KQL - Group Object Audits ADDS

This is a KQL written for Azure Sentinel. 
Purpose is to search for eventid from Active Directory Domain Services related to Group objects.

SecurityEvent
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757, 4727, 4730, 4731, 4734) // Add or remove from group, create or delete group
| extend 
    Action = case(
        EventID == 4728, "Added to Global Group",
        EventID == 4729, "Removed from Global Group",
        EventID == 4732, "Added to Local Group",
        EventID == 4733, "Removed from Local Group",
        EventID == 4756, "Added to Universal Group",
        EventID == 4757, "Removed from Universal Group",
        EventID == 4727, "Created a Security-Enabled Global Group",
        EventID == 4730, "Deleted a Security-Enabled Global Group",
        EventID == 4731, "Created a Security-Enabled Local Group",
        EventID == 4734, "Deleted a Security-Enabled Local Group",
        "Unknown Action"
    ),
    Initiator = coalesce(tostring(SubjectUserName), tostring(AccountName), "Unknown Initiator")
| summarize 
    FirstOccurrence = min(TimeGenerated)    
    by Action, TargetGroup = TargetAccount, Initiator, Domain = TargetDomainName, MemberName, EventID
| project FirstOccurrence, Action, Initiator, Domain, TargetGroup, MemberName, EventID

Powershell - Search Azure/Entra AD for current status of an employeeID accounts using Graph Batch

Graph is a pain to work with if you are like me and just a scripter 

Takes a list of employee IDs via the $employeeIDs variable 
Queries Azure AD via Microsoft Graph in batches of 20
Retrieves userPrincipalName, employeeId, accountEnabled, 
and LastPasswordChangeDateTime
Outputs results to console and CSV

Connect-MgGraph -Scopes "User.Read.All"

$employeeIds = @"
EMPID
0000001
"@ | ConvertFrom-Csv

$employeeIds = $employeeIds.empid   

# Create batch request body
$batchRequests = @()
$batchSize = 20  # Microsoft Graph allows up to 20 requests per batch
$idCounter = 1

for ($i = 0; $i -lt $employeeIds.Count; $i++) {
    $request = @{
        "id" = "$idCounter"
        "method" = "GET"
        "url" = "/users?`$filter=employeeId eq '$($employeeIds[$i])'&`$select=userPrincipalName,employeeId,accountEnabled,LastPasswordChangeDateTime"
    }
    $batchRequests += $request
    $idCounter++
}

# Split into batches of 20 which i believe is the limit 
$batchedResults = @()
for ($i = 0; $i -lt $batchRequests.Count; $i += $batchSize) {
    $batchEnd = [Math]::Min($i + $batchSize, $batchRequests.Count)
    $currentBatch = $batchRequests[$i..($batchEnd-1)]
    
    $batchBody = @{
        "requests" = $currentBatch
    } | ConvertTo-Json -Depth 10

    # Send batch request
    $response = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/`$batch" -Body $batchBody
    
    # Process responses
    foreach ($resp in $response.responses) {
        if ($resp.status -eq 200 -and $resp.body.value) {
            $batchedResults += $resp.body.value | Select-Object @{
                Name = "UserPrincipalName"; Expression = {$_.userPrincipalName}
            }, @{
                Name = "EmployeeID"; Expression = {$_.employeeId}
            }, @{
                Name = "AccountEnabled"; Expression = {$_.accountEnabled}
            }, @{
                Name = "LastPasswordChangeDateTime"; Expression = {$_.LastPasswordChangeDateTime}
            }
        }
    }
}

#Tesults
$batchedResults | Format-Table -AutoSize
$batchedResults | Export-Csv -Path "C:\AzureAD_Employee_Search.csv" -NoTypeInformation

Batch - Get time from remote server write to csv audit log

Purpose: needed a hacked up batch file that was able to read time from a remote server and log to a CSV for user logon auditing. They may have been a better way to do this in batch, but after about 5 hours of looking i decided to just write my own. Wish i could have used powershell. Note:I found that using the net time //x.x.x.x command against a server can return different formatted results I think this script is able to handle the differences but i can not be certain without further testing

@echo off
REM Tony Unger
REM
REM login audit script
REM For Log In
Rem Writes to a CSV file
REM Thanks to http://brisray.com/comp/batch3.htm for length checking in batch


setlocal EnableDelayedExpansion
for /f "delims=" %%i in ('net time \\servername') do (
    if "!CurrentTime!"=="" (set CurrentTime=%%i) else (set CurrentTime=!CurrentTime!#%%i)

