Using ADUC Saved Queries to Continuously Audit Windows Active Directory

by [Published on 26 Jan. 2011 / Last Updated on 26 Jan. 2011]

This article explains the Active Directory Users and Computers (ADUC) Microsoft tool for administering objects in Active Directory.

Introduction

As the world of security and auditing moves from an annual or bi-annual audit schedule to a continuous audit scenario, there will be the need to create more efficient processes. Today, if an auditor were to ask for “continuous” information from the network admin, the network admin would nearly collapse from the amount of work required to meet this demand. So, it is up to the auditor and other security professionals to find methods to gather information without the need of the network administrator. In my last installment, Using PowerShell to Continuously Audit Windows Active Directory, I covered how to leverage PowerShell to gather information out of Active Directory. In this article, we will leverage Active Directory Users and Computers, which is a Microsoft tool for administering objects in Active Directory.

Obtaining Active Directory Users and Computers (ADUC)

ADUC is not installed by default on a Windows XP or Windows 7 desktop, so you will need to acquire the tool from Microsoft. The tool is free, easily downloadable, and easy to use. The only real hurdle is that you must be a local administrator on your desktop in order to install the suite of tools that ADUC is part of.

For Windows XP, you will need to install ADMINPAK.msi. This is a long-standing suite of “administrator tools” that comes pre-installed on domain controllers. The file is also available from a domain controller or from the installation media, but I am certain that access would be harder for you to obtain than simply downloading it from Microsoft. To download it from Microsoft, follow this link.

For Windows XP, after you install ADMINPAK.msi, you might not see the ADUC tool, or any of the Administrative Tools, because the Administrative Tools do not appear on the Start menu by default. You can add them to the Start menu easily:

  1. Right-click the Start button and select Properties.
  2. Then, select the Start Menu tab.
  3. With the Start Menu radio button selected, click the Customize button.
  4. In the Customize Start Menu window, click the Advanced tab.
  5. Under the list of Start Menu items, scroll down to the System Administrative Tools.
  6. Select the Display on the All Programs menu and the Start menu radio button.
  7. This will now show the Administrative Tools on the Start menu, where you can now access ADUC.

For Windows 7, you will need to install a different package. Windows 7 provides ADUC through RSAT, the Remote Server Administration Tools, which you download from Microsoft. You can download RSAT for Windows 7 here.

You will need to be a local administrator for RSAT to install, just as with ADMINPAK.msi on Windows XP. After RSAT is installed, you will need to make the Administrative Tools option appear on the Start menu, and then make ADUC appear on that menu; neither happens by default even though RSAT is installed. Follow these steps in Windows 7 to display the Administrative Tools:

  1. Right-click the Start button and select Properties.
  2. Then, select the Start Menu tab.
  3. Click the Customize button.
  4. In the Customize Start Menu window, scroll down to the System Administrative Tools.
  5. Select the Display on the All Programs menu and the Start menu radio button.
  6. This will now show the Administrative Tools on the Start menu.

Follow these steps in order to access the Active Directory tools within RSAT and have ADUC show up on the Administrative Tools menu option:

  1. Open up Control Panel, then click the Programs and Features option.
  2. Select the Turn Windows features on or off option. (Note: this requires local administrative privileges).
  3. In the Windows Features dialog box, scroll down to the Remote Server Administration Tools option, then expand the node.
  4. Then, expand Role Administration Tools - AD DS and AD LDS Tools - AD DS Tools - and finally check the AD DS Snap-ins and Command-Line Tools check box.
  5. Finally, click on the OK button.

Creating Saved Queries in ADUC

There are two ways to create a Saved Query: choose one of the default, built-in options, or create a custom query of your own.

To create a Saved Query, follow these steps:

  1. Right-click Saved Queries and click the New Query option.
  2. Type in a name for your saved query, such as Disabled User Accounts.
  3. Click the Define Query button.
  4. For user information, click the Users tab.
  5. Check the box indicating that you want to view only disabled accounts, then click OK.
  6. Click the OK button to save the query.
  7. You should now see only the accounts that meet the criteria you entered in the query.

If you know some LDAP, you can create custom queries. To create a custom Saved Query, follow these steps:

  1. Right-click Saved Queries and click the New Query option.
  2. Type in a name for your saved query, such as All “Admin” Groups.
  3. Click the Define Query button.
  4. Under the Find drop-down list, select Custom Search.
  5. Click the Advanced tab.
  6. Type in your query, such as (&(objectcategory=group)(samaccountname=*admin*)).
  7. Click the OK button to save the custom entry, then click the OK button to save the query.
  8. You should now see only the groups whose name contains “admin”.

Here are some examples of custom saved queries that you can use immediately. Each one is a single LDAP filter, with the individual conditions combined by the (&...) AND operator.

Example 1. Find all user accounts with “srv_acct” in the name, which is useful if your service accounts follow a naming convention.

(&(objectcategory=person)(samaccountname=*srv_acct*))

Example 2. Find all groups that have no members.

(&(objectCategory=group)(!(member=*)))

Example 3. Find users that have non-expiring passwords.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
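As an added example (not code from the article), the following Python evaluator parses the three filters above, together with the “admin” groups filter from the previous section, and runs them over a constructed set of directory objects; it implements the 1.2.840.113556.1.4.803 bitwise-AND matching rule that Example 3 relies on, where 65536 is the DONT_EXPIRE_PASSWORD bit of userAccountControl. The objects, names and DNs are constructed, and objectCategory values are shortened to their class names rather than the schema DNs Active Directory actually stores.

```python
# Added example, not code from the article: a minimal LDAP filter evaluator that
# runs the article's ADUC saved queries offline over constructed sample objects.
import fnmatch
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND; 65536 = DONT_EXPIRE_PASSWORD

def parse(s, i=0):
    # Parse the parenthesised filter starting at s[i]; return (node, index after it).
    assert s[i] == "(", f"expected '(' at {i}: {s!r}"
    if s[i + 1] in "&!":                      # compound filter: (&(a)(b)...) or (!(a))
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        assert s[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    end = s.index(")", i)                     # simple item: attr[:rule:]=value
    attr, _, value = s[i + 1:end].partition("=")
    attr, _, rule = attr.partition(":")       # rule is the matching-rule OID, if any
    return ("item", attr.lower(), rule.rstrip(":"), value), end + 1

def match(node, obj):
    # Evaluate a parsed filter against one object (a dict keyed by lowercase attribute).
    if node[0] == "&": return all(match(k, obj) for k in node[1])
    if node[0] == "!": return not match(node[1][0], obj)
    _, attr, rule, value = node
    vals = obj.get(attr, [])                  # absent attribute never matches
    vals = vals if isinstance(vals, list) else [vals]
    if rule == BIT_AND:                       # bitwise AND: every bit of value must be set
        return any(int(v) & int(value) == int(value) for v in vals)
    if value == "*": return bool(vals)        # presence test
    return any(fnmatch.fnmatchcase(str(v).lower(), value.lower()) for v in vals)

def run_query(filter_text, objects):
    node, end = parse(filter_text)            # a trailing "(b)" after "(a)" is rejected
    assert end == len(filter_text), "text after the closing parenthesis"
    return sorted(o["name"] for o in objects if match(node, o))

DIRECTORY = [  # constructed, not a real domain; objectCategory shortened to its name
    {"name": "srv_acct_backup", "objectcategory": "person", "objectclass": ["top", "user"],
     "samaccountname": "srv_acct_backup", "useraccountcontrol": 512 | 65536},  # never expires
    {"name": "jdoe", "objectcategory": "person", "objectclass": ["top", "user"],
     "samaccountname": "jdoe", "useraccountcontrol": 512},
    {"name": "SQL_Admins", "objectcategory": "group", "samaccountname": "SQL_Admins",
     "member": ["CN=jdoe,CN=Users,DC=example,DC=test"]},
    {"name": "OldProject", "objectcategory": "group", "samaccountname": "OldProject"},
]

QUERIES = {  # the article's queries, with the outer (&...) that LDAP syntax requires
    "service accounts": "(&(objectcategory=person)(samaccountname=*srv_acct*))",
    "empty groups": "(&(objectCategory=group)(!(member=*)))",
    "non-expiring passwords": "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))",
}
```

Running `run_query(QUERIES["non-expiring passwords"], DIRECTORY)` returns only the service account, because 512 | 65536 has the 65536 bit set while a plain 512 does not.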

Summary

Using Saved Queries from within ADUC gives you a quick and easy way to check up on accounts that meet certain criteria. Since you only need to be a domain user to run Saved Queries, as an auditor you can access a great deal of information from within Active Directory. You do need local administrator rights to install ADUC, but that should be something you can get accomplished with help from the network admins and your boss. Once ADUC is installed, you can start running the pre-defined queries or create your own custom saved queries.
