LeVeilleur.net


SCOM / PowerShell : Number of locked AD accounts

March 08, 2010 By: Christopher Keyaert Category: Scom 2007, powershell

Dear All,

Here is a new little PowerShell script that writes event 6970 to the Application event log when more than X accounts have been locked out in less than Y minutes. You then only have to create a rule in SCOM that collects events with ID 6970 and schedule the script to run every 10 minutes.

Thanks to that, you can be alerted when there is an attack attempt against your Active Directory.

########################################################
# Count the accounts locked out in the last $LockedSince minutes
# and write event 6970 (source AD-SCOM) to the Application log
########################################################
###########################
# Param
###########################
$LockedSince = 10           # window, in minutes
$NumberofLockedAccount = 50 # alert threshold: an Error event is written at or above this count

###########################
# SCRIPT
###########################
# LDAP search for every user object that has a lockoutTime set.
# lockoutTime is not cleared when a lockout expires, so every hit is
# re-checked against the live lockout flag (ADS_UF_LOCKOUT) below.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
$colPropList = "name","samaccountname","lockouttime"

foreach ($i in $colPropList) { $objSearcher.PropertiesToLoad.Add($i) | Out-Null }
$colResults = $objSearcher.FindAll()

$cpt = 0
$result = ""
$result2 = ""
$ADS_UF_LOCKOUT = 0x00000010
$domainname = $objDomain.Properties["name"].Value

# The time window is computed once, not per account
$DayDate = Get-Date
$DayDateBefore = $DayDate.AddMinutes(-$LockedSince)

foreach ($objResult in $colResults) {

    $samaccountname = $objResult.Properties["samaccountname"][0]

    # The WinNT provider exposes the current lockout state in UserFlags
    $user = [ADSI]"WinNT://$domainname/$samaccountname"

    if (($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
        $Sam  = $samaccountname
        $Name = $objResult.Properties["name"][0]
        # lockoutTime is a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)
        [long]$LockTimeRaw = $objResult.Properties["lockouttime"][0]
        [datetime]$LockTime = [datetime]::FromFileTime($LockTimeRaw)

        # Keep only the accounts locked out inside the last $LockedSince minutes
        if (($LockTime -gt $DayDateBefore) -and ($LockTime -lt $DayDate))
            {
            Write-Host "************"
            Write-Host "User : $Sam"
            Write-Host "Name : $Name"
            Write-Host "LockTime : $LockTime"
            Write-Host "************"
            Write-Host ""

            $result2 += "************`r"
            $result2 += "User : $Sam`r"
            $result2 += "Name : $Name`r"
            $result2 += "LockTime : $LockTime`r"
            $result2 += "************`r"
            $result2 += "`r"

            $cpt += 1
            }
    }
}

Write-Host "************"
Write-Host "There is $cpt account(s) locked in the last $LockedSince minutes"
Write-Host "************"

$result += "************`r"
$result += "There is $cpt account(s) locked in the last $LockedSince minutes`r"
$result += "************`r"
$result += $result2

if ($cpt -ge $NumberofLockedAccount)
    {
    Write-Host ""
    Write-Host "Limit reached, /!\ ALERT /!\"
    Write-Host ""
    $infoevent = [System.Diagnostics.EventLogEntryType]::Error
    }
else {
    $infoevent = [System.Diagnostics.EventLogEntryType]::Information
    }

############################
# Event creation
############################
# The event source must be registered once (needs local admin rights);
# the SCOM rule then collects event ID 6970 from source AD-SCOM.
$source = "AD-SCOM"
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($source, "Application")
}
$evt = New-Object System.Diagnostics.EventLog("Application")
$evt.Source = $source
$evt.MachineName = "."
$evt.WriteEntry($result, $infoevent, 6970)

What's new in SCOM R2

January 14, 2010 By: Christopher Keyaert Category: Scom 2007

Here is a video in French explaining the differences between SCOM 2007 and SCOM 2007 R2:

Source

SCOM2007R2 : not enough entropy when installed Linux Agent

December 03, 2009 By: Christopher Keyaert Category: Scom 2007

Here is the error message:

Generating certificate with hostname="xxxxxxxx"
[/home/serviceb/TfsCoreWrkSpcLinux_REDHAT_5.0_x86_64/source/code/tools/scx_ssl_config/scxsslcert.cpp:198]
Failed to allocate resource of type random data: Failed to get random data - not enough entropy
error: %post(scx-1.0.4-248.x86_64) scriptlet failed, exit status 1
<DataItem type="Microsoft.SSH.SSHCommandData" time="2009-12-03T12:08:30.6908778+01:00" sourceHealthServiceId="91A3B596-F820-6A90-305C-6974DA25966D"><SSHCommandData><stdout>Generating certificate with hostname="xxxxxxx"
[/home/serviceb/TfsCoreWrkSpcLinux_REDHAT_5.0_x86_64/source/code/tools/scx_ssl_config/scxsslcert.cpp:198]
Failed to allocate resource of type random data: Failed to get random data - not enough entropy
error: %post(scx-1.0.4-248.x86_64) scriptlet failed, exit status 1

There are two ways to solve this problem: you can recreate the /dev/random device node, or do a manual agent install.

For both fixes, first clean off the partially installed agent using the commands:

  1. rpm -e scx
  2. rm -rf /etc/opt/microsoft/scx

Then, if you want discovery from the wizard to work, use the commands:

  1. rm /dev/random
  2. mknod -m 644 /dev/random c 1 9
  3. chown root:root /dev/random

A manual install requires copying the appropriate package from %Program Files%\System Center Operations Manager 2007\AgentManagement\UnixAgents to the Unix/Linux machine and installing it directly.

After fixing the install issue, switch /dev/random back to the real random device using the commands:

  1. rm /dev/random
  2. mknod -m 644 /dev/random c 1 8
  3. chown root:root /dev/random
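Before applying the workaround, and again after reverting it, it is worth checking what /dev/random actually points at and how much entropy the kernel reports: the major/minor pair 1,9 used in the temporary fix is the non-blocking /dev/urandom device, while 1,8 is the blocking /dev/random, so the fix works by quietly serving urandom under the /dev/random name until it is reverted. The following POSIX shell script is an added example and not part of the original post or of the SCOM agent; it assumes a Linux host with a stat(1) that supports -c '%t'/'%T' (GNU coreutils or busybox) and the /proc/sys/kernel/random/entropy_avail counter.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks around the
# /dev/random workaround. Assumes Linux with GNU/busybox stat and
# /proc/sys/kernel/random/entropy_avail.

# Print "major:minor" in decimal for a device node.
device_numbers() {
    maj_hex=$(stat -c '%t' "$1") || return 1
    min_hex=$(stat -c '%T' "$1") || return 1
    # stat reports the numbers in hex; printf accepts C-style 0x literals
    printf '%d:%d\n' "0x$maj_hex" "0x$min_hex"
}

# Map a major/minor pair onto the kernel pool it reaches.
describe_random_node() {
    case "$1:$2" in
        1:8) echo "blocking pool (the real /dev/random)" ;;
        1:9) echo "non-blocking pool (/dev/urandom under the /dev/random name)" ;;
        *)   echo "not a kernel random device ($1:$2)" ;;
    esac
}

# Current entropy estimate in bits; FILE defaults to the kernel's counter.
# Prints 0 when the file is missing or empty (e.g. outside Linux).
entropy_available() {
    f="${1:-/proc/sys/kernel/random/entropy_avail}"
    n=""
    [ -r "$f" ] && n=$(tr -dc '0-9' < "$f")
    echo "${n:-0}"
}

# Succeeds (exit 0) when the pool holds fewer than THRESHOLD bits, i.e. the
# blocking /dev/random is likely to stall the agent's certificate generation.
workaround_needed() {
    threshold="${2:-256}"
    [ "$(entropy_available "$1")" -lt "$threshold" ]
}

# One-shot report: run it before the rm/mknod steps and again after reverting.
check_random_setup() {
    if [ -c /dev/random ]; then
        nums=$(device_numbers /dev/random)
        echo "/dev/random ($nums) -> $(describe_random_node "${nums%%:*}" "${nums##*:}")"
    else
        echo "/dev/random is missing or not a character device"
    fi
    echo "entropy available: $(entropy_available) bits"
    if workaround_needed "" 256; then
        echo "entropy is low: expect 'not enough entropy' from the scx installer"
    fi
}

check_random_setup
```

The 256-bit threshold is a constructed default, not a value from the post; the script only reads, so it is safe to run on a production host, and the report after the final rm/mknod/chown step should again show the blocking pool (1:8).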

Source : http://blog.xplatxperts.com/xplat-xperts/2009/08/opsmgr-cross-platform-discovery-errors.html