)

echo %CurrentTime%
Echo parse the Net Time command
FOR /f "tokens=6,7,8" %%a IN ("%CurrentTime%") DO (
SET _date=%%a
SET _time=%%b
SET _AMPM=%%c
Echo after read ampm is %_AMPM%
If %_AMPM% ==AM#Local (
FOR /f "tokens=14,15,16" %%a IN ("%CurrentTime%") DO (
SET _date=%%a
SET _time=%%b
SET _AMPM=%%c
)
)
If %_AMPM% ==PM#Local (
FOR /f "tokens=14,15,16" %%a IN ("%CurrentTime%") DO (
SET _date=%%a
SET _time=%%b
SET _AMPM=%%c
)
)
Echo Now it is equal to: %_AMPM%

if %_HourUpdate% == 01 (set _HourUpdate=13)
Echo Break up the date to Day Month Year
for /f "tokens=1,2,3 delims=/ " %%A in ("%_date%") DO (
SET _Month=%%A
SET _Day=%%B
SET _Year=%%C
)
Echo Breakup Time to Hour Min Sec
for /f "tokens=1,2,3 delims=: " %%A in ("%_time%") DO (
SET _Hour=%%A
SET _Min=%%B
SET _Sec=%%C
)
Echo Removing spaces
set _Year=%_Year: =%
set _MonthUpdate=%_MonthUpdate: =%
set _Day=%_Day: =%
set _Hour=%_Hour: =%
set _Min=%_Min: =%
set _Sec=%_Sec: =%
REM
Echo Convert Month to two digits
set c=%_Month%
:Monthloop
if defined c (set c=%c:~1%&set /A _MonthCount += 1&goto Monthloop)
Echo Found %_MonthCount% in Month string
if "%_MonthCount%" LSS "2" (set _MonthUpdate=0%_Month%)
IF "%_MonthCount%" GTR "1" (set _MonthUpdate=%_Month%)
Echo %_MonthUpdate%
REM
Echo Convert Day to Two Digits
echo %_Day%
set c=%_Day%
:Dayloop
if defined c (set c=%c:~1%&set /A _DayCount += 1&goto Dayloop)
Echo Found %_DayCount% in day string
if "%_DayCount%" LSS "2" (set _DayUpdate=0%_Day%)
IF "%_DayCount%" GTR "1" (set _DayUpdate=%_Day%)
Echo %_DayUpdate%
REM
Echo Convert Hour to two digits
set c=%_Hour%
:Hourloop
if defined c (set c=%c:~1%&set /A b += 1&goto Hourloop)
Echo Found %b% in hour string
if "%b%" LSS "2" (set _HourUpdate=0%_Hour%)
IF "%b%" GTR "1" (set _HourUpdate=%_Hour%)
REM
Echo %_HourUpdate%
Echo Convert Hour to 24Hour
if %_AMPM%==PM#Local (
  if %_HourUpdate% == 01 (set _HourUpdate=13)
  if %_HourUpdate% == 02 (set _HourUpdate=14)
  if %_HourUpdate% == 03 (set _HourUpdate=15)
  if %_HourUpdate% == 04 (set _HourUpdate=16)
  if %_HourUpdate% == 05 (set _HourUpdate=17)
  if %_HourUpdate% == 07 (set _HourUpdate=19)
  if %_HourUpdate% == 08 (set _HourUpdate=20)
  if %_HourUpdate% == 09 (set _HourUpdate=21)
  if %_HourUpdate% == 10 (set _HourUpdate=22)
  if %_HourUpdate% == 11 (set _HourUpdate=23)
  ) ELSE (
  if %_HourUpdate% == 12 (set _HourUpdate=00)
  )
if %_AMPM%==PM#The (
  if %_HourUpdate% == 01 (set _HourUpdate=13)
  if %_HourUpdate% == 02 (set _HourUpdate=14)
  if %_HourUpdate% == 03 (set _HourUpdate=15)
  if %_HourUpdate% == 04 (set _HourUpdate=16)
  if %_HourUpdate% == 05 (set _HourUpdate=17)
  if %_HourUpdate% == 07 (set _HourUpdate=19)
  if %_HourUpdate% == 08 (set _HourUpdate=20)
  if %_HourUpdate% == 09 (set _HourUpdate=21)
  if %_HourUpdate% == 10 (set _HourUpdate=22)
  if %_HourUpdate% == 11 (set _HourUpdate=23)
  ) ELSE (
  if %_HourUpdate% == 12 (set _HourUpdate=00)
  )
REM
Echo  Convert Mins to two digits
set c=%_Min%
:Minloop
if defined c (set c=%c:~1%&set /A _MinCount += 1&goto Minloop)
Echo Found %_MinCount% in minute string
if "%_MinCount%" LSS "2" (set _MinUpdate=0%_Min%)
IF "%_MinCount%" GTR "1" (set _MinUpdate=%_Min%)
Echo %_MinUpdate%
REM This is done incase seconds doesn't return as in older versions of windowss
if "%_Sec%"==" " SET _Sec=00
REM Remove Spaces from Strings
set _Year=%_Year: =%
set _MonthUpdate=%_MonthUpdate: =%
set _DayUpdate=%_DayUpdate: =%
set _HourUpdate=%_HourUpdate: =%
set _MinUpdate=%_MinUpdate: =%
set _Sec=%_Sec: =%
if not %_MonthUpdate%==is echo Log Off,%_Year%-%_MonthUpdate%-%_DayUpdate% %_HourUpdate%:%_MinUpdate%:%_Sec%,%COMPUTERNAME%,%USERNAME%  >> \\servername\audit\%USERNAME%.csv
if %_MonthUpdate%==is echo %date:~10,4%-%date:~4,2%-%date:~7,2%,%COMPUTERNAME%,%USERNAME% >> \\servername\audit\errors.txt

VBS script - List out all domain groups with users

This is a little VBS script I pieced together back in 2007. Its purpose is to connect to Active Directory and list out all domain groups and their users into a nice CSV file. If you have proper permissions on the domain just double click and it will save a csv file to c:\groupswithusers.csv. Purpose: List out all domain groups with users Note: There could be an issue listing out Domain Users group that I never fixed.

