How to audit an Active Directory domain

Auditing using a GUI

In Open-AudIT, go to Menu -> Admin -> Discovery -> Discover Active Directory. You will see the below form.

If you have set the "Local Network Address" in the config (Menu -> Admin -> Config), it will be pre-populated. This should be the IP address of your Open-AudIT server.

Add the IP address of the Active Directory server, along with credentials (again, if you have set these in the config, they will be pre-populated), and specify how many concurrent audits you would like performed. This will vary depending on the power of your Open-AudIT server and your network.

In general you should NOT use the "Debug" option. This is for troubleshooting.

Click the "Scan Active Directory" button and you will be directed to the Log page. You can refresh this page to see the status of the audit being performed.

Auditing using a script


To audit your domain, edit the file: c:\xampplite\open-audit\other\audit_domain.vbs

Depending on your system's power, you may wish to adjust the "number_of_audits". I usually use 20. Make sure the "script_name" points to the correct place:
script_name = "c:\xampplite\open-audit\other\audit_windows.vbs"

Put your domain in the domain_array variable as per the examples.

Run the script with: cscript audit_domain.vbs on a computer running Windows 7 or later that is signed in to your domain as a user that has "local admin" rights on the target computers (usually I just use a Domain Admin account).

You should see your domain PCs start to get audited by separate audit_windows scripts. They should run and post the result to the database. Go to your web browser and log on to Open-AudIT. You should have a group or two created. Go into one of them and click the machine name. You should see the machine details.

You can also copy the scripts audit_domain.vbs and audit_windows.vbs to another Windows PC (an audit host) and run them against another domain, but submit the results back to a single Open-AudIT server (assuming the audit host can reach the Open-AudIT server). We have successfully audited multiple domains, submitting thousands of results back to a single Open-AudIT server.

Don't forget you can create Groups for the separate domains inside Open-AudIT if required. Along with that, you can have Open-AudIT users set to only view the Groups of their respective domains. There is no need for multiple Open-AudIT servers, and multiple audit hosts may distribute the load evenly.

You could even audit a single domain from multiple remote hosts by having one audit host audit servers and another audit workstations (see options below), and have the domain audits for the different audit hosts run at different times as scheduled tasks. I have found this extremely successful in the past.

Options


The command line arguments are as follows, variable [default] (valid options):

number_of_audits [25] (int) - This is the number of audit_windows.vbs scripts that will spawn at any given time when a list of computers is retrieved from Active Directory.

audit_run_type [local] (local|remote) - Use local only at the moment. The remote option is designed so that the audit_windows script is copied to the target PC and initiated there, then disconnected from, allowing the target machine to audit itself and submit the result to the Open-AudIT server.

remote_user [] (string) - Should be of the format DOMAIN/USERNAME. Runs the script against the target domain and target PC using these credentials.

remote_password [] (string) - Runs the script against the target domain and target PC using these credentials.

script_name [c:\xampplite\open-audit\other\audit_windows.vbs] (string) - Set to the location of audit_windows.vbs that you wish to run against the target PCs.

domain_array [] (array) - If multiple domains are to be audited, they can be input here inside the script only. To audit a single domain, just insert it alone into the array. To request a single domain from the command line, use the variable local_domain (as below).

local_domain [] (string) - Usable from the command line only. Use when needing to audit a single domain and needing to specify it on the command line.

debugging [1] (0-3) - Verbosity of the output to the command line. Set to "0" for no output.

operating_system [windows] (string) - The provided string must match a section of the target PC's operating system string as provided by Active Directory. For example, to audit all Windows servers, set the string to "Server". Examples are in the script.

output_file [] (string) - If set, create an output file of all systems retrieved from Active Directory.
