
Sumitsk
Copper Contributor
May 06, 2022

PowerShell script is triggering the AD alert when executing on any local server, as user or computer

Hello All,

I have a PowerShell script which generates the data from each local server. This script is tested and it is working fine, but the challenge is that it triggers the alert on the AD server as "user or computer logged on to this computer from the network", while the script is executing on any server, not on AD. Why this is happening I am not able to find out. Is the AD-level security configured or hardening which is creating this problem?

Where do I find the exact cause of this? Can anyone help me please.

I am attaching the script here for reference.

############################Script#####################

# Inventory the local accounts on this host and write them to a semicolon-separated CSV.
$Computer   = $env:ComputerName
$OutputDir  = "c:\temp\"
$OutputFile = $OutputDir + $Computer + "_LocalUser.csv"
Out-File -FilePath $OutputFile
Add-Content -Path $OutputFile -Value "ComputerName;OS;IP;UserID;FullName;SID;UserType;PasswordLastSet;Enabled;UserMayChangePassword;PasswordNeverExpires;InteractiveLogon;AccessDetails;LastLogOn;TimeZone"

# Local accounts and groups via WMI (available on every supported PowerShell version).
$LocalUsers  = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | Select-Object -ExpandProperty Name
$localgroups = Get-WmiObject -Class Win32_Group -Filter "LocalAccount=True" | Select-Object -ExpandProperty Name

# First IPv4 address printed by ipconfig (brittle on multi-homed hosts, kept as in the original).
$IP = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]

# Time zone label between the parentheses of the display name, e.g. "UTC+05:30".
$TimeZone = [regex]::Matches([System.TimeZoneInfo]::Local.DisplayName, '(?<=\()(.*)(?=\))').Value

if ($PSVersionTable.PSVersion.Major -gt 4) {
    # PowerShell 5 and later: the LocalAccounts module is available.
    foreach ($localuser in $LocalUsers) {
        $user = Get-LocalUser -Name $localuser
        $Name                  = $localuser
        $FullName              = $user.FullName
        $SID                   = $user.SID
        $UserType              = $user.PrincipalSource
        $PasswordLastSet       = $user.PasswordLastSet
        $Enabled               = $user.Enabled
        $UserMayChangePassword = $user.UserMayChangePassword
        $PasswordNeverExpires  = ($null -eq $user.PasswordExpires)

        # Local groups this account is a direct member of, joined with " / ".
        # Groups containing orphaned SIDs make Get-LocalGroupMember throw, hence the -ErrorAction.
        $groups = (Get-LocalGroup | Where-Object {
            (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).Name -eq "$Computer\$Name"
        }).Name
        $groupsOutput = $groups -join " / "

        $LastLogOn = $user.LastLogon
        Add-Content -Path $OutputFile -Value "$Computer;Windows;$IP;$Name;$FullName;$SID;$UserType;$PasswordLastSet;$Enabled;$UserMayChangePassword;$PasswordNeverExpires;;$groupsOutput;$LastLogOn;$TimeZone"
    }
} else {
    # PowerShell 4 and earlier: fall back to WMI/CIM and "net user".
    foreach ($localuser in $LocalUsers) {
        $user = Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE LocalAccount = 'True' AND Name = '$localuser'"
        $Name     = $localuser
        $FullName = $user.FullName
        $SID      = $user.SID
        $UserType = "Local"

        # "net user" prints "Password last set   <value>"; the value starts at column 29.
        $PasswordLastSet = (net user $Name | findstr /B /C:"Password last set").Substring(29)
        $LastLogOn       = (net user $Name | findstr /B /C:"Last logon").Substring(29)

        $Enabled               = -not $user.Disabled
        $UserMayChangePassword = $user.PasswordChangeable   # original negated this, which inverted the meaning
        $PasswordNeverExpires  = -not $user.PasswordExpires

        # Groups via the Win32_GroupUser association, joined with "," (an empty list stays empty).
        $groupList = Get-CimInstance -ClassName Win32_UserAccount -Filter "Name='$Name'" |
            Get-CimAssociatedInstance -Association Win32_GroupUser | Select-Object -ExpandProperty Name
        $groups = $groupList -join ","

        Add-Content -Path $OutputFile -Value "$Computer;Windows;$IP;$Name;$FullName;$SID;$UserType;$PasswordLastSet;$Enabled;$UserMayChangePassword;$PasswordNeverExpires;;$groups;$LastLogOn;$TimeZone"
    }
}


  • Harm_Veenstra

    The Get-LocalUser / Get-LocalGroup cmdlets are only for servers and computers that are stand-alone or joined to an Active Directory domain. The cmdlets don't work on an Active Directory Domain Controller because it has no local users/groups, only Active Directory users and groups. (You should use Get-ADUser / Get-ADGroup for that.)
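A check that follows from this reply, added here as an example and not code from the thread or from any of its participants: before calling Get-LocalUser, read the host's DomainRole from Win32_ComputerSystem and switch to the ActiveDirectory module on a domain controller. The function name Test-IsDomainController is my own, and the Get-ADUser branch assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: pick the right account source for this host.
# Domain controllers (DomainRole 4 or 5) have no local SAM accounts, so
# Get-LocalUser / Get-LocalGroup cannot be used there.
function Test-IsDomainController {
    # DomainRole values of Win32_ComputerSystem:
    #   0 stand-alone workstation, 1 member workstation,
    #   2 stand-alone server,      3 member server,
    #   4 backup domain controller, 5 primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

if (Test-IsDomainController) {
    # On a DC, enumerate domain accounts instead (requires RSAT ActiveDirectory, an assumption).
    Import-Module ActiveDirectory
    Get-ADUser -Filter * -Properties PasswordLastSet, Enabled, LastLogonDate |
        Select-Object SamAccountName, SID, PasswordLastSet, Enabled, LastLogonDate
} else {
    # Member server or workstation: the LocalAccounts module applies.
    Get-LocalUser | Select-Object Name, SID, PasswordLastSet, Enabled, LastLogon
}
```

Running this at the top of the inventory script makes the DC case explicit instead of failing part-way through with Get-LocalUser errors.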
    • Sumitsk (Copper Contributor)

      Harm_Veenstra One thing I also understood is that the user who is executing the script is a local user, not a domain user. It is trying to collect the details from the target server, but somewhere in the backend it is connecting to the AD server. The error I am getting is like below: the user and the error type.

      Is it the server-level hardening that blocks the login, or is it the script which is trying to get something from the AD server instead of the target servers where the actual script is executing?

      • LainRobertson (Silver Contributor)

        Sumitsk

        My expectation is that the NTLM event is coming from how the script is being called, not from the script itself.

        Rather than focusing on the script content, focus on how it's being run, i.e. via something like psexec, Invoke-Command, a scheduled task, an SCCM utility, etc.

        In theory, WMI can also be the source, but the calls to Get-WmiObject and Get-CimInstance do not use such triggers (such as alternate credentials and/or impersonation levels), meaning that is irrelevant in this case. That only leaves how it's being launched.

        While the script itself is not written very well, there's nothing in it that would trigger the events you're seeing.

        Cheers,

        Lain
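A way to test Lain's hypothesis from the defender's side, added here as an example and not code from the thread or from any of its participants. The alert wording in the question ("user or computer logged on to this computer from the network") is Microsoft's description of logon type 3 in event 4624, so the example reports how the current PowerShell session itself was authenticated and then lists the network logons (4624, type 3) recorded on the host running the script, with their authentication package and source, so the launch method (psexec, Invoke-Command, a task with explicit credentials) can be matched against what the DC logs. It assumes it runs elevated in Windows PowerShell 5.1 or later (the Security log needs administrator rights); the function name Get-NetworkLogonSummary and the 24-hour window are my own choices.

```powershell
# Added example: correlate the session running this script with the
# network-logon events on this host.

# 1. How was the current session authenticated? "NTLM" here points at a
#    network launch (psexec-style, Invoke-Command over NTLM, a task run with
#    explicit credentials); "Kerberos" or "Negotiate" from a console/RDP
#    session would not produce a network logon on its own.
function Get-CurrentSessionAuth {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User               = $id.Name
        AuthenticationType = $id.AuthenticationType
        IsSystem           = $id.IsSystem
    }
}

# 2. Network logons (event 4624, logon type 3) recorded on this host in the
#    last $Hours hours, with the package that authenticated them and where
#    they came from.
function Get-NetworkLogonSummary {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData name/value pairs out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($d['LogonType'] -eq '3') {
            [pscustomobject]@{
                Time         = $_.TimeCreated
                User         = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                AuthPackage  = $d['AuthenticationPackageName']   # NTLM vs Kerberos
                LogonProcess = $d['LogonProcessName']             # e.g. NtLmSsp
                SourceHost   = $d['WorkstationName']
                SourceIp     = $d['IpAddress']
            }
        }
    } | Sort-Object Time -Descending
}

Get-CurrentSessionAuth | Format-List
Get-NetworkLogonSummary -Hours 24 | Format-Table -AutoSize
```

If the session shows AuthenticationType NTLM and a matching type-3 logon with AuthPackage NTLM and a SourceHost equal to the machine the script is pushed from, the DC's event is explained by the launch mechanism rather than by anything in the script, which is the point Lain makes above.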
