructions if not clear.

email: ttgapers AT hotmail dot com

Thanks

Jason

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)

Sending email with audit.vbs file. Thanks again.