lazywinadmin / Monitor-ADGroupMembership

PowerShell script to monitor Active Directory groups and send an email when someone is changing the membership
MIT License

Monitoring of the Administrators (Builtin) group #27

Closed VincentSTH closed 6 years ago

VincentSTH commented 6 years ago

We have set up supervision for several groups successfully on the Active Directory, but the monitoring of the Administrators (Builtin) group does not work. The first time we run the script, it does not create the CSV file and indicates: "AVERTISSEMENT : [PROCESS] Something went wrong"

Can you help us? Thank you

VincentSTH commented 6 years ago

Indeed, it is the local administrators group of the server. When creating the Active Directory server, this group is transformed into a local group integrated into the Active Directory. See screenshots below.

[Screenshots attached: capture, capture2]

VincentSTH commented 6 years ago

Hello,

My problem is still present. Do you have a solution?

Thank you

jonathanweinberg commented 6 years ago

How are you referencing the group to monitor in the script?

Post your code excerpt using markdown code quotes if possible.

VincentSTH commented 6 years ago

[Screenshot attached: capture] The first time we run the script, it does not create the CSV file and indicates (see screenshot): "[PROCESS] AD MODULE - Error When querying the group Administrators members in Active Directory"

For other groups, the script works, but not for the special group Administrators (Builtin) (see screenshots in my previous post).

lazywinadmin commented 6 years ago

Hi, the script doesn't monitor local groups, only AD groups.

jonathanweinberg commented 6 years ago

To be honest, I'm a fan of the writing / blogging by Mr. lazywinadmin, but I've never used this script. Just randomly ran across this issue and know a bit about AD.

BuiltIn\Administrators is an odd duck from the perspective of a DC.

A Domain Controller does not have a "local" SAM.

And in the case of the BUILTIN\Administrators group, it is actually replicated domain wide between Domain Controller servers (as you noted).

I see you're localized to something other than en-US. Long term, you might want to use SIDs and GUIDs rather than the friendlier forms.

That said, have you tried using the well-known SID, S-1-5-32-544?

PS C:\Windows\system32> Get-ADGroup -Identity S-1-5-32-544

DistinguishedName : CN=Administrators,CN=Builtin,DC=lab,DC=contoso,DC=com
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administrators
ObjectClass       : group
ObjectGUID        : *********************************************
SamAccountName    : Administrators
SID               : S-1-5-32-544 

Well Known SID Structures

Similar info about Well Known SIDs

Basic info on Well Known SIDs

jonathanweinberg commented 6 years ago

@VincentSTH Any feedback if this worked out for you?

VincentSTH commented 6 years ago

The problem is solved. In the administrator group there was a user in SID mode. I deleted it and the script worked.

In fact, this is a deleted AD user
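The two findings in this thread combine naturally into one check: look the group up by its well-known SID (as jonathanweinberg suggested, so the lookup is independent of the display language), then walk the `member` attribute one entry at a time so that a member which cannot be resolved to a named account (the "user in SID mode" that broke the run) is reported instead of aborting the whole enumeration. The snippet below is an added example, not code from the Monitor-ADGroupMembership project; it assumes the RSAT ActiveDirectory module is available and that the caller can read the group. The group SID and the `Get-ADObject`/`Translate` calls are standard, but the function name and output layout are this example's own.

```powershell
# Added example (not part of the project): enumerate a group's members by well-known SID,
# resolving each member DN individually so unresolvable (orphaned / SID-only) entries are
# reported rather than causing the whole query to fail.
Import-Module ActiveDirectory

function Get-GroupMembersWithOrphans {
    param(
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; it is the same in every
        # domain and does not depend on the localized display name.
        [string]$GroupSid = 'S-1-5-32-544'
    )

    # Fetch the group and its raw 'member' attribute (a list of distinguished names).
    $group = Get-ADGroup -Identity $GroupSid -Properties member

    foreach ($dn in $group.member) {
        try {
            $obj = Get-ADObject -Identity $dn -Properties objectSid, objectClass, sAMAccountName -ErrorAction Stop

            # Foreign security principals are stored as bare SIDs; try to translate them to an
            # NT account name. A translation failure usually means the principal no longer exists.
            $resolved = $obj.sAMAccountName
            if ($obj.objectClass -eq 'foreignSecurityPrincipal') {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($obj.objectSid.Value)
                    $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $resolved = $null
                }
            }

            [pscustomobject]@{
                Group             = $group.Name
                DistinguishedName = $dn
                ObjectClass       = $obj.objectClass
                Resolved          = $resolved
                Status            = if ($resolved) { 'OK' } else { 'UNRESOLVED (orphaned SID)' }
            }
        } catch {
            # The DN could not even be read; report it and keep going with the next member.
            [pscustomobject]@{
                Group             = $group.Name
                DistinguishedName = $dn
                ObjectClass       = $null
                Resolved          = $null
                Status            = "LOOKUP FAILED: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: list every member and highlight the ones a monitoring script would choke on.
Get-GroupMembersWithOrphans | Format-Table -AutoSize
```

Run this before pointing a group-monitoring script at BUILTIN\Administrators: any row whose Status is not `OK` is a membership entry worth investigating and cleaning up, since an orphaned SID in the most privileged group is both an operational failure point and a sign that an account was removed without its group memberships being reviewed.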