We needed a way to know if anyone has added themselves to the Local Administrators group on any of our servers.
So I wrote this script and set it up as a scheduled task that runs every hour. If any change
happens in the Local Admins group, an e-mail is sent.
Script Purpose: Identify when the Local Administrators group changes!
Get a list of local users in the Administrators group, export to log servername.txt
Open a serverlist.txt and go through all servers. Compare the txt file of existing accounts
with the new ones (found). If a difference is found, send an e-mail.
 
The code:

'Script Purpose: Identify when the Local Administrators group changes!
'Get a list of local users in the Administrators group, export to log servername.txt
'Open a serverlist.txt and go through all servers
'Compare the txt file of existing accounts with the new ones (found)
'If a difference is found, send an e-mail
'By Felipe Ferreira
'June 2012
'Version 1
'How to use it:
'Create a servers.txt file with all the Windows servers you want to check
'Create a /logs folder where the script and servers.txt are
'Must have a Domain Admin account to run it
'TODO
'Get User Creation Age
'Store the list of users in the txt so we can identify which user was added or removed
Option Explicit

' Two FileSystemObject handles: iFSO opens the server list, oFSO opens the per-server log files.
Dim iFSO, oFSO
Set iFSO = CreateObject("Scripting.FilesyStemObject")
Set oFSO = CreateObject("Scripting.FilesyStemObject")

' Script-wide state shared by the main loop and the helper routines.
Dim t1, runtime, strScriptFile, strScriptPath
Dim inputfile, outputfile, ifile, ofile, strComputer
Dim strMailServer, strUsers, blnVerbose, intError, strCheck
Dim strSubjectE, strMessageE, strMessage, strSubject
Dim strEmailTo, strEmailFrom, strBadUser

' OpenTextFile I/O modes
Const ForReading = 1 	'Opens a file for reading only
Const ForWriting = 2 	'Opens a file for writing. If the file already exists, the contents are overwritten.
Const ForAppending = 8

t1 = Timer  'start of the run, used later to report the elapsed time
intError = 0

' Folder that holds the script: the full script path with the file name cut off the end.
strScriptFile = WScript.ScriptFullname
strScriptPath = Mid(strScriptFile, 1, Len(strScriptFile) - Len(WScript.Scriptname))

'------------ EDIT HERE
strMailServer = "ma"
strEmailTo="mailEU@gogo.com"
strEmailFrom="verifica_localadmin@gogo.com"
strBadUser="brunoteste"   ' Known account that must never be a Local Administrator
inputfile = strScriptPath & "servers.txt"  ' servers.txt holds one server name per line
blnVerbose = false  ' false for quiet mode
'------------ EDIT HERE
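'------------ MAIN
' For every server named in servers.txt: enumerate the members of its local
' Administrators group through the WinNT provider, compare the member COUNT with
' the number stored by the previous run, overwrite the stored number, and at the
' end send one e-mail if any server reported a problem.
'
' Detection limits a reader should know about:
'  - Only the count is kept as baseline. One account removed and another added
'    in the same interval leaves the count unchanged and raises no alert.
'  - The baseline is overwritten before the e-mail is sent, so a change is
'    reported once; if the mail fails, the next run already sees it as normal.
'  - The inner loop does not expand nested groups: a group that is a member of
'    Administrators counts as a single entry whatever its own membership is.
'  - The group is matched by display name (English / Portuguese only).
'  - servers.txt and the baseline files decide what is checked and what counts as
'    "unchanged"; keep them writable only by the account that runs this task.
'  - NOTE(review): nothing here handles an unreachable server; presumably the
'    WinNT bind or the enumeration raises and ends the run - confirm.
'  - NOTE(review): the path below has no separator after "logs", so baselines are
'    written next to the script as logs<server>.txt rather than inside a logs
'    folder. CompareUsers builds the same string; change both together.
Dim objGroup,colGroups,objUser,intUsers,strOut
Set ifile = iFSO.OpenTextFile(inputfile,ForReading)
'Loop through the text file and check each server's local Administrators
'AtEndOfStream (not AtEndOfLine) so that an empty line does not end the loop early
Do Until ifile.AtEndOfStream
 strComputer = Trim(ifile.ReadLine)
 If strComputer <> "" Then   'skip blank lines instead of querying an empty host name
  intUsers = 0
  Set colGroups = GetObject("WinNT://" & strComputer & "")
  colGroups.Filter = Array("group")
  For Each objGroup In colGroups
   If (objGroup.name = "Administrators") Or (objGroup.name = "Administradores") Then
    For Each objUser In objGroup.Members
     strUsers = strUsers & objUser.name & ","
     intUsers = intUsers + 1
     'Account names are not case sensitive on Windows, so compare as text
     If StrComp(objUser.name, strBadUser, vbTextCompare) = 0 Then
      pt strComputer & " - " & objUser.name & " ALERTA Conta " & strBadUser & " EXISTENTE!!!"
      'strSubjectE is set here but the mail below is sent with strSubject
      strSubjectE = "CRITICAL - Conta " & strBadUser & " encontrada no " & strComputer
      'Append, so findings already collected for earlier servers are not lost,
      'and name the configured account instead of a hard-coded one
      strMessageE = strMessageE & vbcrlf & strComputer & " - " & objUser.name & " ALERTA Conta " & strBadUser & " EXISTENTE!!!"
      intError = intError + 1
     End If
    Next
   End If
  Next
  outputfile = strScriptPath & "logs" & strComputer & ".txt"
  'Compare the stored count with the current one
  strCheck = CompareUsers(strComputer,intUsers)
  pt strCheck
  pt strUsers
  strMessage = strMessage & vbcrlf & strCheck & vbcrlf & " " & strUsers & vbcrlf & "--------------------------------------"
  strUsers = ""
  pt "----------------------------"
  'Write the current count as the new baseline
  Set ofile = oFso.OpenTextFile(Outputfile,ForWriting,true)
  ofile.writeline intUsers
  ofile.Close
  Set ofile = nothing
  Set colGroups = nothing
 End If
Loop
ifile.Close
'Calculate Total Run Time and Format
RunTime = Timer  - t1
RunTime = Left(RunTime, 4)
RunTime = RunTime / 60
RunTime = Left(RunTime, 4)
pt strMessage
pt RunTime
'An e-mail is sent only when at least one problem was counted
if (intError = 0) then
 strSubject = "OK - Nada mudou nos Usuarios Local Admins"
else
 strSubject = "CRITICO - foram encontrados (" & intError & ") erro(s)"
 strMessage = "Foram encontrados " & intError & "erros, na verificação de moficações no numero de usuarios no grupo Local Administrators. "& vbcrlf &"Script Runtime = " & RunTime & "min. " & vbcrlf & strMessageE & vbcrlf & vbcrlf & strMessage
'SEND E-MAIL
 call sendMail(strEMailFrom,strEMailTo,"",StrSubject,strMessage,"")
 pt "Email enviado a " & strEMailTo
end if
wscript.quit 0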
'-------------- FUNCTIONS and SUBS
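Function CompareUsers(servername,intcount)
	' Compares the current number of Local Administrators members on a server
	' with the number stored by the previous run.
	'
	' servername : server name, used to build the baseline file name
	' intcount   : member count found in this run
	' Returns a status line starting with "OK - ", "CRITICO - " or "UNKOWN - ".
	' On a mismatch or an unreadable baseline it also increments the global
	' intError and appends a detail line to the global strMessageE.
	'
	' Only the count is compared, so a membership swap that keeps the count
	' the same is reported as OK.
	Dim CurrentFile,ofileCurrent,fs,intCountCurrent,blnReadFailed
	CurrentFile = strScriptPath & "logs" & servername & ".txt"
	Set fs = CreateObject("Scripting.FileSystemObject")

	'No baseline yet: first time this server is checked
	If Not fs.FileExists(CurrentFile) Then
		CompareUsers = "UNKOWN - " & servername & " nunca foi verificado!"
		Set fs = Nothing
		Exit Function
	End If

	'Read the stored count from the same file whose existence was just tested.
	'Error trapping is limited to the read and the conversion; with a blanket
	'"on error resume next" a non-numeric baseline made the comparison fail
	'silently and the function answered "OK".
	On Error Resume Next
	Set ofileCurrent = fs.OpenTextFile(CurrentFile,ForReading)
	intCountCurrent = CInt(ofileCurrent.ReadLine)
	blnReadFailed = (Err.Number <> 0)
	ofileCurrent.Close
	Err.Clear
	On Error GoTo 0
	Set ofileCurrent = Nothing
	Set fs = Nothing

	'An empty, missing-on-open or non-numeric baseline is treated as a finding,
	'never as "nothing changed"
	If blnReadFailed Then
		intError = intError + 1
		strMessageE = strMessageE & vbcrlf & servername & " arquivo de baseline ilegivel: " & CurrentFile
		CompareUsers = "CRITICO - " & servername & "(" & intcount & ") arquivo de baseline ilegivel!"
		Exit Function
	End If

	intcount = CInt(intcount)
	If (intcount = intCountCurrent) Then
		CompareUsers = "OK - " & servername & "(" & intcount & ")"
	Else
		intError = intError + 1
		'stored count first, current count second (the detail line had them swapped)
		strMessageE = strMessageE & vbcrlf & servername & " Numero de usuarios no Local Adminsitrators mudou de " & intCountCurrent & " para " & intcount
		CompareUsers = "CRITICO - " & servername & "(" & intcount & ") mudou de " & intCountCurrent & " para " & intcount & " usuarios!"
	End If
End Function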
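Sub SendMail(sFrom,sTo,sCC,sSub,sBody,sAttch)
	' Sends a plain-text e-mail through CDO.Message.
	'
	' sFrom, sTo, sCC : sender, recipient and carbon-copy addresses
	' sSub, sBody     : subject and text body
	' sAttch          : path of a file to attach, or "" for none
	'
	' The message goes to the global strMailServer on port 25 with sendusing = 2
	' (send over the network). No authentication or TLS field is set here, so the
	' alert travels as an unauthenticated, unencrypted SMTP submission.
	' On failure the script ends with exit code 1 so the scheduler does not
	' record an undelivered alert as a successful run.

	'Without this the Err check at the end is never reached: a failing call
	'would end the script with an unhandled runtime error instead
	On Error Resume Next
	Err.Clear
	Dim objEmail : Set objEmail = CreateObject("CDO.Message")
	objEmail.From = sFrom
	objEmail.To = sTo
	objEmail.CC = sCC
	objEmail.Subject = sSub
	objEmail.Textbody = sBody
	'The caller on this page passes "" here; an empty path is skipped because
	'AddAttachment presumably rejects it - confirm against CDO behaviour
	If sAttch <> "" Then
		objEmail.AddAttachment sAttch
	End If
	objEmail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
	objEmail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strMailServer
	objEmail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
	objEmail.Configuration.Fields.Update
	objEmail.Send
	If Err.Number <> 0 Then
		'pt prints only in verbose mode; the exit code is the signal in quiet mode
		pt "Error sending email : " & Err.Description
		WScript.Quit 1
	End If
End Sub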
Function pt(txt)
 ' Prints txt through WScript.Echo when the global blnVerbose flag is True;
 ' does nothing in quiet mode.
 If Not (blnVerbose = True) Then Exit Function
 WScript.Echo txt
End Function

 