'Tony Unger Nov 2007
'if you have questions, i may or may not be able to answer them
'This script returns all the groups with their members in this format
'"Group,Display name,Account Name,Group Scope,Group Type"
'I did it that way for easy import into excel
'Tested to work on
'2000 Mixed mode
'2000 Native Mode
'2003 Mode
'It should auto find the domain it is ran from.. if not look for strDNSDomain and fill in your information
'This was pieced together from many sources but mainly
'http://www.computerperformance.co.uk/vbscript/index.htm
'And a few others
'Use at your own risk, but i have never had an issue running this.

On Error Resume Next
Dim PathtoCSV
Dim Dil
PathtoCSV = "c:\GroupsWithUsers.csv" ' change the path here
dil = ","    'how do you want the values to be separated ?  by , ; etc
Dim objConnection, objCommand, objRootDSE, strDNSDomain
Dim strFilter, strQuery, objRecordSet, strgt
DIM fso, GuyFile ' write to text file


Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")


objConnection.Provider = "ADsDSOOBject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
Set objRootDSE = GetObject("LDAP://RootDSE") 'bind the user object to Active Directory
Set fso = CreateObject("Scripting.FileSystemObject")
Set GuyFile = fso.CreateTextFile(PathtoCSV, True)

'Writes 1st line(Header) to text file
GuyFile.WriteLine("Group Name" & dil & "Display Name" & dil & "Account Name" & dil & "Group Scope" & dil &  "Group Type" & dil & "Last Password Set")

'Get domain if this doesn't work in auto finding the domain can try the commented out
strDNSDomain = objRootDSE.Get("defaultNamingContext")
'strDNSDomain = DC=microsoft,DC=com

strBase = ""

'Define the filter elements
strFilter = "(&(objectCategory=group))"

'List all attributes you will require
strAttributes = "distinguishedName,sAMAccountName,groupType"

'compose query
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 99999
objCommand.Properties("Timeout") = 300
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName") ' returns ldap path
    strSA = objRecordSet.Fields("sAMAccountName") ' returns Group name
    strgt = objRecordSet.Fields("groupType")
    If (strgt ANd &h01) <> 0 then
        Scope = "BuiltIn Local"
    ElseIf (strgt And &h02) <> 0 Then
        Scope = "Global"
    ElseIf (strgt And &h04) <> 0 Then
        Scope = "Domain Local"
    ElseIf (strgt And &h08) <> 0 Then
        Scope = "Universal"
    End If
    If (strgt And &h80000000) <> 0 Then
        SecDst = "Security Type"
    Else
        SecDst = "Distribution Type"
    End If

    'strDN Prints ex CN=IIS_WPG,OU=IT Dept,OU=Groups,DC=XXXX,DC=com   Sweet!!!
    'Wscript.Echo  strDN

    Set objGroup = GetObject("LDAP://" & strDN & "")
   
    For Each objUser in objGroup.Members
    'The mid function is set to start at char 4 on the returned string of objUser.Name to not write CN= to the csv file
    'If you wanted to only write certain groups and their members to the CSV file then uncomment the line below and the end if and follow the example
    'If strSA = "Domain Admins" or strSA = "Administrators" or strSA = "Enterprise Admins"
          GuyFile.WriteLine(strSA & dil & objUser.displayName & dil & mid(objUser.Name,4) & dil & Scope & dil &  SecDst & dil & objUser.PasswordLastChanged)
    'End If
     Next
    objRecordSet.MoveNext ' moves to next member in group
Loop


GuyFile.Close
objConnection.Close
PathtoCSV = nothing
Set objConnection = Nothing
Set objCommand = Nothing
Set objRootDSE = Nothing
Set objRecordSet = Nothing
WScript.Echo "Done! CSV file saved to: " & PathtoCSV

Folder Permissions Audit

The purpose of this application is i needed a way to audit NTFS folder permissions on my file server, so instead of using one of the 3rd party programs available I wrote this one.

It contains a batch file for running the executable and a text file called exclude.txt for excluding certain user names from being added to the report. Just extract the zip to a folder and run the batch file you will be asked for the path(non-UNC at the moment)after the executable is done running the report will open in notepad. In the future I will have the report export to comma delimited format.

 Note there isn't any error checking really in this application so be sure to put the correct path (ex z:\temp) When using the exclude.txt be sure to place each username on its own line. This utility only goes one level down so if you are auditing c:\temp it will only audit the top level folders within c:\temp As with any program here use at your own risk. Link to files If you would like the source code leave a comment.