WMI: Win32_Account class

Hello!

One of our VBS scripts monitors any changes in the Win32_Account class:

strComputer = "."

' {(Security)} requests the security privilege on the WMI connection
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & strComputer & "\root\cimv2")

' Intrinsic event query: WMI polls Win32_Account every 10 seconds and raises
' creation/modification/deletion events for instances matching the WHERE clause
Set objEventSource = objWMIService.ExecNotificationQuery ("Select * From __InstanceOperationEvent WITHIN 10 Where TargetInstance isa 'Win32_Account' and TargetInstance.LocalAccount=TRUE")

' (the rest of the script was omitted from the post; a minimal event loop follows)
Do
    Set objEvent = objEventSource.NextEvent   ' blocks until the next matching event
    WScript.Echo objEvent.Path_.Class & ": " & objEvent.TargetInstance.Domain & "\" & objEvent.TargetInstance.Name
Loop

The problem is that in spite of adding TargetInstance.LocalAccount=TRUE, this code still captures Win32_Account changes in ANY domain of our enterprise domain tree, even when connected to "." (locally).

This page https://msdn.microsoft.com/ru-ru/library/windows/desktop/aa394061%28v=vs.85%29.aspx says:

"The Win32_Account abstract WMI class contains information about user accounts and group accounts known to the computer system running Windows. User or group names recognized by a Windows domain are descendants (or members) of this class."

Q1: Does this definition mean that a connection to the LOCAL Win32_Account class (".") will capture not only local but also domain account modifications (if the computer is a member of a domain), because user or group names recognized by a Windows domain are descendants (or members) of this class? That is what I see in my network.

Q2: What should I do to narrow the scope of the query down to a single domain, city2.enterprise.local?

Thank you in advance,

Michael

February 4th, 2015 7:33am

To capture changes to accounts, turn on auditing. You do not need to script this, as it is built into Windows.

WMI on member servers can only see local account changes. DCs see changes to domain accounts.

Use auditing for all of this.

February 4th, 2015 10:19am

" ...You do not need to script... " - I do need this script and just want to have Q1 and Q2 answered.

"WMI on member servers can only see local account changes. DCs see changes to domain accounts." - no, as I've already said, that's not true: when connected to my local workstation (wmi=".") my script captures account modifications across the ALL domain tree, including, for instance, modifications made on DC.Enterprise.Local.

Regards,

Michael

February 5th, 2015 2:55am


Yes, if you are sitting at the machine, but not if you connect remotely. It is the third-hop restriction.

A DC can see everything because DCs are given delegation authority.

Why would you use WMI for this? We would normally use ADSI or RSAT. It allows us to finely filter the result.

February 5th, 2015 3:00am

Here is how to filter by domain.

gwmi win32_account -filter  'Domain="MYDOMAIN"'

February 5th, 2015 3:03am

"Yes, if you are sitting at the machine, but not if you connect remotely." - ??? The script can be run on any domain member (client or server) and, when run in a loop, would report immediately (by mail) that some other administrator has changed something.

Yes, I'm using LogParser scripts for parsing the DC's log as well, but those scripts can NOT report at the time of the modification.

"gwmi win32_account -filter 'Domain="MYDOMAIN"'" - Firstly, it's a FILTER, so I'll keep getting ALL modifications and then just filtering them. My Q2 is: CAN I GET only one domain?

And the main question - Q1 - WHY DO I SEE MODIFICATIONS FROM ALL DOMAINS WHEN CONNECTED TO "."???

Regards,

Michael

February 5th, 2015 3:16am

ADSI returns only the current domain.

If you want immediate notification on account changes use auditing.  It will email you immediately without scanning anything.

Sorry, but Windows was not designed to work to your specs. It has a very logical and efficient design. Once you learn how AD works you will find that it is very flexible. WMI access to AD is just an extra and not intended to do what you are trying to do. With auditing you can know and log everything that happens in a very efficient manner. Polling constantly with WMI is very inefficient and unreliable.

The same is true for the event log. We can trigger tasks on specific events, and we can ship selected events to a database for archival and forensic purposes.

What you are trying to do reminds me of what we had to do back in the NT4 days. Since W2K none of this has been necessary, although I notice that many working as techs today do not know about the newer technologies.

Look into auditing, event log publishing and tasks to see what I mean.

February 5th, 2015 3:31am

Sorry, I don't understand it: "Sorry, but Windows was not designed to work to your specs... WMI access to AD is just an extra and not intended to do what you are trying to do." - if this is the case, for what purpose does the Win32_Account class exist?

I don't want to argue over how to monitor account modifications. As the Win32_Account class exists, I want to clarify its definition:

"The Win32_Account abstract WMI class contains information about user accounts and group accounts known to the computer system running Windows. User or group names recognized by a Windows domain are descendants (or members) of this class."

- does it mean that, having connected to a domain member (".") with an administrative domain (NOT ENTERPRISE!) account, I should see modifications from the entire domain tree - yes or no?

February 5th, 2015 4:03am

On a domain controller you will see all accounts.

How you connect has nothing to do with what you see. WMI just queries the local accounts database. If the local machine is a GC you will see everything.

As I said.  WMI was not designed to do what you are doing.  It might work but it will not give you much control.

February 5th, 2015 4:07am
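The two points made above, filtering by Domain (the "gwmi win32_account -filter 'Domain=...'" reply) and checking what the local WMI provider actually enumerates, can be combined into one script. The following is an added example written for this page, not code from any of the posters. It assumes the NetBIOS name of city2.enterprise.local is CITY2 (a placeholder; use your own), and it uses Win32_UserAccount rather than the abstract Win32_Account so that groups are excluded (use Win32_Group for those). The important difference from a -Filter on Get-WmiObject is that here the domain restriction lives in the WQL WHERE clause of the event query, so WMI only delivers events for accounts in that domain; WMI still polls the whole class every WITHIN interval, so the enumeration cost on a domain-joined machine is unchanged.

```powershell
# Added example, not from the original thread.
# ASSUMPTION: 'CITY2' is the NetBIOS name of city2.enterprise.local.
$TargetDomain = 'CITY2'

# 1. What does this machine's WMI account provider actually enumerate?
#    Run this on the workstation first: the Domain values returned are the
#    domains whose account changes a WITHIN-polled event query here can see.
function Get-VisibleAccountDomains {
    Get-WmiObject -Class Win32_Account |
        Group-Object -Property Domain |
        Select-Object @{ n = 'Domain'; e = { $_.Name } }, Count |
        Sort-Object Domain
}

# 2. Event query narrowed to one domain inside the WHERE clause. Win32_UserAccount.Domain
#    holds the NetBIOS domain name, hence 'CITY2' and not 'city2.enterprise.local'.
$query = @"
SELECT * FROM __InstanceModificationEvent WITHIN 10
WHERE TargetInstance ISA 'Win32_UserAccount'
  AND TargetInstance.Domain = '$TargetDomain'
"@

# Properties of Win32_UserAccount worth diffing between the old and new instance.
$WatchedProps = 'Name', 'FullName', 'Description', 'Disabled', 'Lockout',
                'PasswordRequired', 'PasswordChangeable', 'PasswordExpires', 'Status'

# Turn one __InstanceModificationEvent into a one-line report of what changed.
function Format-AccountChange($wmiEvent) {
    $new = $wmiEvent.TargetInstance
    $old = $wmiEvent.PreviousInstance
    $changed = foreach ($p in $WatchedProps) {
        if ($new.$p -ne $old.$p) { "{0}: '{1}' -> '{2}'" -f $p, $old.$p, $new.$p }
    }
    if (-not $changed) { $changed = @('(no watched property changed)') }
    '{0:s} {1}\{2} modified: {3}' -f (Get-Date), $new.Domain, $new.Name, ($changed -join '; ')
}

# 3. Subscribe and report. Replace Write-Host with Send-MailMessage to get the
#    immediate e-mail the thread asks for.
Get-VisibleAccountDomains | Format-Table -AutoSize

Register-WmiEvent -Query $query -SourceIdentifier 'AccountChange'
try {
    while ($true) {
        $e = Wait-Event -SourceIdentifier 'AccountChange'
        Write-Host (Format-AccountChange $e.SourceEventArgs.NewEvent)
        $e | Remove-Event
    }
}
finally {
    Unregister-Event -SourceIdentifier 'AccountChange'
}
```

Change __InstanceModificationEvent to __InstanceOperationEvent if creations and deletions should be reported as well; for those events PreviousInstance is not populated, so only TargetInstance should be read. Running the first function on the workstation also settles Q1 for your own environment: whatever domains it lists are the domains whose account changes a local "." connection will surface.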

Try this:

gwmi win32_userindomain|%{[wmi]($_.PartComponent)}

February 5th, 2015 4:22am

"On a domain controller you will see all accounts." - so I should NOT see all accounts when connected to a workstation (Win7)?

February 5th, 2015 9:31am

"gwmi win32_userindomain|%{[wmi]($_.PartComponent)}" - Thank you, I'll read through it.

Regards,

Michael

February 5th, 2015 9:34am

