LeVeilleur.net » Operations Manager 2007 http://www.leveilleur.net Thu, 03 Jun 2010 21:21:36 +0000 http://wordpress.org/?v=2.9.1 fr hourly 1 SCOM / PowerShell : Number of locked AD accounts http://www.leveilleur.net/index.php/2010/03/08/scom-powershell-number-of-locked-ad-accounts/ http://www.leveilleur.net/index.php/2010/03/08/scom-powershell-number-of-locked-ad-accounts/#comments Mon, 08 Mar 2010 12:43:17 +0000 Christopher Keyaert http://www.leveilleur.net/?p=287 Dear All,

Here a new little powershell script that creates an event 6970 in the event viewer when there is more than X accounts locked in less than Y minutes. Now, you just have to create a new rule in SCOM that collect event with the ID6970 and schedule that script to run every 10 minutes.

Thanks to that you can be alert when there is an attack attempt to your Active Directory.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
########################################################
#Get the number of lock account in less than 10 minutes
########################################################
###########################
# Param
###########################
$LockedSince = 10 #Minutes
$NumberofLockedAccount = 50 #

###########################
# FUNCTIONS
###########################
###########################
# SCRIPT
###########################
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
$colProplist = "name","samaccountname","lockoutTime"

foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
$colResults = $objSearcher.FindAll()

$cpt = 0
$result = $null
$result2 = $null

foreach ($objResult in $colResults) {

    $domainname = $objDomain.name
    $samaccountname = $objResult.Properties.samaccountname

    $user = [ADSI]"WinNT://$domainname/$samaccountname"
    $ADS_UF_LOCKOUT = 0x00000010
    #$objResult.Properties

    if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
        $Sam = $objResult.Properties.samaccountname
        $Name = $objResult.Properties.name
        [String]$LockTime = $objResult.Properties.lockouttime
        [datetime] $LockTime = [datetime]::FromFileTime($LockTime)

        #We want all the account locked in the last 24h
        $DayDate = Get-Date
        $DayDateBefore = $DayDate.AddMinutes(-$LockedSince)

        if(($LockTime -gt $DayDateBefore) -and ($LockTime -lt  $DayDate))
            {
            Write-Host "************"
            Write-Host "User : $sam"
            Write-Host "Name : $name"
            Write-Host "LockTime : $lockTime"
            Write-Host "************"
            Write-Host ""

            $result2 += "************`r"
            $result2 += "User : $sam`r"
            $result2 += "Name : $name`r"
            $result2 += "LockTime : $lockTime`r"
            $result2 += "************`r"
            $result2 += "`r"

            $cpt += 1
            }
    }
}

Write-Host "************"
Write-Host "There is $cpt account(s) locked in the last $LockedSince minutes"
Write-Host "************"

$result += "************`r"
$result += "There is $cpt account(s) locked in the last $LockedSince minutes`r"
$result += "************`r"
$result += $result2

if($cpt -ge $NumberofLockedAccount)
    {
    Write-Host ""
    Write-Host "Limit reached, /!\ ALERT /!\"
    Write-Host ""
    $infoevent=[System.Diagnostics.EventLogEntryType]::Error
    }
else{
    $infoevent=[System.Diagnostics.EventLogEntryType]::Information
    }  

############################
#Var for the event creation
############################
$evt = new-object System.Diagnostics.EventLog("Application")
$evt.Source = "AD-SCOM"
$evt.MachineName = "."
$evt.WriteEntry($result,$infoevent,6970)
]]> http://www.leveilleur.net/index.php/2010/03/08/scom-powershell-number-of-locked-ad-accounts/feed/ 0 SCOM2007 : Jalasoft Xian Io for VmWare Monitoring http://www.leveilleur.net/index.php/2008/11/26/scom2007-jalasoft-xian-io-for-vmware-monitoring/ http://www.leveilleur.net/index.php/2008/11/26/scom2007-jalasoft-xian-io-for-vmware-monitoring/#comments Wed, 26 Nov 2008 10:10:51 +0000 Christopher Keyaert http://www.leveilleur.net/?p=121

Now monitor your network devices and Unix servers directly in System Center Operations Manager 2007 with the latest version of Xian Network Manager! Advanced new features like, device update, network scan task, linkable policy templates are only a few of the many new features in Xian Io. Check out more information and download the free evaluation version to see the power of Xian yourself.

It is possible that your VC is v2.5, our Virtual Center SMP does not support that version by default, but we have developed a patch in order to provide support for this version. Just follow these steps in order to apply it:

1. Download the patch from: http://download.jalasoft.com/pub/patches/JS0176TD/Patch20080711.zip
2. Go to the server where Xian was deployed and stop the ‘Jalasoft Xian Network Manager’ service.
3. Go to the following folder: ‘[program files]\Jalasoft\Xian Network Manager Io\Plugins\Jalasoft.Xian.Plugin.VMwareVirtualCenter\resources\’
4. Replace the ‘Jalasoft.Xian.Plugin.VMwareVirtualCenter.config.xml’ file with the recently downloaded.
5. Start the ‘Jalasoft Xian Network Manager Server’ service.
6. Open the Xian console and try discovering your virtual centers. Please note that discovering a VC could take several time (depending on the amount of ESX servers hosted in it), so it is recommended to increase the ‘timeout’ and  ‘maximum number of retries’ parameters on the execution of the discovery rule.

]]> http://www.leveilleur.net/index.php/2008/11/26/scom2007-jalasoft-xian-io-for-vmware-monitoring/feed/ 0