TAG | ad
15 Jun 2010
Active Directory Federation Services 2.0 Management Pack
No comments · Posted by Christopher Keyaert in OpsMgr / Scom
Microsoft has just released a new management pack for SCOM 2007: Active Directory Federation Services 2.0 Management Pack.
Overview
The Active Directory Federation Services (AD FS) 2.0 management pack monitors events that the AD FS 2.0 Windows service records in the AD FS 2.0 event logs, and it monitors the performance data that the AD FS 2.0 performance counters collect. It also monitors the overall health of the AD FS 2.0 system and the federation passive application, and it provides alerts for critical issues and warning issues.
This management pack includes monitoring of the following core components: token issuance, token acceptance, artifact service, websites, trust management, certificate rollover, and Windows Internal Database synchronization.
Feature Summary
- Events that indicate service outages and operational errors or warnings
- Alerts that indicate configuration issues and background task failures or warnings
- Whether auditing is occurring successfully
- Communication between the federation server and the federation server proxy
- Notification of malformed access requests
- Website availability
- The health of the Secure Sockets Layer (SSL) certificate of the federation passive website in Internet Information Services (IIS)
ad · adfs · federation services · mp · Scom
6 May 2010
SCOM / PowerShell : Number of locked AD accounts
No comments · Posted by admin in PowerShell
Dear All,
Here is a new little PowerShell script that writes an event with ID 6970 to the event log when more than X accounts are locked in less than Y minutes. You then just have to create a new rule in SCOM that collects events with ID 6970 and schedule the script to run every 10 minutes.
Thanks to that you can be alerted when there is an attack attempt against your Active Directory.
########################################################
# Get the number of accounts locked in the last 10 minutes
########################################################

###########################
# Param
###########################
$LockedSince = 10            # Minutes
$NumberofLockedAccount = 50  # Alert threshold

###########################
# SCRIPT
###########################
# Search the whole domain for accounts whose lockoutTime attribute is set.
# lockoutTime is not cleared when the lockout duration expires, so the LDAP
# filter alone over-reports; the ADS_UF_LOCKOUT flag check below is what
# confirms the account is still locked.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
$colProplist = "name","samaccountname","lockoutTime"
foreach ($i in $colProplist) { $objSearcher.PropertiesToLoad.Add($i) | Out-Null }
$colResults = $objSearcher.FindAll()

$cpt = 0
$result = $null
$result2 = $null
$ADS_UF_LOCKOUT = 0x00000010

foreach ($objResult in $colResults)
{
    $domainname = $objDomain.name
    $samaccountname = [string]$objResult.Properties["samaccountname"][0]
    $user = [ADSI]"WinNT://$domainname/$samaccountname"

    if (($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT)
    {
        $Sam  = $samaccountname
        $Name = [string]$objResult.Properties["name"][0]
        # lockoutTime is stored as a Windows FILETIME (100-ns ticks since 1601)
        [long]$fileTime = $objResult.Properties["lockouttime"][0]
        [datetime]$LockTime = [datetime]::FromFileTime($fileTime)

        # Keep only the accounts locked within the last $LockedSince minutes
        $DayDate = Get-Date
        $DayDateBefore = $DayDate.AddMinutes(-$LockedSince)
        if (($LockTime -gt $DayDateBefore) -and ($LockTime -lt $DayDate))
        {
            Write-Host "************"
            Write-Host "User : $Sam"
            Write-Host "Name : $Name"
            Write-Host "LockTime : $LockTime"
            Write-Host "************"
            Write-Host ""
            $result2 += "************`r"
            $result2 += "User : $Sam`r"
            $result2 += "Name : $Name`r"
            $result2 += "LockTime : $LockTime`r"
            $result2 += "************`r"
            $result2 += "`r"
            $cpt += 1
        }
    }
}

Write-Host "************"
Write-Host "There is $cpt account(s) locked in the last $LockedSince minutes"
Write-Host "************"
$result += "************`r"
$result += "There is $cpt account(s) locked in the last $LockedSince minutes`r"
$result += "************`r"
$result += $result2

if ($cpt -ge $NumberofLockedAccount)
{
    Write-Host ""
    Write-Host "Limit reached, /!\ ALERT /!\"
    Write-Host ""
    $infoevent = [System.Diagnostics.EventLogEntryType]::Error
}
else
{
    $infoevent = [System.Diagnostics.EventLogEntryType]::Information
}

############################
# Var for the event creation
############################
# The event source must exist before WriteEntry can use it; registering it
# needs administrative rights, but only once.
if (-not [System.Diagnostics.EventLog]::SourceExists("AD-SCOM"))
{
    [System.Diagnostics.EventLog]::CreateEventSource("AD-SCOM", "Application")
}
$evt = New-Object System.Diagnostics.EventLog("Application")
$evt.Source = "AD-SCOM"
$evt.MachineName = "."
$evt.WriteEntry($result, $infoevent, 6970)
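The windowing and threshold logic of the script above, as an added example that is not part of the original post: it is factored into a function and run against constructed lockout records, so the FILETIME conversion, the time window and the threshold can be checked on any machine without a domain or SCOM. The function name Get-LockoutAlert, its parameters and the sample accounts are this example's own choices. The sample deliberately includes two edge cases the script has to get right: an account locked outside the window, and an account whose lockoutTime is recent but whose lockout has already been cleared (lockoutTime is not reset when the lockout duration expires, which is why the script checks the ADS_UF_LOCKOUT flag as well).

```powershell
# Added example (not the original post's code): the script's windowing and
# threshold logic as a function that can be exercised against constructed data.

function Get-LockoutAlert {
    param(
        # Objects with SamAccountName, LockoutTime (FILETIME, as AD stores it)
        # and IsLocked (the ADS_UF_LOCKOUT flag reported by the WinNT provider)
        [Parameter(Mandatory)] [object[]] $Accounts,
        [int] $LockedSince = 10,              # window in minutes
        [int] $NumberofLockedAccount = 50,    # alert threshold
        [datetime] $Now = (Get-Date)
    )

    $windowStart = $Now.AddMinutes(-$LockedSince)
    $hits = foreach ($a in $Accounts) {
        # lockoutTime survives the lockout duration expiring, so the flag is
        # what says the account is still locked; an unlocked account with a
        # stale lockoutTime must not count.
        if (-not $a.IsLocked) { continue }
        $lockTime = [datetime]::FromFileTime([long]$a.LockoutTime)
        if ($lockTime -gt $windowStart -and $lockTime -le $Now) {
            [pscustomobject]@{ SamAccountName = $a.SamAccountName; LockTime = $lockTime }
        }
    }

    $count = @($hits).Count
    # Same mapping as the script: Error once the threshold is reached, else Information
    if ($count -ge $NumberofLockedAccount) {
        $entryType = [System.Diagnostics.EventLogEntryType]::Error
    } else {
        $entryType = [System.Diagnostics.EventLogEntryType]::Information
    }

    [pscustomobject]@{
        Count     = $count
        Accounts  = @($hits)
        EntryType = $entryType
    }
}

# Constructed sample data; "now" is fixed so the run is reproducible.
$now = Get-Date '2010-05-06 10:00:00'
$ft  = { param($minutesAgo) $now.AddMinutes(-$minutesAgo).ToFileTime() }

$sample = @(
    [pscustomobject]@{ SamAccountName = 'user01'; LockoutTime = (& $ft 2);  IsLocked = $true  }
    [pscustomobject]@{ SamAccountName = 'user02'; LockoutTime = (& $ft 5);  IsLocked = $true  }
    [pscustomobject]@{ SamAccountName = 'user03'; LockoutTime = (& $ft 9);  IsLocked = $true  }
    # locked 45 minutes ago: outside the 10-minute window, ignored
    [pscustomobject]@{ SamAccountName = 'user04'; LockoutTime = (& $ft 45); IsLocked = $true  }
    # lockoutTime is recent but the lockout was already cleared: the flag rules it out
    [pscustomobject]@{ SamAccountName = 'user05'; LockoutTime = (& $ft 1);  IsLocked = $false }
)

# Threshold of 3 for the demo (the post uses 50): user01..user03 match, so EntryType is Error
$r = Get-LockoutAlert -Accounts $sample -LockedSince 10 -NumberofLockedAccount 3 -Now $now
"{0} account(s) locked in the last 10 minutes -> {1}" -f $r.Count, $r.EntryType
$r.Accounts | Format-Table -AutoSize
```

Running it prints 3 matching accounts with EntryType Error; lowering the threshold parameter or widening the window changes the outcome in the obvious way. Wiring the returned EntryType and account list into the WriteEntry call from the script is all that is needed to turn the function into the scheduled check the post describes.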
active directory · ad · PowerShell · script
