
New Domain Admins

Summary

This task runs a PowerShell script on a domain controller that expands the built-in Administrators group recursively (which nests Domain Admins and Enterprise Admins), compares the resulting user SIDs with the membership recorded by the previous run, and reports any accounts that have been added since then. The result is written to the custom field New Domain Admins so the change can be audited and monitored.

Schedule the task against one domain controller per domain (the PDC emulator or infrastructure master, as in the Deployment section). Group membership is the same on every domain controller, so running the task on all of them would keep a separate baseline on each and raise duplicate tickets.

Update Notice: 27-December-2024

The task has been updated to create a ticket. Therefore, the New Domain Admins monitor is no longer needed. Please remove the monitor set before updating the task.

Sample Run

Sample Run 1
Sample Run 2

Dependencies

  • Strapper PowerShell module (installed from PSGallery by the script itself).
  • ActiveDirectory PowerShell module, which provides Get-ADGroupMember (present on every domain controller).

Variables

Name: Output
Description: Output of the PowerShell script

Implementation

Create the Custom Field New Domain Admins.

Create Script

Create a new "Script Editor" style script in the system to implement this task.

Create Script
Script Editor

Name: New Domain Admins
Description: The task involves executing a PowerShell script on the domain controllers to retrieve information about recently created domain administrators or users who have been added to an administrative group since the last execution of this task.
Category: Custom

Script Category

Script

Start by adding a row. You can do this by clicking the "Add Row" button at the bottom of the script page.

Add Row

Row 1 Function: PowerShell Script

PowerShell Function
PowerShell Function 2

Paste in the following PowerShell script and set the expected time of script execution to 300 seconds. This PowerShell function reads the DomainRole of the computer and returns 'domain controller' when the endpoint holds that role; the next row exits the task on anything else.

# Win32_ComputerSystem.DomainRole: 0 standalone workstation, 1 member workstation,
# 2 standalone server, 3 member server, 4 backup domain controller, 5 primary domain controller
$check = ( Get-CimInstance -Class Win32_ComputerSystem -ErrorAction SilentlyContinue ).DomainRole
if ( $check -in ( 4,5 ) ) {
    return 'domain controller'
} elseif ( $check -in ( 1,3 ) ) {
    # Member workstation or member server: joined to a domain but not a DC
    return 'domain joined'
} else {
    return 'Workgroup'
}

Validation

Row 2 Logic: If Then

If Then Logic
If Then Logic 2

Row 2a Condition: Output Does Not Contain

Click the dropdown Contains and select Does Not Contain, then enter domain controller in the text box.

Output Condition

Row 2b Function: Script Exit

Add a new row by clicking on the Add row button.
Add Row

Select Script Exit Function.

Script Exit

Add this message to the Error Message field that will appear after selecting the Script Exit function.

Error Message: This script is designed to work for a domain controller only.

Error Message
Error Message 2

Row 3 Function: PowerShell Script

Add a new row by clicking on the Add row button.

Add Row

Select PowerShell Script function.

PowerShell Script
PowerShell Script 2

Paste in the following PowerShell script and set the expected time of script execution to 300 seconds. Note that the bootstrap region installs the Strapper module from PSGallery (and marks that repository as trusted) on the domain controller itself on every run; if your change-control or supply-chain policy does not allow that on a DC, point it at an internal repository or pin the module version.

### Region Strapper ###
# Bootstrap: make sure the Strapper module (used for logging and persisted state) is installed and current
$ProgressPreference = 'SilentlyContinue'
[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072)   # 3072 = TLS 1.2
Get-PackageProvider -Name NuGet -ForceBootstrap | Out-Null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
try {
    Update-Module -Name Strapper -ErrorAction Stop
} catch {
    Install-Module -Name Strapper -Repository PSGallery -SkipPublisherCheck -Force
    Get-Module -Name Strapper -ListAvailable | Where-Object { $_.Version -ne (Get-InstalledModule -Name Strapper).Version } | ForEach-Object { Uninstall-Module -Name Strapper -MaximumVersion $_.Version }
}
(Import-Module -Name 'Strapper') 3>&1 2>&1 1>$null
Set-StrapperEnvironment
#endregion
$adminTableName = 'domainadmin'
# Membership recorded by the previous run; $null on the first run
$previousDomainAdmins = try { Get-StoredObject -TableName $adminTableName -WarningAction SilentlyContinue } catch { $null }
# Recursive expansion of the built-in Administrators group, which nests Domain Admins and Enterprise Admins.
# Get-ADGroupMember comes from the ActiveDirectory module, present on every domain controller.
$adminGroupMembers = Get-ADGroupMember -Identity Administrators -Recursive | Where-Object { $_.ObjectClass -eq 'User' } | Select-Object -Property distinguishedName, name, objectClass, objectGUID, SamAccountName, SID -Unique
if (!$previousDomainAdmins) {
    # First run: the current membership becomes the baseline without raising an alert, so review it manually
    Write-Log -Text 'No previous runs of the script were detected. Creating new chain.' -Level Information
} elseif ($newDomainAdmins = $adminGroupMembers | Where-Object { $_.SID.Value -notin $previousDomainAdmins.SID.Value }) {
    # Compare on SID rather than name so a renamed account cannot evade detection
    Write-Log -Text "$($newDomainAdmins.Count) new domain admin(s) detected." -Level Information
    Write-Output "New Domain admin(s): $(foreach ($admin in $newDomainAdmins) {""'$($admin.SamAccountName)';"" })"
} else {
    Write-Log -Text 'No new domain admin detected.' -Level Information
    Write-Output 'No new domain admin detected.'
}
# Persist the current membership as the baseline for the next run
$adminGroupMembers | Write-StoredObject -TableName $adminTableName -Clobber -WarningAction SilentlyContinue -Depth 2

Admin Table
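The following is an added example, not the task script above and not ProVal's code: the same baseline-diff detection written stand-alone, with the state kept in a JSON file instead of Strapper's stored-object table. It goes beyond the task in three ways: it watches several privileged groups, it reports removals as well as additions, and it exercises the diff logic offline on constructed sample accounts. The baseline path, the group list, the function names and the sample data are all assumptions.

```powershell
# Added example (not the page's task script): baseline-diff detection of privileged
# group membership with JSON state. Path, group list and sample accounts are assumptions.

$BaselinePath  = 'C:\ProgramData\NewDomainAdmins\baseline.json'   # assumed location
$WatchedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

function Get-PrivilegedMembers {
    # Expands nested membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule
    # (OID 1.2.840.113556.1.4.1941), which is not subject to the Get-ADGroupMember -Recursive
    # result limit. It does not see accounts whose primaryGroupID points at the group.
    # Needs the ActiveDirectory module (present on every domain controller).
    param([string[]]$Groups = $WatchedGroups)
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($g in $Groups) {
        # Assumes the group DN contains no LDAP filter metacharacters ( ) * \
        $dn = (Get-ADGroup -Identity $g -ErrorAction Stop).DistinguishedName
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" -Properties whenCreated |
            ForEach-Object {
                [pscustomobject]@{
                    Group          = $g
                    SamAccountName = $_.SamAccountName
                    SID            = $_.SID.Value      # string, so it survives the JSON round trip
                    WhenCreated    = $_.whenCreated
                }
            }
    }
}

function Compare-PrivilegedMembers {
    # Diffs two snapshots on (Group, SID). Keying on SID rather than name means a
    # renamed account cannot slip past the check.
    param(
        [AllowEmptyCollection()][object[]]$Baseline = @(),
        [AllowEmptyCollection()][object[]]$Current  = @()
    )
    $old = @{}; foreach ($m in $Baseline) { $old["$($m.Group)|$($m.SID)"] = $true }
    $new = @{}; foreach ($m in $Current)  { $new["$($m.Group)|$($m.SID)"] = $true }
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { -not $old.ContainsKey("$($_.Group)|$($_.SID)") })
        Removed = @($Baseline | Where-Object { -not $new.ContainsKey("$($_.Group)|$($_.SID)") })
    }
}

function Invoke-PrivilegedMembershipCheck {
    # Live check against AD. The output keeps the 'New Domain admin(s):' prefix that the
    # task's Row 6a condition and ticket rely on.
    param([string]$Path = $BaselinePath)
    $current = @(Get-PrivilegedMembers)
    if (-not (Test-Path -Path $Path)) {
        # First run: nothing to diff against. Record the baseline and print the full
        # membership so the starting set is reviewed rather than silently trusted.
        New-Item -ItemType Directory -Path (Split-Path -Path $Path) -Force | Out-Null
        ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $Path -Encoding UTF8
        $names = ($current.SamAccountName | Sort-Object -Unique) -join ', '
        return "Baseline created with $($current.Count) privileged membership(s): $names"
    }
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $diff = Compare-PrivilegedMembers -Baseline $baseline -Current $current
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    if ($diff.Added.Count -eq 0 -and $diff.Removed.Count -eq 0) {
        return 'No new domain admin detected.'
    }
    $lines = New-Object System.Collections.Generic.List[string]
    foreach ($m in $diff.Added)   { $lines.Add("New Domain admin(s): '$($m.SamAccountName)' in $($m.Group) (account created $($m.WhenCreated))") }
    foreach ($m in $diff.Removed) { $lines.Add("Removed from $($m.Group): '$($m.SamAccountName)'") }
    return ($lines -join [Environment]::NewLine)
}

# Constructed sample data: exercises the diff without touching AD. The baseline holds
# two accounts; the current snapshot keeps one of them and adds one not in the baseline.
$sampleBaseline = @(
    [pscustomobject]@{ Group = 'Domain Admins'; SamAccountName = 'alice'; SID = 'S-1-5-21-1-2-3-1104'; WhenCreated = (Get-Date '2024-01-10') }
    [pscustomobject]@{ Group = 'Domain Admins'; SamAccountName = 'bob';   SID = 'S-1-5-21-1-2-3-1105'; WhenCreated = (Get-Date '2024-02-02') }
)
$sampleCurrent = @(
    $sampleBaseline[0]
    [pscustomobject]@{ Group = 'Domain Admins'; SamAccountName = 'svc-backup'; SID = 'S-1-5-21-1-2-3-1201'; WhenCreated = (Get-Date) }
)
$diff = Compare-PrivilegedMembers -Baseline $sampleBaseline -Current $sampleCurrent
"Added:   $($diff.Added.SamAccountName -join ', ')"
"Removed: $($diff.Removed.SamAccountName -join ', ')"

# On a domain controller, run the live check instead:
# Invoke-PrivilegedMembershipCheck
```

Two trade-offs are worth knowing before swapping this in for the task's Get-ADGroupMember call. The matching-rule-in-chain filter avoids the recursive enumeration size limit and the failure on foreign security principals from trusted domains, but it does not report an account whose primary group is the watched group (rare for these groups, but possible), and it can be slow on very large forests. Either way, the comparison is only as good as the interval between runs: an account added and removed between two runs is invisible to a baseline diff.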

Row 4 Function: Set Custom Field

Add a new row by clicking on the Add row button.

Add Row

Select Set Custom Field Function.

Set Custom Field

When you select Set Custom Field, a new window will open.

Custom Field Window

In this window, search for the New Domain Admins field.

Custom Field: New Domain Admins
Value: %Output%

Set Custom Field

Row 5 Function: Script Log

Add a new row by clicking on the Add row button.

Add Row

Select Script Log function.

Script Log

In the script log message, simply type %output% so that the script will send the results of the PowerShell script above to the output on the Automation tab for the target device.

Script Log Message
Script Log Message 2

Row 6 Logic: If Then

If Then Logic
If Then Logic 2

Row 6a Condition: Output Contains

Leave the dropdown set to Contains and enter New Domain admin(s): in the text box. This is the prefix the Row 3 script emits only when it finds members that were not in the previous run's baseline.

Output Condition

Row 6b Function: Set Pre-defined Variable

Add a new row by clicking on the Add row button.

Add Row

Select Set Pre-defined Variable Function.

Set Pre-defined Variable

This pop-up box will appear.

Pop-up Box

Select the System Variable button, set Computer for the Variable Name and friendlyName for the System Variable. friendlyName can be found in the Asset section. Click the Save button to save changes.

Save Changes 2

Row 6c Function: Create Ticket

Add a new row by clicking on the Add row button.

Add Row

Select the Create Ticket function.

Create Ticket

This function will appear.

Create Ticket Function

Subject: New domain admin detected on @computer@ at %companyname%
Description: %Output%
Priority: Medium

Ticket Details

Once all items are added, please save the task. The final task should look like the screenshot below.

Final Task
Final Task 2

Deployment

It is suggested to run the task once per hour against the primary domain controllers or infrastructure masters. Because each run compares membership only with the previous run, an account added and removed within the same interval will not be reported; pair the task with event-log monitoring of group membership changes (security events 4728, 4732 and 4756) if that gap matters to you.

  • Go to Automation > Tasks.
  • Search for New Domain Admins Task.
  • Select the concerned task.
  • Click on the Schedule button to schedule the task/script.

Schedule Task

This screen will appear.

Schedule Screen

Click the Does not repeat button.

Does Not Repeat

This pop-up box will appear.

Repeat Options

Select the Hour(s) option from the Repeat dropdown.

Select Hour
Select Hour 2

Search for Infrastructure in the Resources* and select the Infrastructure Master group.

Select Infrastructure Master

Now click the Run button to initiate the task.

Run Task

The task will start appearing in the Scheduled Tasks.

Scheduled Tasks
Scheduled Tasks 2

Output

  • Script Log
    Script Log Output
    Script Log Output 2
    Script Log Output 3

  • Custom Field
    Custom Field Output
    Custom Field Output 2
    Custom Field Output 3

  • Ticket
    Ticket Output